Hackers Deploy ValleyRAT via Legitimate VLC Executable Using DLL Sideloading
Attackers are leveraging a DLL sideloading technique with the legitimate VLC media player executable to deploy the sophisticated ValleyRAT remote access trojan.

Cybercriminals are employing a DLL sideloading technique to deploy the ValleyRAT remote access trojan (RAT) by abusing the legitimate VLC media player executable. The campaign, identified by researchers at LevelBlue, begins with phishing emails that lure recipients into downloading a ZIP archive containing a genuine VLC executable paired with a malicious libvlc.dll, a combination designed to run attacker code under a trusted application's name and slip past security defenses.
The attack chain starts when a victim clicks a link in a phishing email, typically themed around personnel transfers or salary changes, and downloads a ZIP archive with two files: the VLC executable, renamed with a Japanese filename that matches the email's subject, and a malicious libvlc.dll. The executable's internal file description and hash match a genuine VLC build; libvlc.dll is a library VLC normally relies on, which the attackers have replaced with their own version.
Upon execution, the disguised VLC executable loads the malicious libvlc.dll automatically. This technique, known as DLL sideloading, allows the harmful code to run under the guise of a trusted application. The malware then copies both files to a designated directory and establishes persistence by creating a registry entry that ensures the executable relaunches upon system reboot. Subsequently, it contacts a remote command-and-control (C2) server to download the final ValleyRAT payload.
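Two of the steps above leave host telemetry: the renamed VLC binary loading libvlc.dll from the download folder, and the autostart registry value that relaunches it. The following detection logic is an added example, not code from the article or from LevelBlue; it runs over constructed Sysmon-style records (Event ID 7 ImageLoad and Event ID 13 RegistryValueSet), and the VLC install paths, user-writable prefixes and autostart key names are assumptions about a typical Windows estate.

```python
"""Detection logic for VLC sideloading and Run-key persistence.

Added example (not code from the article or from LevelBlue). It runs over
constructed Sysmon-style records: Event ID 7 (ImageLoad) and Event ID 13
(RegistryValueSet). Field names follow Sysmon; the values are made up.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: default VLC install directories; extend for your estate.
TRUSTED_VLC_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)

# Path prefixes a standard user can write to without elevation (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Run/RunOnce autostart keys; the article says a relaunch-on-reboot entry is
# created but does not name the exact key, so both are matched.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def is_user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def check_image_load(ev: dict) -> Alert | None:
    """Flag libvlc.dll loaded from outside the VLC install directory, or by
    an executable that is not named vlc.exe (the renamed lure binary)."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev["ImageLoaded"]
    if ntpath.basename(loaded).lower() != "libvlc.dll":
        return None
    image = ev["Image"]
    in_trusted_dir = ntpath.dirname(loaded).lower() in TRUSTED_VLC_DIRS
    if in_trusted_dir and not is_user_writable(image):
        return None
    reasons = []
    if is_user_writable(loaded):
        reasons.append("libvlc.dll loaded from a user-writable path")
    if ntpath.basename(image).lower() != "vlc.exe":
        reasons.append(f"loader is {ntpath.basename(image)!r}, not vlc.exe")
    if not reasons:
        reasons.append("libvlc.dll loaded outside the VLC install directory")
    return Alert("vlc_dll_sideload", ev["Computer"], f"{image} -> {loaded}: " + "; ".join(reasons))


def check_registry(ev: dict) -> Alert | None:
    """Flag Run/RunOnce values that point at a user-writable location."""
    if ev.get("EventID") != 13:
        return None
    if not any(m in ev["TargetObject"].lower() for m in RUN_KEY_MARKERS):
        return None
    if is_user_writable(ev.get("Details", "")):
        return Alert("run_key_user_writable", ev["Computer"], f"{ev['TargetObject']} -> {ev['Details']}")
    return None


def scan(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        for check in (check_image_load, check_registry):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: a normal VLC start, then the lure pattern.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ws01", "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    # Renamed genuine VLC binary (the real lure used a Japanese filename) loading the DLL beside it.
    {"EventID": 7, "Computer": "ws02", "Image": r"C:\Users\taro\Downloads\personnel_transfer_notice.exe",
     "ImageLoaded": r"C:\Users\taro\Downloads\libvlc.dll"},
    {"EventID": 13, "Computer": "ws02",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\VLC",
     "Details": r"C:\Users\taro\AppData\Roaming\VLC\vlc.exe"},
    {"EventID": 13, "Computer": "ws03",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The image-load rule deliberately keys on the DLL name rather than the loader name, because the loader is a genuine, correctly signed VLC binary under an arbitrary filename; what is anomalous is where libvlc.dll comes from and who loads it. Tune the trusted-directory list before deploying, or portable VLC installs will generate noise.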
ValleyRAT employs several evasion tactics to thwart analysis in sandboxes or virtual machines. Before running its malicious functions, the malware checks available memory, processor core count, and whether sleep calls actually take the requested time, values that are often unrealistically small or accelerated in analysis environments. If the checks indicate a monitoring environment, the malware stops, making it difficult for security researchers to observe its true behavior. The code is also padded with numerous meaningless functions to slow down reverse engineering.
A particularly concerning aspect of this campaign is its fileless execution capability. The downloaded ValleyRAT payload, encrypted using RC4, is decrypted directly in memory and injected into a suspended system process. This fileless approach ensures that no malicious file is written to disk, significantly hindering detection by traditional antivirus solutions that rely on file scanning.
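Because the payload is decrypted only in memory, an analyst who captures the encrypted blob from network traffic or a memory dump still needs the RC4 key to read it. The routine below is an added example, not code from the article or from LevelBlue: it implements plain RC4, uses the MZ/PE header as a quick plausibility check on a candidate key, and exercises this on a constructed stand-in payload with a placeholder key. Real keys have to be recovered from the loader during analysis; nothing here comes from the campaign itself.

```python
"""RC4 recovery of a captured second-stage blob, for analyst triage.

Added example (not code from the article or LevelBlue). The article states
only that the downloaded ValleyRAT payload is RC4-encrypted and decrypted in
memory; the key, the candidate list and the sample blob here are constructed
placeholders, and a real key has to be recovered from the loader.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(blob: bytes, candidate_keys: list[bytes]) -> bytes | None:
    """Return the first candidate key under which blob decrypts to a PE image."""
    for key in candidate_keys:
        if looks_like_pe(rc4(key, blob)):
            return key
    return None


# Constructed stand-in for a payload: a minimal MZ/PE header, nothing executable.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\x00" * 16
PLACEHOLDER_KEY = b"placeholder-rc4-key"      # constructed; not a key from the campaign
ENCRYPTED_BLOB = rc4(PLACEHOLDER_KEY, FAKE_PE)

if __name__ == "__main__":
    key = recover_key(ENCRYPTED_BLOB, [b"wrong-guess", PLACEHOLDER_KEY])
    print("key found:", key)
    if key:
        print("decrypted header:", rc4(key, ENCRYPTED_BLOB)[:2])
```

The practical lesson is that file-scanning antivirus never sees the plaintext; detection has to come from memory scanning of the injected process, from the anomalous process-creation and injection telemetry, or from decrypting the captured blob offline as above. The PE-header check is only a plausibility filter, so confirm a recovered key by parsing the full image.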
Researchers recommend several mitigation strategies for organizations. These include training employees to identify suspicious elements in emails, such as unusual filenames, mismatched file descriptions, and business communications originating from free webmail domains. Implementing endpoint detection solutions capable of identifying DLL sideloading and unusual process injection techniques is also crucial. For compromised systems, immediate network isolation and thorough log review are advised, with a full operating system reinstall being the safest option in severe cases.
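Two of the recommended email cues can be checked mechanically at the mail gateway: an archive that ships a sideload-prone DLL beside an executable that is not the DLL's real host, and business mail arriving from a free webmail domain. The triage routine below is an added example, not code from the article or LevelBlue; the webmail list, the DLL-to-host table and the sample archives are constructed, and only libvlc.dll/vlc.exe comes from the article. Checking the executable's internal file description would need a PE version-resource parser and is left out here.

```python
"""Mail-attachment triage for two cues from the mitigation advice above.

Added example (not code from the article or LevelBlue). The webmail list,
the DLL table and the sample archives are constructed; treat the output as
a triage hint, not a verdict.
"""
from __future__ import annotations

import io
import ntpath
import zipfile

# Constructed subset of free webmail providers.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.co.jp"}

# DLLs an application loads from its own folder, mapped to the executable
# that legitimately accompanies them. Only the libvlc.dll entry is from the article.
SIDELOAD_DLLS = {"libvlc.dll": "vlc.exe"}


def sender_finding(from_addr: str) -> str | None:
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in FREE_WEBMAIL_DOMAINS:
        return f"business mail sent from free webmail domain {domain}"
    return None


def archive_findings(zip_bytes: bytes) -> list[str]:
    """Flag an executable packaged next to a DLL that some other program sideloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [ntpath.basename(n.replace("/", "\\")) for n in zf.namelist()]
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower() in SIDELOAD_DLLS]
    for dll in dlls:
        expected = SIDELOAD_DLLS[dll.lower()]
        for exe in exes:
            if exe.lower() == expected:
                findings.append(f"{expected} and {dll} shipped together as a mail attachment")
            else:
                findings.append(f"{dll} shipped beside {exe!r}, which is not {expected} (renamed host binary?)")
    return findings


def triage(from_addr: str, zip_bytes: bytes) -> list[str]:
    findings = archive_findings(zip_bytes)
    sender = sender_finding(from_addr)
    if sender:
        findings.append(sender)
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from name -> content (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a personnel-transfer themed Japanese filename on the
# executable next to libvlc.dll (dummy bytes, not real binaries), and a benign archive.
LURE_ZIP = build_zip({"人事異動のお知らせ.exe": b"MZ-dummy", "libvlc.dll": b"MZ-dummy"})
BENIGN_ZIP = build_zip({"quarterly_report.pdf": b"%PDF-dummy"})

if __name__ == "__main__":
    for line in triage("hr-department@gmail.com", LURE_ZIP):
        print("finding:", line)
    print("benign:", triage("hr@corp.example", BENIGN_ZIP))
```

Any executable arriving by email deserves scrutiny, so the first rule fires even when the host binary keeps its real name; the "renamed host binary?" variant is the pattern this campaign uses. Extend SIDELOAD_DLLS with the DLL names your own detection content already tracks.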
The campaign, whose activity has nearly doubled compared with the previous year and has continued to rise through 2025 and into 2026, primarily targets Chinese- and Japanese-speaking users with personnel-transfer and salary-change lures, but poses a broader risk to organizations worldwide. The combination of a familiar program like VLC as the delivery vehicle, checks for virtual environments, large amounts of junk code to hinder reverse engineering, and fileless in-memory execution of the final ValleyRAT payload underscores the importance of vigilance and layered security defenses.