ValleyRAT Job Seeker Campaign
Targeted Sectors
· Human Resources (HR)
· Staffing/Recruitment
· Job Seekers
Countries
· Global
BLUF
A campaign is actively using phishing emails with weaponized Foxit PDF readers to deliver the ValleyRAT malware via DLL side-loading. The primary goal is system control and data theft from job seekers and HR personnel.
Date of First Reported Activity
· December 3, 2025
Date of Last Reported Activity Update
· December 3, 2025
APT Names
· Unknown at this time
Associated Criminal Organization Names
· Unknown at this time
IOCs
· File hashes for specific malicious Foxit PDF reader installers
· Key C2 domains and IPs identified in reporting include:
o app.jinanjinyu.work
o app.maitangou.work
o app.jiangsuzhaochu.work
o app.rongxingu.work
o app.xinrendu.work
o app.owps.work
o app.awps.work
o pan.tenire.com (used for payload delivery)
o anizom.com
o kalost.club
o 154.39.255.141:5689
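As an added example (not part of this brief or of the Trend Micro reporting), the Python below applies the IOCs listed above to DNS-query, connection and file-hash records. The record formats and every sample record are constructed for the example; the domains, IP:port and SHA256 values are the ones given on this page, and subdomains of a listed domain (for example a query under kalost.club) are treated as hits.

```python
"""Match the ValleyRAT IOCs from this brief against DNS, connection and hash records.

Added example, not from the original report. Indicator values come from the
IOC and Malware Samples sections; the log lines below are constructed and are
not real telemetry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Domains are matched as exact hosts or as parent domains of the queried name.
C2_DOMAINS = {
    "app.jinanjinyu.work", "app.maitangou.work", "app.jiangsuzhaochu.work",
    "app.rongxingu.work", "app.xinrendu.work", "app.owps.work", "app.awps.work",
    "pan.tenire.com", "anizom.com", "kalost.club",
}
C2_ENDPOINTS = {("154.39.255.141", 5689)}
SAMPLE_SHA256 = {
    "ae857addc8eb51dbfa7d0a76b19dae7a6f275f7bf1042d1c982aca4f80ce635e": "downloader",
    "3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1": "loader",
    "190d493255c71f3cebb968c197aeef67c62d597b488c4a0b8cd77751e5999b94": "dropper",
}


@dataclass(frozen=True)
class Hit:
    kind: str       # "dns", "conn" or "hash"
    source: str     # host or client the record came from
    indicator: str  # which IOC matched
    note: str


def domain_matches(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    labels = name.rstrip(".").lower().split(".")
    # Walk from the full name upward (a.b.c -> b.c), stopping before the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def match_dns(line: str) -> Optional[Hit]:
    """Constructed record format: '<ts> <client> <query>'."""
    ts, client, query = line.split()[:3]
    ioc = domain_matches(query)
    return Hit("dns", client, ioc, f"query for {query} at {ts}") if ioc else None


def match_conn(line: str) -> Optional[Hit]:
    """Constructed record format: '<ts> <client> <dst_ip> <dst_port>'."""
    ts, client, dst_ip, dst_port = line.split()[:4]
    ipaddress.ip_address(dst_ip)  # raise on malformed input instead of skipping silently
    if (dst_ip, int(dst_port)) in C2_ENDPOINTS:
        return Hit("conn", client, f"{dst_ip}:{dst_port}", f"connection at {ts}")
    return None


def match_hash(host: str, sha256: str) -> Optional[Hit]:
    """Match a file hash (any letter case) against the sample hashes."""
    role = SAMPLE_SHA256.get(sha256.lower())
    return Hit("hash", host, sha256.lower(), f"{role} component") if role else None


def scan(dns_lines: Iterable[str], conn_lines: Iterable[str],
         file_hashes: Iterable[Tuple[str, str]]) -> List[Hit]:
    """Run all three matchers and return the hits in feed order."""
    hits = [h for h in map(match_dns, dns_lines) if h]
    hits += [h for h in map(match_conn, conn_lines) if h]
    hits += [h for h in (match_hash(host, d) for host, d in file_hashes) if h]
    return hits


# Constructed sample telemetry; one benign record per feed exercises the negative case.
DNS_LOG = [
    "1764720000.1 10.0.0.15 app.owps.work",
    "1764720001.2 10.0.0.16 www.example.com",
    "1764720002.3 10.0.0.15 update.kalost.club.",
]
CONN_LOG = [
    "1764720003.4 10.0.0.15 154.39.255.141 5689",
    "1764720004.5 10.0.0.16 93.184.216.34 443",
]
FILE_HASHES = [
    ("ws-015", "AE857ADDC8EB51DBFA7D0A76B19DAE7A6F275F7BF1042D1C982ACA4F80CE635E"),
    ("ws-016", "0" * 64),
]

if __name__ == "__main__":
    for hit in scan(DNS_LOG, CONN_LOG, FILE_HASHES):
        print(f"[{hit.kind}] {hit.source}: {hit.indicator} ({hit.note})")
```

The parent-domain walk matters because reporting lists anizom.com and kalost.club as bare domains; a matcher that compares whole strings only would miss a host under them.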
CVEs
· Not currently applicable
o Abuses legitimate software functionality and DLL side-loading, not a specific CVE in the PDF reader itself
Nessus ID
· Not currently applicable
Patching/Mitigation Data
Mitigation
· Provide employee awareness training on recognizing phishing emails and suspicious job-related attachments.
· Use email security solutions to scan and block malicious attachments.
· Ensure endpoint detection and response (EDR) solutions are configured to detect DLL side-loading behaviors.
Malware Names
· ValleyRAT
· Foxit PDF reader
o abused legitimate application
Malware Samples
ValleyRAT
SHA256
· ae857addc8eb51dbfa7d0a76b19dae7a6f275f7bf1042d1c982aca4f80ce635e
o downloader component
· 3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1
o Loader component
· 190d493255c71f3cebb968c197aeef67c62d597b488c4a0b8cd77751e5999b94
o Dropper component
Links to samples
hxxps://www.virustotal.com/gui/file/ae857addc8eb51dbfa7d0a76b19dae7a6f275f7bf1042d1c982aca4f80ce635e
hxxps://www.virustotal.com/gui/file/3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1
hxxps://www.virustotal.com/gui/file/190d493255c71f3cebb968c197aeef67c62d597b488c4a0b8cd77751e5999b94
TTPs
· T1566.001: Phishing: Spearphishing Attachment (delivery method)
· T1574.002: Hijack Execution Flow: DLL Side-loading
· T1071.001: Application Layer Protocol: Web Protocols (C2)
· T1005: Data from Local System
Suggested rules / potential hunts
These are indicators; they are likely to be noisy.
Suggested Suricata Rules
# Rule skeleton: the host and IP values are taken from the IOC section above; the sid values are local-range placeholders to replace with your own.
alert http any any -> any any (msg:"ValleyRAT C2/payload host in HTTP Host header"; flow:established,to_server; http.host; pcre:"/^(app\.(jinanjinyu|maitangou|jiangsuzhaochu|rongxingu|xinrendu|owps|awps)\.work|pan\.tenire\.com|anizom\.com|kalost\.club)$/"; reference:url,www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> 154.39.255.141 5689 (msg:"ValleyRAT C2 IP and port"; flow:to_server; reference:url,www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html; classtype:trojan-activity; sid:1000002; rev:1;)
Suggested Sentinel Rules
Detection rule for processes spawned by common email/PDF applications that then make suspicious network connections or create new users.
Suggested Splunk Hunts
Sysmon Event ID 7 (image load) is the event that records the side-loaded DLL; Event ID 1 only records process creation. The reporting does not name the DLL, so the hunt keys on where the DLL is loaded from and whether it is signed:
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 Image IN ("*\\FoxitReader.exe", "*\\dllhost.exe") NOT ImageLoaded IN ("C:\\Windows\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*") | eval exe_dir=lower(replace(Image, "\\\\[^\\\\]+$", "")), dll_dir=lower(replace(ImageLoaded, "\\\\[^\\\\]+$", "")) | where exe_dir=dll_dir OR Signed="false" | stats count values(ImageLoaded) AS loaded_dlls by Computer, User, Image, Signed, Signature
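The side-loading hunt above, worked through as an added Python example (not code from this brief, from Trend Micro, or from the Sysmon project): it parses Sysmon Event ID 7 XML, keeps loads by the abused reader, and scores three behaviours that together characterise DLL side-loading from an unpacked phishing attachment. The sample events are constructed, the DLL file name is a placeholder because the reporting does not name it, and the trusted-root and user-writable-root lists are assumptions to tune per environment.

```python
"""Flag DLL side-loading by a PDF reader from Sysmon Event ID 7 (image load) records.

Added example, not from the original report. Event XML is constructed to follow
Sysmon's schema; the DLL name, install path and signer string are placeholders.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET_PROCESSES = {"foxitreader.exe"}  # reader abused in the campaign
# Assumed lists: where a real install lives, and where an attachment gets unpacked.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def parse_event(xml_text: str) -> Optional[Dict[str, str]]:
    """Flatten a Sysmon event into a dict; return None unless it is Event ID 7."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return None
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS) or ""
    return ev


def sideload_reasons(ev: Dict[str, str]) -> List[str]:
    """Reasons an image load by a targeted reader looks like side-loading."""
    image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    if ntpath.basename(image) not in TARGET_PROCESSES:
        return []
    exe_dir, dll_dir = ntpath.dirname(image), ntpath.dirname(dll)
    reasons = []
    if dll_dir == exe_dir and not exe_dir.startswith(TRUSTED_ROOTS):
        reasons.append("DLL loaded from the reader's own directory outside an install root")
    if exe_dir.startswith(USER_WRITABLE_ROOTS):
        reasons.append("reader executable is running from a user-writable path")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    return reasons


def hunt(events: List[str], min_reasons: int = 2) -> List[Dict[str, object]]:
    """Parse raw events and return those with at least `min_reasons` indicators."""
    alerts = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev is None:
            continue
        reasons = sideload_reasons(ev)
        if len(reasons) >= min_reasons:
            alerts.append({"Computer": ev["Computer"], "User": ev.get("User", ""),
                           "Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"],
                           "reasons": reasons})
    return alerts


def _event(event_id: int, computer: str, **data: str) -> str:
    """Build constructed Sysmon-style XML for the sample set."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')


# Constructed sample events (not real telemetry). The unpacked folder name is the
# attachment name from the email lure; DLL name, install path and signer are placeholders.
SAMPLE_EVENTS = [
    # reader unpacked from the lure archive loads an unsigned DLL sitting beside it
    _event(7, "ws-015", Image=r"C:\Users\alice\Downloads\Overview_of_Work_Expectations\FoxitReader.exe",
           ImageLoaded=r"C:\Users\alice\Downloads\Overview_of_Work_Expectations\PLACEHOLDER_sideloaded.dll",
           Signed="false", Signature="", SignatureStatus="Unavailable", User=r"WS-015\alice"),
    # installed reader loading a validly signed DLL from its own install directory
    _event(7, "ws-016", Image=r"C:\Program Files\Foxit Reader\FoxitReader.exe",
           ImageLoaded=r"C:\Program Files\Foxit Reader\vendor_component.dll",
           Signed="true", Signature="PLACEHOLDER vendor signer", SignatureStatus="Valid", User=r"WS-016\bob"),
    # a process-creation event (ID 1), which the hunt must ignore
    _event(1, "ws-017", Image=r"C:\Windows\System32\dllhost.exe", CommandLine="dllhost.exe"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"{alert['Computer']} {alert['User']}: {alert['ImageLoaded']}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Requiring two of the three indicators keeps an installed reader that loads an unsigned plugin from Program Files below the threshold, while a reader executing from a Downloads folder and loading an unsigned DLL next to itself trips all three.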
Delivery Method
· Phishing emails containing weaponized PDF reader files that execute the malware upon opening.
Email Samples
From
Will vary; for example: [Hiring Manager Name] <hr-noreply@[legitimate-company-domain-spoofed.com]> (Note: the domain is often spoofed or uses a freemail address such as Outlook or Hotmail)
Subject
URGENT: Job Offer & Next Steps - [Your Name/Job Title] - [Company Name]
Body
Dear [Your Name],
Thank you for your application to the [Job Title] position.
We were impressed by your resume and would like to move forward with the next steps of our recruitment process. We have attached a document titled "Overview_of_Work_Expectations.zip" (or ".rar") that contains the essential details, including the compensation and benefits package and the final application form.
Please review the attached documents carefully. We ask that you fill out the application form and return it to us within the next 24 hours to proceed with scheduling your final interview.
We look forward to hearing from you soon.
Best regards,
[Hiring Manager Name]
[Title]
[Company Name]
[Phone Number]
References
TrendMicro
· hxxps://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
Virustotal
· hxxps://www.virustotal.com/gui/file/ae857addc8eb51dbfa7d0a76b19dae7a6f275f7bf1042d1c982aca4f80ce635e
· hxxps://www.virustotal.com/gui/file/3f7819debdca5df5a6cd50147b51bceba12c5e0f8a6961b1612777080496dde1
· hxxps://www.virustotal.com/gui/file/190d493255c71f3cebb968c197aeef67c62d597b488c4a0b8cd77751e5999b94
MalwareBazaar
· hxxps://bazaar.abuse.ch/browse/signature/ValleyRAT/
· hxxps://bazaar.abuse.ch/sample/e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4/
· hxxps://bazaar.abuse.ch/sample/dd18a62c3dd7f48ddabf288d271cad000e51d629c17f1e5f70127b3dc117ed30/
· hxxps://bazaar.abuse.ch/sample/c7c33403bf5f1c1d43cf18b4604d0152b0cd631df147f3fdbb318d5aa7e745ed/
Picus Security (Dissecting ValleyRAT blog):
· hxxps://www.picussecurity.com/resource/blog/dissecting-valleyrat-from-loader-to-rat-execution-in-targeted-campaigns
Picus Security (Silver Fox APT blog)
· hxxps://www.picussecurity.com/resource/blog/silver-fox-apt-targets-public-sector-via-trojanized-medical-software
Fortinet
· hxxps://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
Check Point Software
· hxxps://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/
Zscaler
· hxxps://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat