ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Key takeaways
- ValleyRAT targets job seekers in a campaign spreading through email, disguising itself behind a weaponized Foxit PDF reader and performing dynamic-link library (DLL) side-loading to gain a foothold in the system.
- As a remote access trojan (RAT), a ValleyRAT attack can lead to threat actors gaining control of systems, monitoring activity, and stealing sensitive data.
- The campaign targets job seekers and can also potentially affect those working in human resources (HR), such as recruiters and sourcing specialists.
- Trend Vision One™ detects and blocks the indicators of compromise (IoCs) discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign.
Cybercriminal operations continue to escalate in both aggressiveness and sophistication, achieving greater impact through the strategic integration of multiple methods. The campaign investigated in this article demonstrates a layered application of tried-and-tested techniques: social-engineering lures targeting job seekers, obfuscation through deeply nested directory paths, and execution via DLL sideloading.
This coordinated approach directly contributes to the malware’s high rate of success, a factor corroborated by the notable increase in ValleyRAT detections observed in our telemetry.
Recent observations show that beyond their usual targets of Chinese-speaking users, ValleyRAT actors now appear to be going after job seekers in general as well, as evidenced by English-language filenames found in their malicious archive packages.
Because job seekers constantly watch out for new opportunities, they might download attachments quickly and overlook warning signs. The emotional strain of the job search can reduce caution, making them more inclined to trust messages that appear to come from potential employers.
One common entry vector we’ve observed is email-based job lures. Archive files, with filenames such as Overview_of_Work_Expectations.zip, Candidate_Skills_Assessment_Test.rar, or Authentic_Job_Application_Form.zip, are deliberately crafted to take advantage of the curiosity and sense of urgency among job seekers.
To bypass initial scrutiny, these compressed files often masquerade as legitimate HR documents while actually containing malicious payloads.
This ValleyRAT campaign likewise abuses Foxit. The archive file from the email lure contains a renamed version of FoxitPDFReader.exe, chosen to make the attack stealthier and to provide a controlled way to load malicious code. The file analyzed in this article, for example, is named Compensation_Benefits_Commission.exe, still a recruitment-related bait. The executable also uses the Foxit logo as its icon to look more convincing.
Upon seeing the Foxit logo, most users would assume that the file is in the popular PDF (.pdf) format and might not notice that it is actually an executable (.exe). Cybercriminals often abuse .exe files to exploit the Windows DLL search order mechanism for DLL side-loading.
The screenshot below shows what users see after clicking the malicious file from the archive. The PDF bundled in the package displays job details and salary information, probably fake or simply copied from job boards.
Unknown to the user, as they pore over the details of the document, the ValleyRAT payload has begun running silently in the background.
ValleyRAT techniques
The diagram above traces the entire infection path: it starts with a malicious archive containing a renamed FoxitPDFReader.exe disguised as a document, continues with the loading of a malicious msimg32.dll, and ends with ValleyRAT, the stages stitched together by DLL side-loading, script execution, and .NET reflective loading.
Besides FoxitPDFReader.exe, the archive contains a malicious hidden msimg32.dll, along with other files and folders intended to enhance the deception, and a hidden folder named “Document”.
Viewing the archive through its folder tree shows, besides the disguised executable and the DLL, other concealed files. Typical-looking project folders coexist with the hidden Document directory, which contains a long chain of underscore-named subfolders ending in files like Shortcut.lnk and the “document” files, an attempt at obfuscation or concealment.
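As an added example, not code from the post or from Trend Micro, the following Python audits an extracted archive directory for the two layout traits described above: a System32-named DLL (msimg32.dll) placed beside an executable, and a chain of underscore-only folders hiding payload files. The tree it builds is a constructed stand-in for the real archive; the extra DLL names and the depth threshold are assumptions.

```python
import os
import tempfile
from pathlib import Path

# msimg32.dll is the side-loaded DLL named in the post; the other names are
# assumptions added for breadth (System32 DLLs often dropped beside an EXE).
SIDELOAD_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll"}

def underscore_depth(rel_parts):
    """Longest run of consecutive directory names made only of underscores."""
    best = run = 0
    for part in rel_parts:
        run = run + 1 if part and set(part) == {"_"} else 0
        best = max(best, run)
    return best

def audit_tree(root, min_depth=5):
    """Return sorted (kind, detail) findings for an extracted archive tree."""
    root = Path(root)
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        # A System32 DLL name sitting next to an EXE is the side-loading setup
        # from the post: renamed Foxit reader plus a malicious msimg32.dll.
        for dll in SIDELOAD_DLL_NAMES & lowered:
            for exe in (f for f in lowered if f.endswith(".exe")):
                findings.add(("sideload-candidate", f"{exe} + {dll}"))
        rel = Path(dirpath).relative_to(root).parts
        if files and underscore_depth(rel) >= min_depth:
            findings.add(("deep-underscore-dir", "/".join(rel)))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed layout mirroring the post's archive; not the real sample."""
    base = Path(base)
    (base / "Compensation_Benefits_Commission.exe").write_bytes(b"MZ")
    (base / "msimg32.dll").write_bytes(b"MZ")
    deep = base / "Document"
    for _ in range(8):
        deep = deep / "________"
    deep.mkdir(parents=True)
    (deep / "Shortcut.lnk").write_bytes(b"")
    (deep / "document.bat").write_text("rem constructed placeholder\n")
    return base

def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))
```

Point audit_tree at a real extraction directory to apply the same two checks to an unpacked lure archive.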
The batch file, document.bat, uses the document.docx file to extract the contents of the document.pdf file. The document.docx file is actually a disguised 7-Zip executable that extracts an archived Python environment hidden within document.pdf.
This method ensures that the Python script can be executed on the target system even if Python is not pre-installed, leveraging the document.bat script to automate the process. Such tactics demonstrate the attackers’ ingenuity in bypassing security measures and executing their payload with minimal user awareness.
Following extraction, the batch file invokes the Python interpreter to execute the malicious Python script, facilitating payload deployment.
After the batch file extracts the contents of document.pdf (the Python environment) using document.docx (the 7-Zip executable), a base64-encoded blob is downloaded from 196[.]251[.]86[.]145; it contains the Python script that serves as the shellcode loader.
The python.exe binary is renamed “zvchost.exe” and runs the script through the “-c” parameter, as can be seen in the pseudocode. It also creates an autorun registry entry to persist on the system.
The attack steals data from the user’s internet browsers.
The malicious file’s certificate, captured in the network logs of the sandbox analysis tool, exhibits characteristics commonly seen in certificates used by AsyncRAT-style SSL and off-the-shelf C&C frameworks for their secure communication: a self-signed structure, a randomized common name, outdated TLS versions, and an extremely long validity period, traits frequently produced by the automated certificate generators built into many RAT builders.
The analysis highlights how ValleyRAT operators exploit the emotional and psychological vulnerabilities of job seekers, preying on their eagerness to secure employment. Their tactics also involve misusing legitimate software like Foxit Reader through DLL sideloading and deceptive techniques.
By understanding these methods, users can better identify potential threats and take proactive steps to safeguard their systems. Robust security awareness training plays a vital role in helping individuals detect and avoid such sophisticated attacks, ultimately reducing the likelihood of compromise.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.
Trend Vision One Threat Insights
Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Suspicious Command — Executable/BAT in Deep Underscore Path
processCmd: /(\_){10,}\.*(exe|bat)/
More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.
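As an added example (not from the post or from Trend Micro), the following Python applies the hunting pattern above to constructed process-creation events shaped like the chain described earlier, and adds two further checks drawn from that description. The event record, the zvchost.exe regex and the document-extension check are assumptions, not part of the post's query.

```python
import re
from collections import namedtuple

# Hunting pattern quoted in the post: ten or more underscores, optional dots,
# then "exe" or "bat", as produced by the deeply nested "Document" tree.
DEEP_UNDERSCORE_PATH = re.compile(r"(\_){10,}\.*(exe|bat)")
# Renamed interpreter from the post: python.exe as zvchost.exe running an inline
# script via "-c". The regex itself is an assumption, not from the post.
RENAMED_PYTHON = re.compile(r"\\zvchost\.exe\"?\s+-c\b", re.IGNORECASE)

# Constructed process-creation record; not a real log schema.
ProcessEvent = namedtuple("ProcessEvent", "parent image cmdline")

def classify(event):
    """Return the names of the heuristics that the event trips."""
    hits = []
    if DEEP_UNDERSCORE_PATH.search(event.cmdline):
        hits.append("deep-underscore-path")
    if RENAMED_PYTHON.search(event.cmdline):
        hits.append("renamed-python-inline-script")
    # Assumption: document.bat launches the disguised 7-Zip under its document
    # name, so a .docx/.pdf "image" spawned by cmd.exe is worth a look.
    if (event.parent.lower().endswith("cmd.exe")
            and event.image.lower().endswith((".docx", ".pdf"))):
        hits.append("document-extension-executed")
    return hits

def scan(events):
    """Map each flagged image file name to its hits; clean events are omitted."""
    report = {}
    for event in events:
        hits = classify(event)
        if hits:
            report[event.image.rsplit("\\", 1)[-1]] = hits
    return report

# Constructed sample events following the chain described in the post.
DL = r"C:\Users\jane\Downloads"
TMP = r"C:\Users\jane\AppData\Local\Temp\py"
DEEP_NAME = "_" * 20 + ".bat"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", DL + r"\Compensation_Benefits_Commission.exe",
                 f'"{DL}\\Compensation_Benefits_Commission.exe"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", f"{DL}\\Document\\{DEEP_NAME}",
                 f'cmd.exe /c "{DL}\\Document\\{DEEP_NAME}"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", DL + r"\Document\document.docx",
                 f"document.docx x document.pdf -o{TMP}"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", TMP + r"\zvchost.exe",
                 f'"{TMP}\\zvchost.exe" -c "import base64"'),
]
```

Note that the quoted pattern only fires when the underscore run is immediately followed by the extension, so the renamed Foxit executable in the first event correctly produces no hit.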
Indicators of Compromise (IoC)
