
ValleyRAT’s Stealthy Job-Lure Campaign

Amber | Attack Report

ValleyRAT is being delivered to job seekers worldwide through archives dressed up as recruitment documents, using familiar company names, trusted logos and layered obfuscation. The campaign, identified at the end of October 2025, trades on the urgency of a job search: the lures carry names such as Overview_of_Work_Expectations.zip and Candidate_Skills_Assessment_Test.rar. The infection chain abuses a legitimate, renamed Foxit PDF Reader executable to sideload a malicious DLL, and it bundles a portable Python environment so the loader runs whether or not Python is installed on the victim's system, while the victim believes they are opening an ordinary application file. The final payload harvests browser credentials and keeps access through autorun registry entries, masking its activity from security tooling. The campaign is a reminder that the pressure of a job hunt is as useful to an attacker as the technical tricks deployed alongside it.

Attack Details

ValleyRAT Campaign Expands from Chinese to Global Job Seeker Targeting

ValleyRAT operators are combining social engineering, heavy obfuscation and DLL sideloading to raise their infection success rate, and the recent campaign shows how effective that layering is: it coincided with a notable spike in ValleyRAT detections worldwide. Activity that was once aimed primarily at Chinese-speaking users has broadened to English-speaking job seekers globally, an audience more inclined to trust documents that appear to be hiring material from recognizable companies.

Job-Themed Social Engineering Exploits Emotional Vulnerability

Job seekers, optimistic and anxious to land a role, readily drop their guard when handed convincing recruitment files. The operators exploit this with filenames such as Overview_of_Work_Expectations.zip, Candidate_Skills_Assessment_Test.rar and Authentic_Job_Application_Form.zip, all of which look routine in a hiring process. Behind the facade of HR paperwork, the archives carry the malware components, and applicants who expect such documents are far less likely to verify them before opening.

Foxit Software Abuse Enables ValleyRAT Payload Delivery

A central element of the campaign is the misuse of the legitimate Foxit PDF Reader. The attackers ship a renamed FoxitPDFReader.exe inside the archive, sometimes under a name such as Compensation_Benefits_Commission.exe, and keep the recognizable Foxit icon so the victim expects a PDF to open. Because the executable itself is genuine, it passes casual inspection; the malicious code arrives through DLL sideloading, so ValleyRAT runs in the background while the user's attention is on the decoy recruitment content.

Complex Multi-Stage Infection Chain with Python Environment

The infection chain is intricate. The disguised FoxitPDFReader.exe loads msimg32.dll, and the attackers place a malicious msimg32.dll alongside it; that library is what triggers the ValleyRAT payload. The archive also contains a Document folder of innocuous-looking subfolders and disguised LNK shortcuts to reinforce the illusion of legitimacy. A batch script, document.bat, runs document.docx, which is not a Word document but a renamed 7-Zip executable, to extract document.pdf, which is itself an archive holding a portable Python environment. Bundling the interpreter ensures the malicious script runs even if Python is not installed on the victim's system.
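The layout above has two tells that can be checked mechanically on an extracted archive: files whose content does not match their extension (a .docx that begins with a PE header, a .pdf that begins with a 7-Zip signature) and a copy of msimg32.dll sitting beside an EXE in a user-writable folder. The following triage script is an added example, not code from the advisory or from Trend Micro; it builds a constructed mock of the archive layout described above (the byte contents are stand-ins, not real samples) and reports both tells.

```python
import tempfile
from pathlib import Path

# Standard file signatures (assumed mapping, not taken from the advisory).
MAGIC = {
    b"MZ": "pe",                    # Windows EXE or DLL
    b"PK\x03\x04": "zip",           # a genuine .docx is an OOXML zip container
    b"%PDF": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",    # 7-Zip archive
}
# What each extension claims the content should be.
EXPECTED = {".docx": "zip", ".pdf": "pdf", ".exe": "pe", ".dll": "pe"}


def sniff(path):
    """Return the content type implied by the file's leading bytes."""
    with open(path, "rb") as f:
        head = f.read(8)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def triage(root):
    """Walk an extracted archive and flag the two tells of this lure layout."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = sniff(p)
        want = EXPECTED.get(p.suffix.lower())
        if want and kind != want:
            findings.append(
                f"type-mismatch: {p.relative_to(root)} is {kind} "
                f"but extension {p.suffix} implies {want}"
            )
        # msimg32.dll is a system DLL; a copy next to an EXE in a
        # user-writable folder is the classic sideloading layout.
        if p.name.lower() == "msimg32.dll":
            exes = sorted(e.name for e in p.parent.glob("*.exe"))
            if exes:
                findings.append(
                    f"sideload-candidate: {p.relative_to(root)} beside {exes}"
                )
    return findings


def build_sample(root):
    """Constructed mock of the lure archive; file bodies are padding, not malware."""
    root = Path(root)
    (root / "Document").mkdir(parents=True, exist_ok=True)
    pe_stub = b"MZ" + b"\x00" * 62
    (root / "Compensation_Benefits_Commission.exe").write_bytes(pe_stub)  # renamed Foxit reader stand-in
    (root / "msimg32.dll").write_bytes(pe_stub)                           # attacker DLL stand-in
    (root / "Document" / "document.docx").write_bytes(pe_stub)            # really a 7-Zip EXE
    (root / "Document" / "document.pdf").write_bytes(
        b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26                              # really a 7z archive
    )
    (root / "Document" / "notes.txt").write_bytes(b"plain decoy")
    return root


def demo():
    """Build the mock layout in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))


if __name__ == "__main__":
    for line in demo():
        print(line)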

Credential Theft and Persistent Access Through Registry Manipulation

From the initial infection, the attackers run a Base64-encoded Python script that acts as a shellcode loader, contacting external IP addresses (listed under IoCs below) to retrieve the final payload. The Python interpreter itself is renamed to avoid suspicion, and persistence is established through autorun registry entries. The payload then harvests credentials stored in the victim's web browsers. TLS certificates captured from the infrastructure show hallmarks common to AsyncRAT deployments: self-signed certificates, random common names, deprecated TLS protocol versions and unusually long validity periods, which point to the automated tooling typical of commodity RAT operations. The campaign is a reminder that questioning even the most convincing job recruitment files is essential to keeping personal data and systems safe.
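The three behaviours in this stage (a renamed Python interpreter handed an inline Base64-decoded script, a Run key pointing into a user-writable folder, and a connection to the C2 addresses from the IoC section) each leave a distinct trace in endpoint telemetry. The detection logic below is an added example, not from the advisory or from Trend Micro, run over constructed Sysmon-style records; runtime.exe, the user name, the SID and the Base64 blob (which decodes to a harmless print) are all invented for illustration, and the user-writable path pattern is an assumption about where a lure extracted by a user would land.

```python
import re
from pathlib import PureWindowsPath

# C2 addresses from this advisory's IoC section.
IOC_IPS = {"196.251.86.145", "51.79.214.125", "154.90.58.164"}

# Assumed set of user-writable locations an autorun entry should not point into.
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Temp|ProgramData|Public)\\", re.IGNORECASE)


def detect(ev):
    """Return a list of (rule, detail) alerts for one Sysmon-style event."""
    alerts = []
    if ev["EventID"] == 1:  # process creation
        image = PureWindowsPath(ev["Image"]).name.lower()
        orig = ev.get("OriginalFileName", "").lower()
        cmd = ev.get("CommandLine", "")
        # Renaming the interpreter does not change the PE version resource,
        # which Sysmon surfaces as OriginalFileName.
        if orig == "python.exe" and image != "python.exe":
            alerts.append(("renamed-python-interpreter", ev["Image"]))
        # Inline script that decodes Base64 and exec()s it.
        if "b64decode" in cmd and "exec(" in cmd:
            alerts.append(("encoded-python-loader", cmd))
    elif ev["EventID"] == 13:  # registry value set
        target = ev["TargetObject"].lower()
        details = ev.get("Details", "")
        if "\\currentversion\\run\\" in target and USER_WRITABLE.search(details):
            alerts.append(("run-key-to-user-writable-path", details))
    elif ev["EventID"] == 3:  # network connection
        if ev.get("DestinationIp") in IOC_IPS:
            alerts.append(("known-valleyrat-c2", f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return alerts


# Constructed records (not real telemetry). runtime.exe is a hypothetical
# name for the renamed interpreter; two benign events are included as controls.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\alice\Downloads\Overview_of_Work_Expectations\Document\runtime.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": 'runtime.exe -c "import base64;exec(base64.b64decode(b\'cHJpbnQoMSk=\'))"'},
    {"EventID": 1,
     "Image": r"C:\Program Files\Python312\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": "python.exe -m pip list"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Document",
     "Details": r"C:\Users\alice\AppData\Roaming\Document\runtime.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
    {"EventID": 3,
     "Image": r"C:\Users\alice\Downloads\Overview_of_Work_Expectations\Document\runtime.exe",
     "DestinationIp": "154.90.58.164",
     "DestinationPort": 56001},
]


def run_demo():
    """Run every sample event through detect() and return the alerts in order."""
    found = []
    for ev in SAMPLE_EVENTS:
        found.extend(detect(ev))
    return found


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(f"{rule}: {detail}")
```

The OriginalFileName check is the most robust of the three: it catches the interpreter regardless of what it was renamed to, and it generalizes to any signed or well-known binary that an attacker copies under a new name. The command-line check is a heuristic and should be tuned against legitimate automation that also decodes Base64 inline.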

Recommendations

Be Cautious with Unexpected Job-related Files: If you receive a ZIP, RAR or EXE file claiming to be a job description or skills assessment, confirm the sender through official company channels. Legitimate recruiters rarely send executables as part of an application process. When in doubt, contact the supposed sender directly using verified contact details before opening anything.

Look Closely at File Extensions and Icons: A file that shows a Foxit logo may still be an EXE rather than a PDF; this campaign relies on exactly that. Check the file's properties or extension before opening anything unfamiliar, make sure Windows is configured to show file extensions, and treat any "document" that turns out to have an executable extension as hostile.

Use Multi-factor Authentication (MFA): If the attackers steal browser-saved passwords, MFA can still block them from using those credentials to log in. Enable MFA on all sensitive accounts, including email, banking and professional networking platforms.

Avoid Running Files That Require You to Enable Content or Install Additional Components: Documents that ask for special permissions, script execution or extra software are major red flags. This campaign depends on the victim launching the bundled batch script and Python environment to complete the infection chain.

Enhance Endpoint Protection: Deploy next-generation antivirus and endpoint detection and response tooling capable of identifying and blocking ValleyRAT. Use behavioral detection to catch the activity patterns seen here: a legitimate, renamed application loading a DLL from its own directory, a renamed Python interpreter executing encoded scripts, and new Run key entries pointing into user-writable paths.

Indicators of Compromise (IoCs)

SHA1 Hashes: ebcfc4f6c6e63b75dc407f5e76c9d96c69c3c1b6, 5cb888c87b15ec998c638892ad382dc68efb7f94, 65fec70eaca638cbd10a6774e4e67f2d55f63959, 9eb12480a9e3be552c88960d45beeacfb3b2444b, 0227738e5a98622ea88a2f09527618a6fc4b9be9, and numerous additional file hashes associated with ValleyRAT malware campaign samples.

SHA256 Hashes: a32fa6ba08db96ebd611f6ee06da44b419d569a6bac43ed00c68d6ca674004c3, 7e8415e2744be160b7d7c600a401de41554c1357c2d2d35c85f8be8068cbc649, and numerous additional file hashes associated with ValleyRAT malware variants.

URLs: hxxp[:]//196[.]251[.]86[.]145/huna, hxxp[:]//51[.]79[.]214[.]125/huna

IPv4:Port: 154[.]90[.]58[.]164[:]56001

Filenames: Overview_of_Work_Expectations.zip, Candidate_Skills_Assessment_Test.rar, Authentic_Job_Application_Form.zip

MITRE ATT&CK TTPs

Initial Access (TA0001): Phishing (T1566), Spearphishing Attachment (T1566.001)
Execution (TA0002): User Execution (T1204), Malicious File (T1204.002); Command and Scripting Interpreter: Windows Command Shell (T1059.003), Python (T1059.006)
Persistence (TA0003) and Privilege Escalation (TA0004): Boot or Logon Autostart Execution (T1547), Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion (TA0005): Hijack Execution Flow (T1574) via DLL sideloading (T1574.001); Obfuscated Files or Information (T1027); Masquerading (T1036), Match Legitimate Resource Name or Location (T1036.005); Deobfuscate/Decode Files or Information (T1140)
Credential Access (TA0006): Credentials from Password Stores (T1555), Credentials from Web Browsers (T1555.003)
Discovery (TA0007): File and Directory Discovery (T1083)
Command and Control (TA0011): Application Layer Protocol (T1071), Web Protocols (T1071.001)
Exfiltration (TA0010): Exfiltration Over C2 Channel (T1041)

References

https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html

https://hivepro.com/threat-advisory/operation-silk-lure-scam-when-job-hunts-leads-to-malware/
