ValleyRAT Uses RC4 Encryption, Donut Shellcode, and rundll32 Injection for Stealth
ID: a00c6290-cdc0-51a0-abdd-eb0e83ff1414
STIX ID: report--a00c6290-cdc0-51a0-abdd-eb0e83ff1414
Feed Name: GBHackers
LevelBlue reports a surge in ValleyRAT activity (increasing from May 2025 into 2026) using two primary vectors—fake installers and targeted malicious emails (Chinese- and Japanese-language lures)—that employ RC4-encrypted payloads, Donut-generated PIC shellcode, DLL sideloading, and in-memory injection via suspended rundll32 to evade detection; the report provides sample IOCs (hashes, domain, URL/IP), evidence of leak-derived detection methods, and mitigation advice including email hygiene, blocking suspicious ZIP links, and EDR/behavioral hunting for DLL sideloading and in-memory execution.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
