logo

ValleyRAT Uses RC4 Encryption, Donut Shellcode, and rundll32 Injection for Stealth

ID: a00c6290-cdc0-51a0-abdd-eb0e83ff1414

STIX ID: report--a00c6290-cdc0-51a0-abdd-eb0e83ff1414

Feed Name: GBHackers

Threat Score
75/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Mayura Kathir

...
...

LevelBlue reports a surge in ValleyRAT activity (increasing from May 2025 into 2026) using two primary vectors—fake installers and targeted malicious emails (Chinese- and Japanese-language lures)—that employ RC4-encrypted payloads, Donut-generated PIC shellcode, DLL sideloading, and in-memory injection via suspended rundll32 to evade detection; the report provides sample IOCs (hashes, domain, URL/IP), evidence of leak-derived detection methods, and mitigation advice including email hygiene, blocking suspicious ZIP links, and EDR/behavioral hunting for DLL sideloading and in-memory execution.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.