ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Dec. 3, 2025, 10:57 a.m.

Description

A ValleyRAT campaign is targeting job seekers by email, posing as the Foxit PDF reader and using DLL side-loading to gain initial access to the system. The campaign preys on job seekers' eagerness with recruitment-themed lures delivered in archive files. The attack chain combines several techniques, including obfuscation through nested directories and execution via DLL side-loading of a legitimate, signed Foxit binary. Once running, ValleyRAT can give the operator control of the system, monitor user activity, and steal data. The campaign's reach is reflected in a spike in ValleyRAT detections. It illustrates how social engineering, abuse of legitimate software, and advanced malware techniques are combined to exploit weaknesses in both systems and human psychology.

Date

  • Created: Dec. 3, 2025, 9:29 a.m.
  • Published: Dec. 3, 2025, 9:29 a.m.
  • Modified: Dec. 3, 2025, 10:57 a.m.

Indicators


Attack Patterns