Hackers Use Fake VLC Executable and Malicious libvlc.dll to Deploy ValleyRAT

Brownie2019

Thread author
Mar 9, 2019
Cybercriminals have found a clever way to slip past security defenses by hiding malware inside a program most people trust without a second thought.

Researchers have uncovered a campaign that abuses the popular VLC media player to quietly install ValleyRAT, a remote access trojan that gives attackers full control over infected computers.

The attack starts with something deceptively ordinary: an email. Victims receive a message about personnel transfers or salary changes, complete with a link to download a file.

Once opened, that file sets off a chain of events that ends with a hidden backdoor running silently in memory, invisible to many traditional antivirus tools.

Analysts from LevelBlue identified the campaign while tracking a steady rise in ValleyRAT detections through their Global Security Operations Center.

The malware has been active since 2023, but activity accelerated sharply through 2025 and into 2026, nearly doubling compared to the previous year.
Full Story:
This type of abuse is very plausible in general: attackers often use “trusted” app names (like VLC) as a lure, but the key detail is usually that the victim is not installing the real VLC from the official source—they’re installing a trojanized lookalike (or a legitimate binary packaged with malicious components).

What’s likely happening (high level)
  • A phishing email pushes a link to download an “installer” or archive that looks work-related.
  • The downloaded file contains a fake VLC executable (or a bundle that includes a legitimate-looking VLC binary) plus additional malicious files.
  • When launched, the package runs the malware (often via side-loading a malicious DLL, or launching a hidden payload) and may try to keep the visible “VLC” behavior to reduce suspicion.
  • Some payloads run primarily in memory, which can reduce visibility for basic/legacy AV, though good EDR/modern AV can still detect behavioral indicators.

How to verify if it’s real VLC or a fake
  • Only download VLC from the official VideoLAN site: Official download of VLC media player, the best Open Source player - VideoLAN
  • Check the file’s digital signature in Windows:
    • Right-click the .exe or .msi → Properties → Digital Signatures
    • Publisher should be VideoLAN (or the expected signing identity for VideoLAN builds)
  • Be suspicious if VLC is delivered as:
    • A password-protected ZIP/RAR/ISO from an email link
    • An installer hosted on a random file-sharing domain
    • A “portable VLC” folder that includes unusual DLLs/executables next to vlc.exe
  • If you want a quick second opinion, upload the downloaded file to VirusTotal (without assuming it’s clean just because detections are low): VirusTotal

If someone already ran the file
  • Disconnect the affected PC from the network (at least temporarily) to limit remote control and lateral movement.
  • Run a full scan with a reputable, up-to-date security product already installed (or Microsoft Defender if that’s your baseline), then consider a second-opinion scanner.
  • Check for persistence and unusual startup entries (Task Scheduler, Run keys, Services). If this is a business environment, it’s better handled with EDR telemetry and incident response rather than manual cleanup.
  • If there are signs of compromise (unknown admin accounts, remote tools, suspicious outbound connections), treat it as an incident: preserve logs, change passwords from a known-clean device, and consider reimaging the system.

Practical prevention takeaways
  • Block or warn on “software installers” arriving via email links, especially archives and ISO images.
  • Use application allowlisting / SmartScreen / reputation-based protection where possible.
  • Restrict users from running executables from user-writable locations (Downloads, AppData) via policy where feasible.
  • Security awareness: “HR/payroll transfer/salary change” emails with download links are a very common lure.

I can’t validate the specific claims in that article on its own (articles sometimes omit key technical proof or primary references), but the defensive steps above are still the right way to handle any “fake VLC” style lure: verify source + signature, and respond as a potential compromise if it was executed.

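The verification and response steps in the post above, as an added PowerShell example (not code from the article, from LevelBlue, or from any poster in this thread): it compares the Authenticode signer of every DLL sitting beside vlc.exe with the signer of vlc.exe itself, which is the pattern described here (a legitimate, signed vlc.exe loading a replaced libvlc.dll), and then lists Run-key entries and scheduled tasks that point at VLC or at user-writable locations. The folder path is an assumption: the default is the standard install directory, so point it at the extracted "portable" folder if that is what was downloaded.

```powershell
# Added example: audit a VLC folder for DLL side-loading indicators and list
# common persistence locations. $VlcDir is an assumed parameter; change it to
# the folder the suspicious download was extracted into.
param(
    [string]$VlcDir = "$env:ProgramFiles\VideoLAN\VLC"
)

$exe = Join-Path $VlcDir 'vlc.exe'
if (-not (Test-Path $exe)) { Write-Warning "vlc.exe not found in $VlcDir"; return }

# 1. Reference signer: the executable the lure relies on looking legitimate.
$exeSig = Get-AuthenticodeSignature -FilePath $exe
"vlc.exe signature: {0} / {1}" -f $exeSig.Status, $exeSig.SignerCertificate.Subject

# 2. Every DLL beside it. A DLL that is unsigned, has an invalid signature, or is
#    signed by someone other than the vlc.exe signer is marked for review. That is
#    an indicator to investigate, not proof of malice on its own.
Get-ChildItem -Path $VlcDir -Filter '*.dll' -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $sameSigner = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Thumbprint -eq $exeSig.SignerCertificate.Thumbprint)
    [pscustomobject]@{
        File     = $_.Name
        Status   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Modified = $_.LastWriteTime   # a libvlc.dll newer than the rest of the folder stands out
        Review   = -not $sameSigner
    }
} | Sort-Object Review -Descending | Format-Table -AutoSize

# 3. Persistence locations named in the response steps: Run keys and scheduled tasks.
#    Heuristic filter (assumption): entries referencing VLC or user-writable paths.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'vlc|AppData|Downloads|\\Temp\\' } |
            ForEach-Object { "Run key: {0}\{1} = {2}" -f $k, $_.Name, $_.Value }
    }
}
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'vlc|AppData|Downloads' } |
    Select-Object TaskName, TaskPath, @{n='Execute'; e={ $_.Actions.Execute }} | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and all scheduled tasks are readable; the output is a triage list for the EDR or incident-response follow-up the post recommends, not a cleanup tool.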
The real risk isn't VLC itself, but trusting software delivered through unsolicited emails. Attackers know that familiar applications inspire confidence, which makes them effective lures. That's why it's always worth downloading software directly from the official source. ⚠️📥
 
The title of the original article is unfortunate, considering that this article contains a section named "Hackers Use Legitimate VLC Executable and Malicious libvlc.dll". So, the executable is both fake and legitimate.
Usually, a fake executable is one with malicious content masked by an innocent/legitimate name (like a fake application installer). However, in the attack from the OP, the executable is a renamed legitimate (benign) VLC executable. The malicious content is in another file (libvlc.dll).
The correct title should be: Hackers Use Legitimate but Vulnerable VLC Executable and Malicious libvlc.dll to Deploy ValleyRAT