ValleyRAT: Adding Insult to Injury
It’s a tough economy out there. There are more job seekers than positions, and the process for applying to them has changed dramatically over the last few years (thanks, covid). There is also an aspect of many companies not actually knowing what they need or want out of an applicant. Or they’re using AI to filter applications, very often disregarding qualified people because of missing keywords, which is another rant entirely that I won’t get into here. All of this means that more research into a potential job is being required by applicants than ever before. The act of finding a job has become a job in and of itself. And threat actors are taking advantage of it.
Trend Micro released a report yesterday detailing their findings on ValleyRAT, a remote access Trojan currently being deployed in a campaign targeting people who are actively job hunting. Aside from the usual email phishing tactics with malicious attachments, ValleyRAT also abuses a weaponized Foxit PDF reader to side-load a malicious dynamic-link library (DLL), gaining access to a device for the purpose of data scraping.
I feel like this is a particularly insidious campaign, making victims of those who are likely already frustrated by a job market that sees them as disposable. I’ve been in the trenches of unemployment, and to consider suffering the indignity and stress of that compounded by the risk of having all my personal data stolen is enraging. I will acknowledge, however, that the tactic is a clever one. The aforementioned stress and frustration lower caution, and that works to the benefit of whoever is behind this attack in spreading the RAT more widely. People desperate for work will reach out for whatever they can find, diligence thrown to the wayside.
Legitimate PDFs download with a specific file extension, .pdf. Anything that downloads as .exe is an executable file and should be considered a huge red flag for something that should not be executing anything. It’s the sort of simple difference that was once common knowledge, but in an era when basic computer literacy is dropping, it bears reiterating. Most RATs sneak onto a device this way, as an executable disguised as something else. That’s why they’re called Trojan horse viruses, after all.
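As an added illustration (not code from the post or from Trend Micro’s report), the Python below checks a downloaded "document" the way a cautious user or a mail gateway should: by its leading bytes and its full extension chain, not by the name it was given. The filenames and header bytes are constructed samples, not real campaign artifacts.

```python
import os

# Magic bytes for the two formats the post contrasts: a real PDF vs. a Windows PE.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"

# Extensions Windows will execute; a "document" ending in one of these is suspect.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx"}


def sniff_type(header: bytes) -> str:
    """Classify a file by its first bytes rather than its filename."""
    if header.startswith(PDF_MAGIC):
        return "pdf"
    if header.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def assess_download(filename: str, header: bytes) -> list[str]:
    """Return red flags for a downloaded file; an empty list is not proof of safety."""
    flags = []
    base, ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(base)  # catches resume.pdf.exe style names
    kind = sniff_type(header)

    if ext in EXECUTABLE_EXTS:
        flags.append(f"executable extension {ext!r} on a supposed document")
    if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        flags.append(f"double extension {inner_ext}{ext} hides an executable")
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        flags.append(f"PE header (MZ) but extension {ext!r}: executable in disguise")
    if ext == ".pdf" and kind != "pdf":
        flags.append("named .pdf but the content is not a PDF")
    return flags


# Constructed sample headers (first bytes only), labelled as test data.
SAMPLES = {
    "job_description.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",   # genuine PDF
    "resume_request.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # double extension
    "offer_letter.pdf": b"MZ\x90\x00\x03\x00\x00\x00",        # PE renamed to .pdf
}


def scan_samples() -> dict[str, list[str]]:
    """Run the check over every constructed sample."""
    return {name: assess_download(name, hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(name, "->", flags or ["no red flags"])
```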
Trend Micro’s report has diagrams detailing the chain of infection and the metrics of their study, as well as an image of a decoy being used in the campaign. Besides the executable nature of the download, I also immediately saw a typographical error in the decoy, another red flag ("commition" instead of "commission").
ValleyRAT contains files with Python scripts hidden within zip executables masquerading as document files. These files and commands establish persistence, with the user unaware that the RAT is running in the background stealing their browser data. Trend Micro also found a number of other characteristics typical of a RAT, most of which are familiar to anyone in the industry but less well known to the layperson: self-signed authentication structures, outdated versions of TLS, long validity periods, and of course, the hijacked legitimate source.
It is a tough economy out there. But it never pays to let down your guard when you’re job hunting. RATs are at least easier to remediate than many other malware families. And your friendly neighborhood WISP is always here to help.
Posted on LinkedIn, 12/4/25