{
	"id": "92f4cdb8-5728-46a6-9ff7-e88af62e2f01",
	"created_at": "2026-04-06T00:15:20.656279Z",
	"updated_at": "2026-04-10T13:12:04.813311Z",
	"deleted_at": null,
	"sha1_hash": "56d62eab588cb53bd6acb7d97848dbe3a7a5b570",
	"title": "Evolution of Valak, from Its Beginnings to Mass Distribution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 23996901,
	"plain_text": "Evolution of Valak, from Its Beginnings to Mass Distribution\r\nBy Brad Duncan\r\nPublished: 2020-07-24 · Archived: 2026-04-05 14:26:43 UTC\r\nExecutive Summary\r\nFirst noted in late 2019, Valak is an information stealer and malware loader that has become increasingly common in our threat landscape. From April through June of 2020, we saw waves of Valak malware two to four times a week on average through an email distribution network nicknamed Shathak or TA551. Characteristics of Valak include:\r\nValak relies on scheduled tasks and Windows registry updates to remain persistent on an infected Windows host.\r\nValak uses Alternate Data Streams (ADS) as a technique to run follow-up malware on an infected host.\r\nRecent Valak infections show an increase in obfuscated code for configuration scripts used during the infection, possibly as an attempt to avoid detection.\r\nSince April 2020, we have seen a great deal of Valak malware distributed by an actor sometimes referred to as Shathak/TA551.\r\nThis blog covers the history of Valak, reviews the chain of events for an infection, examines traffic generated by Valak and explores recent updates in obfuscation techniques used by the malware in order to evade detection. This blog also examines the Shathak/TA551 distribution system that has been consistently pushing Valak since April 2020.\r\nPalo Alto Networks customers are protected from Valak by our Threat Prevention subscription for the Next-Generation Firewall.\r\nChain of Events\r\nhttps://unit42.paloaltonetworks.com/valak-evolution/\r\nPage 1 of 18\r\nFigure 1. Chain of events for recent Valak malware activity.\r\nFigure 1 shows the chain of events seen for Valak infections in June and early July 2020. For a Windows computer to become infected, a victim must:\r\nOpen malspam with a password-protected ZIP attachment. On June 30 and July 1, 2020, we saw indications there may also have been a link to download a ZIP archive instead of an attachment.\r\nExtract the Microsoft Word document from the password-protected ZIP archive using a unique password from the message text.\r\nOpen the Word document as shown below in Figure 2 and enable macros.\r\nFigure 2. Example of a Microsoft Word document from June 24, 2020, with macros for Valak.\r\nFor Valak infections during June 2020, the initial activity consisted of:\r\nAn HTTP or HTTPS URL ending with .cab that returned a DLL to install Valak.\r\nThe Valak DLL was saved to the C:\\ProgramData\\ directory using a random file name, usually with a .dat or .jpg file extension, as shown in Figure 3.\r\nThe Valak DLL was run using regsvr32.exe -s [filename].\r\nA popup message stating the DLL was successfully run, as shown in Figure 4.\r\nA JavaScript configuration file appeared as a random file name (always the same name for each wave of infections) under the C:\\Users\\Public\\ directory, as shown in Figures 5 and 6.\r\nInitial HTTP command and control (C2) traffic returned encoded ASCII text used to create additional malware/artifacts for the infection.\r\nFigure 3. Initial Valak DLL retrieved after enabling macros on the Word document from Figure 2.\r\nFigure 4. Pop-up message on a Windows 10 host when an initial Valak DLL was successfully run using RegSvr32.exe after macros were enabled on June 24, 2020.\r\nFigure 5. Initial script file in C:\\Users\\Public\\ directory used during Valak infection from June 24, 2020.\r\nFigure 6. Contents of the JavaScript configuration file from June 24, 2020.\r\nFigure 6 reveals variable names are obfuscated in the JavaScript configuration file. This is an example of obfuscation that we have noted since June 2020, and it is covered in more detail later in this blog when discussing Valak developments.\r\nAs the infection progressed, three things happened near-simultaneously to make Valak persistent on an infected Windows host:\r\nA Windows executable (EXE) appeared in the infected user's AppData\\Local\\Temp directory as a random file name ending in .bin (PE32 executable, Mono/.Net assembly), as shown in Figure 7.\r\nWindows registry entries were created under the key HKCU\\SOFTWARE\\ApplicationContainer\\Appsw64.\r\nA randomly-named text file and JavaScript (JS) file both appeared under the C:\\Users\\Public\\ directory, as shown in Figures 8, 9 and 10.\r\nA scheduled task was created to run the JS file located under C:\\Users\\Public\\ and repeat running it every four minutes, as shown in Figure 11.\r\nFigure 7. EXE file with a .bin file extension from the June 24, 2020, Valak infection.\r\nFigure 8. Additional artifacts in the C:\\Users\\Public\\ directory created during the infection.\r\nFigure 9. Contents of the text file, a random string of text.\r\nFigure 10. Contents of the JS file used to keep the Valak infection persistent.\r\nFigure 11. Scheduled task for JS file used to keep the Valak infection persistent.\r\nIf the C2 domains remained active during the infection, as early as four minutes later, we saw follow-up malware:\r\nValak C2 traffic returned encoded ASCII text used to create a follow-up malware EXE.\r\nThe follow-up malware EXE was appended to the randomly-named text file in C:\\Users\\Public using ADS, as shown in Figure 12.\r\nA scheduled task was created to run the follow-up malware EXE once, shortly after it was created, as shown in Figure 13.\r\nFigure 12. Text file in C:\\Users\\Public\\ directory updated with ADS.\r\nFigure 13. Scheduled task to run the follow-up malware.\r\nIn our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called IcedID as the follow-up malware. In one case, we saw both IcedID and NetSupport Manager RAT-based malware delivered as follow-up malware on a Windows 7 host from June 2020.\r\nValak Infection Traffic\r\nThe infection starts when a victim enables macros on one of the malicious documents. This usually generates a URL ending with .cab that returns a Windows DLL file. Figure 14 shows a Valak infection from June 24, 2020, filtered in Wireshark to list the HTTP requests and other web-based traffic. The first line shows a URL that ends with .cab. A TCP stream of this activity is shown in Figure 15, and it reveals signs of an EXE or DLL file returned from the server.\r\nFigure 14. Traffic from a Valak infection with IcedID as the follow-up malware from June 2020 filtered in Wireshark.\r\nFigure 15. TCP stream for the HTTP GET request ending in .cab that returned a Windows DLL file.\r\nChecking the binary in VirusTotal shows this file is a DLL. This DLL is an installer for Valak. Shortly after the initial HTTP traffic for the Valak DLL, we see other HTTP GET requests starting with:\r\nlicense.jsp?client=\r\narchive.jsp?page=\r\ndb.aspx?dfc=\r\nThese HTTP requests are Valak C2 traffic, which is sent to decoy domains (non-malicious domains from legitimate organizations) and malicious domains. These domains are listed in the initial Valak script previously shown in Figure 5. For example, for Valak infections from the June 24, 2020, wave, the decoy domains were:\r\ne87.dspb.akamaidege.net\r\ninsiderppe.cloudapp.net\r\npagead46.l.doubleclick.net\r\nAlso noted in Figure 5 are the malicious domains from the June 24, 2020, wave of Valak:\r\nthepicklepilot.com\r\njoonaskallinen.com\r\nxfitnessproducts.com\r\nFigure 5 also shows three additional domains from the June 24, 2020, wave of Valak. These domains appear to be fake or possibly placeholders because they were not registered and did not resolve to any IP address.\r\n59xidd-fuel.com\r\n19geds-space.com\r\n55sfors-cask.com\r\nValak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE files used during the infection and data for registry updates for the Valak infection. Figure 16 shows an example of this traffic.\r\nFigure 16. Valak C2 over HTTP traffic returning ASCII data used to create malware items on the victim host.\r\nIn addition to HTTP GET requests, Valak uses HTTP POST requests to exfiltrate certain types of data. In Figures 17 and 18, we see an HTTP POST request starting with class4.aspx?internalService= that sends login credentials used for Microsoft Outlook from an infected Windows host.\r\nFigure 17. Valak infection traffic filtered in Wireshark showing an HTTP POST request from the C2 traffic.\r\nFigure 18. TCP stream of the HTTP POST request showing a base64 string containing Outlook login credentials of the infected host.\r\nWe primarily see IcedID as follow-up malware from the Valak infections generated from U.S. locations. Figure 19 shows indicators of IcedID during the Valak infection traffic.\r\nFigure 19. Indicators of IcedID as the follow-up malware during this Valak infection.\r\nRecent Developments\r\nAs Valak has developed, we have noticed increased obfuscation in the Valak configuration script. This obfuscation finds its way into other scripts and Windows registry updates used to keep the infection persistent. Figure 20 shows a configuration script from June 23, 2020, using Valak software version 40. Figure 21 shows a configuration script from June 24, 2020, using Valak software version 41. Note how variable names and some of the values were obfuscated when Valak changed from version 40 to version 41.\r\nFigure 20. Valak version 40 configuration script with variable names and values in plain text.\r\nFigure 21. Valak version 41 configuration script with variable names and some values using obfuscated text.\r\nLike most obfuscation, this is likely an attempt to evade detection. As the weeks and months progress, we predict further obfuscation in Valak’s configuration script and related files.\r\nShathak/TA551 Distribution\r\nShathak or TA551 is the name some security researchers have given to a specific distribution method that uses password-protected ZIP archives as attachments to malspam. The distribution network may be associated with Russian cybercriminals. It has used Word document templates targeting English-, Italian-, German- and Japanese-speaking recipients. Shathak/TA551 has been active at least as early as February 2019.\r\nShathak/TA551 distribution has the following characteristics:\r\nMalspam spoofs legitimate email chains based on mailbox data retrieved from previously-infected Windows hosts. It sends copies of these email chains to senders and recipients from the original email chain.\r\nThe spoofed email chain includes a short message as the most recent item in the chain. This item is a generic message that instructs recipients to open an attached ZIP archive using a supplied password.\r\nThe password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See Appendix A for examples of these Word documents from June 2020.\r\nThe macros usually generate a URL ending in .cab to retrieve a binary that installs malware. This binary is currently a DLL file. Appendix B lists examples of URLs from this campaign.\r\nPrior to April 2020, the most common malware delivered by Word documents associated with Shathak/TA551 was Ursnif.\r\nSince April 2020, the most common malware distributed by these Word documents has been Valak. Appendix C lists a series of Valak DLL examples from June 2020.\r\nSince May 2020, passwords used for the ZIP attachments appear to be unique to each recipient.\r\nTo get an idea of traffic patterns associated with Shathak/TA551, recent examples of URLs generated by the associated Word macros follow (Read: Date - URL).\r\nAs noted previously, Appendix B provides more examples of these URLs generated by Word macros associated with Shathak/TA551.\r\nFigures 22-30 provide screenshots with selected examples of malspam and the extracted Word documents associated with Shathak/TA551. These images illustrate how the Shathak/TA551 distribution has evolved since February 2019.\r\nFigure 22. Shathak/TA551 malspam to an English-speaking recipient from February 4, 2019.\r\nFigure 23. Shathak/TA551 malspam to an Italian-speaking recipient from April 2, 2019.\r\nFigure 24. Shathak/TA551 malspam to an English-speaking recipient from July 22, 2019.\r\nFigure 25. Shathak/TA551 malspam to a German-speaking recipient from October 30, 2019.\r\nFigure 26. Shathak/TA551 malspam to a Japanese-speaking recipient from December 17, 2019.\r\nFigure 27. Shathak/TA551 malspam to a German-speaking recipient from March 26, 2020.\r\nFigure 28. Shathak/TA551 malspam to an English-speaking recipient from April 28, 2020.\r\nFigure 29. Shathak/TA551 malspam to an English-speaking recipient from May 22, 2020.\r\nFigure 30. Shathak/TA551 malspam to a German-speaking recipient from May 26, 2020.\r\nThis distribution network has generally pushed Ursnif in previous years, but since late April 2020, we’ve most often seen Valak from Shathak/TA551. In some cases, we still see Ursnif from this distribution, which recently happened on June 10, 2020, and July 7, 2020.\r\nSource: https://unit42.paloaltonetworks.com/valak-evolution/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/valak-evolution/"
	],
	"report_names": [
		"valak-evolution"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56d62eab588cb53bd6acb7d97848dbe3a7a5b570.pdf",
		"text": "https://archive.orkl.eu/56d62eab588cb53bd6acb7d97848dbe3a7a5b570.txt",
		"img": "https://archive.orkl.eu/56d62eab588cb53bd6acb7d97848dbe3a7a5b570.jpg"
	}
}