{
	"id": "119d3dd6-8b1e-4472-8d08-d45c1880f455",
	"created_at": "2026-04-06T00:12:55.244622Z",
	"updated_at": "2026-04-10T03:21:10.262292Z",
	"deleted_at": null,
	"sha1_hash": "aa65b48dcb7c7fa36b346fcd9af8161332dbee5e",
	"title": "Valak Malware and the Connection to Gozi Loader ConfCrew - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3526551,
	"plain_text": "Valak Malware and the Connection to Gozi Loader ConfCrew -\r\nSentinelLabs\r\nBy Jason Reaves\r\nPublished: 2020-06-09 · Archived: 2026-04-05 17:29:49 UTC\r\nValak is multi-stage, script-based malware that hijacks email replies and embeds malicious URLs or\r\nattachments to infect devices with fileless scripts.\r\nBy Jason Reaves and Joshua Platt\r\nExecutive Summary\r\nValak is multi-stage, script-based malware used in campaigns reminiscent of Gozi ConfCrew.\r\nThe overlapping campaign structure has led to some sandbox reports misidentifying Valak as Gozi.\r\nEmails are harvested and used in ‘Reply Chain Attacks’ to further spread the malware with a purpose-built\r\nplugin, ‘exchgrabber’.\r\nA newly-discovered plugin called ‘clientgrabber’ is also utilized for stealing email credentials from the\r\nregistry.\r\nSee the full report for more technical details on Valak.\r\nRead the Full Report\r\nBackground\r\nGozi has been around in various forms for over a decade now. Certain variants are operated by more sophisticated\r\nactors, typically choosing to operate the trojan privately with partners or as a more functional rented service\r\nmodel. One variant in particular, which used the key 10291029JSJUYNHG, is noticeable due to its unique\r\n‘Reply’ chain or thread hijack spamming. At times this key has been confused with Dreambot but is in fact\r\noperated separately. The two primary functions of the service are loading and spamming.\r\nWhile this Gozi service has operated continuously for several years, in mid-October 2019, Valak began to appear\r\nin testing mode. 
The new JavaScript-based system also involved compromised servers with link-based email\r\ncampaigns, which was a departure from the typical password-protected attachment approach.\r\nResearch Insight\r\nDelivery – ConfCrew Delivery System\r\nA recent Valak delivery chain utilized document files that contact PHP delivery proxies in order to pull down and\r\nexecute the initial DLL payload. This system was commonly utilized by the Gozi crew for campaigns previously\r\nand is actually frequently labeled as Gozi traffic due to the similar URL structure.\r\nhttps://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/\r\nPage 1 of 11\n\nFor example:\r\n5184b70eef0d99c77e3e56f7e7b67727e515364e\r\ndownloads:\r\n80af349e1d41195576eeb7badc26d9b7873bdfbc\r\nvia the following URL:\r\nhxxp://a8xui1akl9gjqucfa[.]com/vv55v37kts7et/idq9p9t142vyk.php?l=frraw2.cab\r\nThis is the Valak DLL loader when unpacked; however, looking at IOC and sandbox reports it is easy to see that\r\nthis switch of malware is already causing confusion and is being labeled Gozi in some reports.\r\nDelivery – Compromised Websites\r\nAnother delivery avenue for retrieving the malicious document, which will then contact compromised websites to\r\nretrieve the initial DLL loader for detonation, involves links in emails[5]. These links have similar random-looking\r\nPHP names on compromised websites that will return a document instead of a DLL. 
The campaign server can be\r\nutilized for both the documents and the DLLs and you can find campaigns performing both.\r\nCompromised PHP Script\r\nThe request structure for recent Valak deliveries is listed below.\r\n/_3ZyKva_O9zPO1K_k.php?x=MDAwMCCz9oR8W_gfwzPN6OQPNnku8FfF-ORh5orr1PzC0Avh3LkS4cvcHcQm38Efx3sZMnArLlPq\r\nThis seemingly random-looking data bears a striking resemblance to base64, but we will need the PHP in order\r\nto be able to cleanly decode it.\r\nThe script takes the URL parameters and ultimately decrypts the contact URL out with an embedded key. First, the\r\nbase64-encoded data can be cleaned up and initially decoded such as the following:\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e a = 'MDAwMCCz9oR8W_gfwzPN6OQPNnku8FfF-ORh5orr1PzC0Avh3LkS4cvcHcQm38Efx3sZMnArLlPqOq5dmdcTOCewa771\r\n\u003e\u003e\u003e a = a.replace('-', '+')\r\n\u003e\u003e\u003e a = a.replace('_', '/')\r\n\u003e\u003e\u003e a = a.replace('~', '=')\r\n\u003e\u003e\u003e a\r\n'MDAwMCCz9oR8W/gfwzPN6OQPNnku8FfF+ORh5orr1PzC0Avh3LkS4cvcHcQm38Efx3sZMnArLlPqOq5dmdcTOCewa7719Cc84VKg\r\n\u003e\u003e\u003e b = base64.b64decode(a)\r\n\u003e\u003e\u003e b\r\n'0000 \\xb3\\xf6\\x84|[\\xf8\\x1f\\xc33\\xcd\\xe8\\xe4\\x0f6y.\\xf0W\\xc5\\xf8\\xe4a\\xe6\\x8a\\xeb\\xd4\\xfc\\xc2\\xd0\\x0b\\xe1\\xdc\\xb9\\x12\\xe1\\xcb\\xdc\r\nThe segment variable from the PHP script is then 0 and the compression flag for this instance is a space; if it were\r\ncompressed it would be ‘z’.\r\nThe rest of the URL is decoded using an onboard key; however, the key data is very large and the segment value\r\nwe decoded earlier is actually an index multiplier into this giant key.\r\nKnowing this and armed with the key we can now decode out the contact 
URL.\r\n\u003e\u003e\u003e test = bytearray(b[5:])\r\n\u003e\u003e\u003e key = bytearray(base64.b64decode('24LwDGHXMPQL49nWNhhLHsh5/czLDIfjh/mfqrVoirnLP4Wur3bpUraseuoZeEB\r\n\u003e\u003e\u003e for i in range(len(test)):\r\n...     test[i] ^= key[i]\r\n...\r\n\u003e\u003e\u003e test\r\nbytearray(b'http://78.129.208.84/mail-checker-desk-time-bar-links/misc/tinystats/index.php?SRR_DHIqwA\r\nAfter performing the decryption, we have the real download URL. The campaign files retrieved with this PHP\r\nscript, such as Office documents and the DLL loaders, are not stored in the PHP files directly but are the result of\r\npre-generated campaign URLs passed to the proxy script in order to retrieve them upon execution.\r\nTo summarize the process, the proxy script utilizes an embedded key to decrypt the URL and retrieve the contents.\r\nThe similar-looking encoded string passed to the index.php file as a parameter is likely an encoded message\r\ncontaining campaign-specific data. If we continue to look at the functionality of this PHP file, we can surmise it is\r\nused to track statistics along with the delivery of the campaign files.\r\nServing up campaign files from the backend:\r\nStats Panel\r\nUpon further analysis, a stats panel was uncovered confirming our hypothesis. Each campaign is carefully tracked.\r\nIn the image below, the hits are displayed for each file along with the operator and filename. 
This is typical for a\r\nload service, which would require statistics in order to charge customers accurately.\r\nThe panel also displays tracking for each of the links from their campaigns, offering possible insight into the\r\nnumber of successful executions per campaign.\r\nValak\r\nOther researchers have already written extensively on Valak[6], so we decided to focus on the aspects that we feel\r\nshow more of a connection between the Gozi ConfCrew and Valak. These primarily revolve around the use of new\r\nplugins. When Valak was in testing in 2019, a number of different plugins were seen[3]. However, two new ones\r\nof particular interest relate specifically to the harvesting of email credential data. One of these, the exchange\r\ngrabber, was also mentioned previously[6].\r\nThe harvesting of email credentials falls in line with a previous tactic used by the Gozi crew, where they would\r\nharvest emails from accounts and then use the email chains in their spam campaigns[4][8] for a ‘Reply Chain\r\nAttack’. This attack revolves around hijacking existing, legitimate emails that are then ‘replied to’ and spammed\r\nout. This technique is a way to catch users off-guard, as they are normally trained to spot fake emails but will let\r\ntheir guard down when they see that the email is a reply, particularly if it appears to be part of a conversation\r\nbetween known or trusted recipients. Reply Chain Attacks also mean the actors do not have to invest in creating\r\nlegitimate-looking email templates because they are able to leverage genuine email correspondence chains.\r\nExchange Data Plugin – EXCHGRABBER\r\nIf you are going to leverage reply chain attacks for your spamming campaigns, then you obviously need some\r\nemail data. 
It’s interesting to see that when campaigns shifted more towards Valak and away from Gozi, the\r\naddition of a plugin surrounding the theft of Exchange data showed up.\r\nThe plugin names itself in its config section as an ‘exchgrabber’ or exchange grabber. The name suits the\r\nfunctionality in the .NET-compiled plugin, as it will enumerate credentials from the Credential Manager looking\r\nfor one associated with Office. Then, using the data from autodiscover.xml, it will build the harvested data into a\r\nreport.\r\nAfter retrieving the data it will exfiltrate it to the C2:\r\nEmail Credential Plugin – CLIENTGRABBER\r\nThe recent shift of focus to email theft and enterprise targeting is interesting. While conducting this research, we\r\nalso discovered a new plugin called ‘clientgrabber’, which is primarily utilized for stealing email credentials from\r\nthe registry.\r\nThe registry locations are recursively searched for the ‘keys’.\r\nOnce found, it will check that the value is using the newer method of encryption and contains the actual encrypted\r\npassword data, which can be decrypted[7].\r\nIndicators of Compromise\r\nEndpoint\r\n%temp%\\[a-f0-9]{12}.bin\r\nScheduled task 'PerfWatson_[a-f0-9]+'\r\nADS executable and script files:\r\nHKCU\\Software\\ApplicationContainer\\Appsw64\\ShimV4\r\nHKCU\\Software\\ApplicationContainer\\Appsw64\\SetupServiceKey\r\nNetwork\r\nBase64-encoded PE files transferred over the 
wire\r\nSamples\r\nReferences\r\n1: https://twitter.com/vk_intel/status/1207917643291910144\r\n2: https://en.wikipedia.org/wiki/ROT13\r\n3: http://prsecurity.org/2019-valak-c2.html\r\n4: https://www.zdnet.com/article/this-phishing-trick-steals-your-email-and-then-fools-your-friends-into-downloading-malware/\r\n5: https://app.any.run/tasks/8e5b6f19-c3e5-4c87-87ac-8c8e012cbb5f/\r\n6: https://www-cybereason-com.cdn.ampproject.org/c/s/www.cybereason.com/blog/valak-more-than-meets-the-eye\r\n7: https://securityxploded.com/outlookpasswordsecrets.php\r\n8: https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/\r\nSource: https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/"
	],
	"report_names": [
		"valak-malware-and-the-connection-to-gozi-loader-confcrew"
	],
	"threat_actors": [],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa65b48dcb7c7fa36b346fcd9af8161332dbee5e.pdf",
		"text": "https://archive.orkl.eu/aa65b48dcb7c7fa36b346fcd9af8161332dbee5e.txt",
		"img": "https://archive.orkl.eu/aa65b48dcb7c7fa36b346fcd9af8161332dbee5e.jpg"
	}
}