{
	"id": "8517d979-0ffe-4e22-9410-44a368c84036",
	"created_at": "2026-04-06T00:07:48.212558Z",
	"updated_at": "2026-04-10T03:21:16.920716Z",
	"deleted_at": null,
	"sha1_hash": "c75625e8fcbcd7999caece8437c8df6c8bfdf8b9",
	"title": "Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1251584,
	"plain_text": "Threat Spotlight: Valak Slithers Its Way Into Manufacturing and\r\nTransportation Networks\r\nBy Edmund Brumaghin\r\nPublished: 2020-07-01 · Archived: 2026-04-05 19:17:27 UTC\r\nWednesday, July 1, 2020 11:02\r\nBy Nick Biasini, Edmund Brumaghin and Mariano Graziano.\r\nThreat summary\r\nAttackers are actively distributing the Valak malware family around the globe, with enterprises, in\r\nparticular, being targeted.\r\nThese campaigns make use of existing email threads from compromised accounts to greatly increase\r\nsuccess.\r\nThe additional use of password-protected ZIP files can create a blind spot in security protections.\r\nThe overwhelming majority of campaigns occurred over the last couple of months and targeted\r\norganizations in the financial, manufacturing, health care and insurance verticals.\r\nExecutive summary\r\nValak is a modular information-stealer that attackers have deployed to various\r\ncountries since early-to-mid 2019. While Valak features a robust feature set, it is\r\noften observed alongside secondary malware payloads, including Gozi/Ursnif and\r\nIcedID. This malware is typically delivered via malicious spam email campaigns\r\nhttps://blog.talosintelligence.com/2020/07/valak-emerges.html\r\nPage 1 of 19\n\nthat leverage password-protected ZIP archives to evade detection by email security\r\nsolutions that may inspect the contents of emails entering corporate networks.\r\nWhile previous analysis focused on campaigns targeting the United States and\r\nGermany, Cisco Talos has observed ongoing campaigns targeting other geographic\r\nregions including countries in North America, South America, Europe and likely\r\nothers. 
The email campaigns distributing downloaders associated with Valak also\r\nappear to be leveraging existing email threads to lend credibility to the emails and\r\nincrease the likelihood that victims will open file attachments and initiate the\r\nValak infection process.\r\nWhat's new?\r\nValak is a relatively new stealer that has greatly increased its distribution over the last several\r\nmonths. By using stolen email threads and password-protected ZIP files, Valak has enjoyed\r\nsuccess compromising enterprises. Research shows that organizations are targeted repeatedly by\r\nValak in hopes of monetary gain.\r\nHow did it work?\r\nValak is spread through malspam campaigns. What makes this threat unique is its repeated use of\r\nstolen email threads. By replying to existing conversations with their targets, the actors behind\r\nValak greatly increased their success rate. Finally, the email attachments are password-protected,\r\npreventing content analysis and inspection prior to reaching a user's desktop.\r\nSo what?\r\nThe campaigns we analyzed have targeted major organizations in verticals such as energy, health\r\ncare, finance, manufacturing and insurance. These targets need to be aware that existing email\r\nthreads are being hijacked with success, and organizations will need to decide how to address\r\nemails with password-protected attachments, if they accept them at all. As we continue to get\r\nbetter at detecting and blocking spam messages, adversaries will continue to move to novel\r\napproaches, like email thread hijacking.\r\nMalspam campaigns\r\nIn most of the email campaigns observed, the emails consist of a reply message\r\nwithin an existing email thread. In some cases, the previous messages in the email\r\nthreads were several years old. The emails reference an attached ZIP archive and\r\nprovide a password that can be used to extract the contents of the archive.\r\nIn our analysis, we've identified a couple of patterns to highlight. 
One of the most important findings is how this\r\ngroup appears to be targeting its victims. During our research, we found Valak targeting financial, manufacturing,\r\ninsurance and transportation organizations. This included multiple attempts to deliver malspam from different\r\nsources. Please note that due to the use of stolen email threads, the emails are heavily redacted to protect the\r\nprivacy of all parties involved.\r\nFinancials targeted\r\nIn this example, we will walk through emails observed over the course of a week directed at a\r\nsingle financial institution. The modus operandi for this group is to use stolen/hijacked email\r\nthreads to send reply emails to target organizations. Below is the first example we saw directed at\r\nthe financial institution in question.\r\nThis email arrived early in the morning and was a response to an email from a couple of months earlier, in late\r\nFebruary. Note the basic body, with a password-protected ZIP file. As is also common with these attacks, email\r\nsignatures are present. A few hours later, several other emails arrived — all from the same compromised\r\nemail account. Each of these emails is addressed to a single unique recipient. This is something else we commonly\r\nsaw — if there was an email thread with many participants, the actors chose to send a single email message to\r\neach user instead of replying to all or sending a single email to multiple targets.\r\nThe second email is similar to the first with one notable exception. This is a response to an email sent more\r\nthan two years ago, in late March 2018. 
This was the first indicator that these actors are hunting through the email\r\naccounts they have compromised looking for ways to effectively target potential victims. Throughout the day, the\r\nemails would continue from this one email account.\r\nThe third email received was associated with an email thread from December 2017, but again is a response to an\r\nexisting email thread that this particular email account had with the target.\r\nThis final email from this account was a reply dating back to March 2018. The compromised account in question\r\nwas associated with a real estate company, so the emails ranged from information about properties and financing\r\nto showings and general friendly emails between associates. This highlights why these campaigns can have a high\r\nsuccess rate: They are sent from existing email threads between colleagues or acquaintances. This simple change\r\nwill greatly increase the likelihood of success. This combined with password-protected ZIP files can defeat a lot of\r\nemail security and increase the likelihood of the email hitting the target's inbox.\r\nHowever, this particular email account was not the only one attempting to compromise this bank. We found\r\nseveral other examples that were received later that same day. This second batch of requests shows a group that\r\nisn't looking for the best quality email threads to reply to.\r\nIn the case above, the adversaries hijacked an automated email sent by LinkedIn after two users connect. Where\r\nthe previous examples were tied to more robust email threads, this is an example of a less sophisticated attempt to\r\ncompromise the same financial institution.\r\nIn this next example, on that same date, another email account was used to try and lure the victim to infect\r\nthemselves with Valak. 
This particular thread was personal and associated with raffle prize winnings, again not\r\nnecessarily the most effective avenue of attack, but these actors are opportunistic and appear to be willing to try\r\nmultiple lures against a target organization, regardless of the sophistication or relevance to the intended recipient.\r\nThese actors were not done trying to compromise this particular organization. Later in the week, we observed\r\nanother attempt, this time originating from the account of an IT consultant.\r\nThis final example was in reference to an ongoing IT project the consultant was involved in; as you can imagine,\r\nthis could be an increasingly effective lure.\r\nOver the course of our investigation, we found 14 unique emails sent over a period of 10 days. These emails were\r\nassociated with eight different compromised email accounts and addressed a wide variety of topics, again\r\nreiterating the actors' use of all emails they can find associated with a specific target, in this case, a financial\r\ninstitution.\r\nInsurer targeted\r\nFinancial institutions weren't the only organizations we observed being targeted by Valak\r\ncampaigns. We also observed large insurance companies being targeted. In this example,\r\nan insurer was targeted using a variety of different avenues. These included responses to affidavit\r\nemail threads from compromised email accounts at law firms, as shown below.\r\nThis is a response to an email that was generated by a state court system. 
By abusing a lawyer's email account, the\r\nattackers are again increasing the likelihood of success, as lawyers will commonly send documents to clients, co-workers, and other colleagues.\r\nOther examples of lures sent to the insurer include personal threads related to religious activities around the\r\nholidays and even individual users emailing about their respective policies with their insurance agents, an example\r\nof which is shown below. In the case of the insurer, we found more than 20 emails sent over a period of several\r\nweeks from eight different email accounts. This again reinforces how organizations are being targeted by these\r\nValak campaigns.\r\nThese are just a handful of the email messages that we saw being abused by these actors. One thing to note about\r\nthe law firm mentioned above is that during our research we found that several of the email accounts at that firm\r\nwere being used to target a variety of organizations, including other law firms. This does indicate that at least\r\nsome of these emails may be associated with larger, longer-term compromises.\r\nPassword-protected attachment usage\r\nOne commonality to all the observed Valak campaigns is the use of password-protected\r\nattachments. There is an obvious tradeoff for the adversary in using these methods. By password-protecting\r\nthe ZIP file, they will bypass a lot of detection technologies, but it may also decrease\r\neffectiveness. During our investigation we were able to find examples of these malspam messages\r\nbeing forwarded around an organization and, in some cases, to internal IT support personnel, to\r\ntry and determine how to extract the contents. This really illustrates two points. 
The first is that it\r\nwas able to bypass what email security, if any, was present at the enterprises in question.\r\nAdditionally, it shows that not all users are savvy enough to open password-protected attachments,\r\nand this may prevent users who would otherwise be susceptible to this attack from being able to infect\r\nthemselves.\r\nDuring the investigation, we observed that the same passwords were often leveraged across multiple targets and\r\nmalspam campaigns and did not appear to be specific to any individual organization.\r\nLanguages targeted\r\nIn the examples to this point, we focused on the English-language campaigns we uncovered.\r\nHowever, English was not the only language we found attackers leveraging. We also identified\r\nseveral other campaigns, including campaigns in German, like one targeting a transportation\r\norganization. An email associated with this German campaign is shown below.\r\nOne interesting note related to the German campaign: many of the threads they were leveraging were in\r\nEnglish, but the malicious reply message was always in German, something that would likely stand out to\r\npotential victims.\r\nIn addition to German campaigns, we also found some targeting email threads in Spanish. In this case, the threads\r\nwere in Spanish, but the malspam responses were in English, an example of which you can find below. Please note\r\nthat I have left the salutations in the emails to denote the use of Spanish, as the majority of the text needs to be\r\nredacted.\r\nEvidence of consumer targeting\r\nWhile the majority of the emails we have observed distributing Valak are tied to enterprises, they\r\nare not the only targets. 
During our investigation, we found examples of attempts being made\r\nagainst personal email accounts, and in some cases, the adversaries made some poor choices as to\r\nwhich emails to respond to. This shows a divergent approach from what we saw in some of the\r\nmore targeted emails, which included accurate signature blocks and replies to relevant threads.\r\nAs an example of one of these failures, we show here the actors responding to what is obviously dating spam,\r\ntrying to entice the user to send an email to a third email account for further compromise. The Valak distributors\r\nstill tried to respond as if it were a legitimate email, showing that the automation they are using has its faults.\r\nIn another email mistake, the actors actually responded to what is clearly pharmaceutical spam and is not even a\r\nremotely legitimate email thread.\r\nThere were a handful of other obvious spam messages that these actors replied to during these campaigns. It is\r\nworth noting that these messages make up a much smaller percentage than those we saw targeting larger\r\nenterprises.\r\nHowever, it does point to two separate campaigns that may be ongoing: one that is targeting specific\r\norganizations with an array of email messages from multiple different accounts, and another that appears to be\r\nresponding to a wide array of emails directed at end-users, without much consideration for what thread the reply\r\noriginated from.\r\nInitial infection process\r\nAs previously mentioned, the emails associated with these distribution campaigns\r\nfeature the use of password-protected ZIP archives. By encrypting the contents of\r\nthe email attachments, the attackers can ensure that content inspection and\r\ndetection capabilities are unable to properly evaluate them. 
This also allows them\r\nto evade some automated analysis environments like sandboxes, as user interaction\r\nis required to decrypt the ZIP archives.\r\nMicrosoft Word documents inside these ZIP archives are used to initiate the Valak infection. Most of the\r\ndocuments analyzed feature the use of decoy images similar to the document in the example below; however, they\r\nwere localized, with different language sets being used to display a message to potential victims instructing them\r\nto enable macros.\r\nWhen enabled, the embedded VBA macros function as a downloader and handle retrieving and executing the DLL\r\nassociated with Valak.\r\nThe URL used to retrieve the malicious DLL has been obfuscated.\r\nThe previous series of arrays contain the URL hosting the malicious DLL as well as the local storage location\r\nwhere the DLL will be stored:\r\nThe DLL is then retrieved from an attacker-controlled web server using UrlDownloadToFileA.\r\nThe DLL is then registered using regsvr32.exe, which initiates the Valak infection process. The infection process\r\nhas been covered extensively here and here. Valak is a continuously evolving, modular malware family that\r\nfeatures robust capabilities and is successful at infecting systems across the various geographic regions targeted by\r\nthese attackers. Over the past few weeks, Cisco Talos observed multiple changes to the way in which Valak is\r\nretrieved, as well as an increase in the level of obfuscation in the configuration file used by the malware's later\r\nstages. 
Recently, it appears that Valak is also leveraging compromised CMS servers to distribute the initial Valak\r\nDLL, an example of which is below:\r\nhttp://digifish3[.]com/blog/wp-content/themes/busify/_eWTFIH4ngoi2PJUl.php?x=MDAwMSBskYeC02Ql3VG8Ae9TVFHu6uY34q\r\nAs previous analysis focused on the infection process itself, we will focus on analyzing the characteristics\r\nassociated with the distribution and C2 infrastructure associated with this threat.\r\nCampaign analysis\r\nSpam volume and victimology\r\nTalos was able to track the campaigns back to early 2020, with a couple of samples from early in\r\nthe year. However, the activity really appeared to explode over the last several months. As you can\r\nsee below, the activity in May and early June accounted for more than 95% of the overall Valak\r\nactivity.\r\nThe Valak campaigns aren't marked with huge amounts of emails, but given that they are curating the emails they\r\nare sending from existing email threads, it makes logical sense. This use of stolen email threads and password-protected ZIPs has been successful for the group delivering Valak, so the likelihood of imposters is relatively high.\r\nValak distribution servers\r\nDuring the analysis of Valak distribution infrastructure, we observed DNS updates being made\r\nfrequently as new campaigns were launched by attackers. 
To track the movement of malicious\r\ndomains across the attacker infrastructure, we used passive DNS data to identify the servers being\r\nused to deliver the initial Valak DLL to victims.\r\nWe discovered that a large portion of the infrastructure used to deliver the initial DLL was hosted across a\r\nrelatively small number of hosting providers with servers primarily located in Russia and Ukraine.\r\nValak C2 servers\r\nIn addition to the infrastructure being used for the initial distribution of the DLL associated with\r\nValak, infected systems also communicate with C2 servers to transfer information and attempt to\r\nobtain additional modules and instructions to perform. In analyzing the C2 infrastructure\r\nassociated with various Valak campaigns, we observed the same infrastructure associated with a\r\nmyriad of other malicious activities. Additionally, in multiple instances, passive DNS telemetry\r\nindicates that some of the systems used for C2 may have also been leveraged as part of the\r\nMyKings and Dark Cloud botnets; however, this may be coincidental and not intentional on the\r\npart of the attackers.\r\nWhile the majority of the servers used to distribute the initial Valak DLL files were hosted in a relatively small\r\nnumber of different geographic regions, the C2 servers used to administer the botnet were spread out across a\r\nlarger number of regions. Many of the servers were hosted in the United States. Below is a high-level overview of\r\nthe geographic region of the servers used for C2.\r\nThe campaigns associated with Valak appear to be relatively successful, likely because of perimeter security\r\ncontrols being unable to scan the initial attachments being sent to potential victims. 
Below is a graph showing the\r\nDNS activity from systems likely infected with Valak attempting to communicate with one of the Valak C2\r\nservers. As soon as the distribution campaigns that leveraged this domain became active, infected systems\r\nimmediately began beaconing. Due to the way that C2 has been implemented, infected systems are continuously\r\nestablishing connections to malicious infrastructure, creating a consistent amount of DNS-related traffic.\r\nConclusion\r\nIn a world where malspam is constantly being created and sent, the goal is to get to\r\ninboxes. We as an industry are always getting better at detecting malspam, and\r\nadversaries are always going to be looking for ways to move ahead. We've seen\r\nwith Emotet before and now with Valak that stolen email is an effective way to\r\nincrease not only the likelihood of reaching a user's inbox but also the likelihood that the user will\r\nbe receptive to the malspam.\r\nOnce you combine that with the use of password-protected ZIP files, the effect can be quite successful. As we've\r\nshown throughout this blog, these Valak campaigns have proceeded, and the resulting command and control traffic\r\nindicates they have been productive. This puts organizations in a tough position. The use of stolen email threads means\r\nthat the emails are unlikely to be blocked based on content, and the use of password-protected ZIPs prevents most\r\nscanning. Organizations need to make a decision on whether or not they want to allow password-protected files to\r\nbe sent via email. Depending on the vertical and the organization, this may or may not be a valid option for\r\nmitigation.\r\nBy allowing password-protected files to be sent via email, endpoint security largely becomes the final bastion\r\nbefore a compromise occurs. This key technology is only getting more important as encryption on the wire and\r\nsophisticated evasion become standard. 
Enterprises also need to be adjusting hunting activities to look at what\r\nappear to be legitimate email threads and potentially isolating all unscannable files received via email or through\r\nother means.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat. For specific OSqueries on this threat, click here.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. 
The following SIDs have been released to detect this threat: 54401-54404.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise have been observed as being associated\r\nwith Valak.\r\nHashes\r\nA list of file hashes (SHA256) that have been observed as being associated with Valak can\r\nbe found here.\r\nDomains\r\nA list of domains that have been observed as being associated with Valak can be found\r\nhere.\r\nIP Addresses\r\nA list of IP addresses that have been observed as being associated with Valak can be\r\nfound here.\r\nSource: https://blog.talosintelligence.com/2020/07/valak-emerges.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/07/valak-emerges.html"
	],
	"report_names": [
		"valak-emerges.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434068,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c75625e8fcbcd7999caece8437c8df6c8bfdf8b9.pdf",
		"text": "https://archive.orkl.eu/c75625e8fcbcd7999caece8437c8df6c8bfdf8b9.txt",
		"img": "https://archive.orkl.eu/c75625e8fcbcd7999caece8437c8df6c8bfdf8b9.jpg"
	}
}