Threat Actors Leveraging Foxit PDF Reader to Gain System Control and Steal Sensitive Data


Cybercriminals have discovered a clever way to slip malware onto job seekers’ computers by disguising malicious files as legitimate recruitment documents.

A new campaign called ValleyRAT targets people actively searching for employment through email messages containing fake job offers and company materials.

The attack spreads through compressed archive files with names designed to seem professional, such as “Overview_of_Work_Expectations.zip” or “Candidate_Skills_Assessment_Test.rar.”

When unsuspecting job applicants open these files, they unknowingly invite a dangerous remote access trojan onto their systems.

The campaign’s main trick involves exploiting the popular Foxit PDF Reader. Inside each malicious archive is a disguised executable file that appears to be the real Foxit application, complete with the program’s recognizable icon.

Decoy file containing details of a job opening (Source -Trend Micro)

Users see the familiar PDF symbol and assume they are opening a simple document, unaware that the file actually contains hidden malware designed to take control of their computers.


Beyond the initial deceit, cybercriminals employ a technical method called DLL side-loading to activate the malicious payload without raising alarms.
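The two static tells described above, an executable wearing a document name and a DLL sitting beside it inside the archive, can be checked before anything is run. The following triage script is an added example for this article and is not code from Trend Micro or from the article; the archive it inspects is constructed in memory with entries modeled on the lure (the file names and the msimg32.dll sidecar are assumptions for the sample, not indicators taken from the report).

```python
import io
import zipfile

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE (exe/dll) file
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure layout: a renamed executable with a
    document-looking name, a DLL next to it, and a genuine-looking PDF decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        folder = "Overview_of_Work_Expectations/"
        zf.writestr(folder + "Job_Description.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr(folder + "msimg32.dll", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr(folder + "Job_Offer.pdf", b"%PDF-1.7\n%decoy document\n")
    return buf.getvalue()


def triage_archive(data: bytes) -> list:
    """Flag archive members that are executables or that try to look like documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            reasons = []
            is_pe = head.startswith(PE_MAGIC)
            has_exec_ext = lower.endswith(EXECUTABLE_SUFFIXES)
            if is_pe:
                reasons.append("PE header (MZ)")
            if has_exec_ext:
                reasons.append("executable extension")
            if is_pe and not has_exec_ext:
                reasons.append("PE content under non-executable extension")
            parts = lower.rsplit("/", 1)[-1].split(".")
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
                reasons.append("document extension hidden before executable extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def sideload_candidates(data: bytes) -> list:
    """Folders holding both an .exe and a .dll: the side-by-side layout DLL
    side-loading requires (the trusted loader next to its hijacked library)."""
    exts_by_folder = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, fname = info.filename.rpartition("/")
            ext = fname.lower().rsplit(".", 1)[-1] if "." in fname else ""
            exts_by_folder.setdefault(folder, set()).add(ext)
    return sorted(f for f, exts in exts_by_folder.items() if {"exe", "dll"} <= exts)


if __name__ == "__main__":
    sample = build_sample_archive()
    for f in triage_archive(sample):
        print(f["name"], "->", ", ".join(f["reasons"]))
    print("side-loading layout in:", sideload_candidates(sample))
```

Content checks (the MZ magic) matter more than names here: the decoy PDF is left alone because its bytes are not a PE, while an executable is flagged even if its extension were changed. The exe-plus-dll folder test is a coarse heuristic and will also match legitimate portable applications, so treat it as a reason to look closer rather than a verdict.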

Trend Micro security researchers identified this sophisticated campaign after observing a significant spike in ValleyRAT detections during late October.

The malware’s success stems from combining multiple attack techniques that work seamlessly together.

ValleyRAT infection chain (Source -Trend Micro)

Social engineering lures prey on the emotional stress of job hunting, making targets less cautious about what they download.

Fake folder structures and hidden directories add layers of confusion, helping the malware evade detection.

Once activated, the malware silently runs in the background while the user views a convincing job posting on the screen.

Understanding the Infection Chain

The infection process unfolds through a carefully orchestrated sequence. When a user clicks the renamed Foxit executable, a malicious library (msimg32.dll) placed alongside it is automatically loaded via Windows’ DLL search order, the side-loading technique described above.

Execution of document.bat (Source -Trend Micro)

This triggers a batch script that extracts a hidden Python environment stored within seemingly innocent document files. The Python interpreter then downloads and executes a malicious script containing shellcode, which ultimately deploys the full ValleyRAT trojan.

The malware establishes persistence by creating registry entries that ensure it survives system restarts.
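The chain above leaves a detectable footprint at its first step: a legitimately named process loading a DLL that should only ever come from a Windows system directory. The hunting logic below is an added example for this article, not code from Trend Micro or the article; it runs over constructed image-load records written as key=value lines with field names borrowed from Sysmon Event ID 7 (Image, ImageLoaded, Signed), and the user paths, folder names and signing results in the sample are assumptions, not indicators from the report.

```python
import ntpath
import re

# Constructed sample telemetry (not real logs). One line per image-load event.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe "
    "ImageLoaded=C:\\Windows\\System32\\msimg32.dll Signed=true",
    "Image=C:\\Users\\alice\\Downloads\\Overview_of_Work_Expectations\\FoxitPDFReader.exe "
    "ImageLoaded=C:\\Users\\alice\\Downloads\\Overview_of_Work_Expectations\\msimg32.dll Signed=false",
    "Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\SysWOW64\\msimg32.dll Signed=true",
]

# Directories from which a system DLL is legitimately loaded (lower-cased prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names worth watching; msimg32.dll is the one named in the article.
WATCHED_DLLS = {"msimg32.dll"}
# Locations a user-installed reader is expected to run from (assumption for the sample).
TRUSTED_PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# key=value pairs whose values may contain spaces; stop before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def classify(event: dict) -> list:
    """Return the reasons an image-load event looks like DLL side-loading (empty if benign)."""
    loaded = event.get("ImageLoaded", "")
    image = event.get("Image", "")
    dll_name = ntpath.basename(loaded).lower()
    if dll_name not in WATCHED_DLLS:
        return []
    reasons = []
    if not loaded.lower().startswith(SYSTEM_DIRS):
        reasons.append("system DLL loaded from outside a Windows system directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    if same_dir and not image.lower().startswith(TRUSTED_PROGRAM_DIRS):
        reasons.append("loader and DLL side by side outside Program Files")
    return reasons


def hunt(lines: list) -> list:
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append({"process": ev.get("Image"), "dll": ev.get("ImageLoaded"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["process"], "loaded", hit["dll"], "->", "; ".join(hit["reasons"]))
```

The first rule (a known system DLL resolved from somewhere other than System32 or SysWOW64) is the one that survives renaming of the lure, because the loader's search order is what the technique depends on. The signing and same-directory rules add confidence but depend on the telemetry source recording those fields.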

Once installed, ValleyRAT gives attackers complete control over compromised machines. The trojan can monitor user activity, steal sensitive information from web browsers, and extract valuable data from infected systems.

Evidence shows the malware explicitly targets passwords and login credentials stored by popular browsers, making it a significant threat to personal financial security and identity protection.

Job seekers and human resources professionals remain the primary targets, though the campaign continues to evolve to reach broader audiences.
