
Valak 2.0 malware loader turns enterprise data stealer


Valak, a malware that cybersecurity experts previously classified as a loader, has transformed into a “potent” cyber threat over the last six months, going through numerous upgrades, with more than 24 versions seen on its journey from malware loader to major threat, according to Cybereason's Nocturnus team.

Team Nocturnus stated that the threat, which first emerged in the last quarter of 2019 as a malware loader, has been recorded in recent campaigns against individuals and enterprises, mainly in Germany and the USA, with new features that make it a data stealer; earlier versions (v1, v2) were bundled with the IcedID and Ursnif banking Trojan payloads.

Assaf Dahan, head of threat research at Cybereason, said the developers of Valak must have collaborated with other hackers to adopt a malware-as-a-service (MaaS) model. The recent versions of Valak were designed to steal passwords, email information and enterprise certificates from Microsoft Exchange servers; if successful, the attackers gain access to vital enterprise accounts, resulting in brand damage and data loss.

The Latest Valak Malware – Valak 2.0

The latest Valak version boasts a fileless stage that stores elements in the registry, scans the infected system's geolocation, carries at least six plugin elements that let cybercriminals steal system, user and network information from infected hosts, and can download other malware and more plugins.

Lior Rocheberger and Eli Salem, authors of Cybereason's analysis of the new variants, said the most “intriguing addition” to Valak was a “PluginHost” element that transmits “data to C2 server for downloading additional plugins.” They also warned of an uptick in fileless malware attacks, because Valak's developers have adopted evasive techniques such as ADS, an advanced way of hiding elements in the registry, and have discontinued the use of PowerShell, which most security products can now easily detect and block.
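Because the article's main defensive takeaway is that the payload now lives in the registry rather than on disk or in a PowerShell command line, a practitioner will want a detection angle that does not depend on either. The script below is an added example written for this page; it is not Cybereason's tooling or any code from the Valak analysis, and it uses no Valak indicators. It assumes generic registry "value set" telemetry (as Sysmon or an EDR would emit) already parsed into records, and all events, paths and process names in it are constructed for illustration. It scores each write on four hypothetical signals: an unusually large value, a base64-looking high-entropy blob, an autorun location, and a scripting host as the writing process.

```python
import base64
import math
import re
from collections import Counter

# Constructed registry "value set" events (not real Valak artifacts).
# Key paths and process names are generic placeholders chosen for illustration.
SAMPLE_EVENTS = [
    {   # suspicious: script host writes a large encoded blob under a Run key
        "proc": "C:\\Windows\\System32\\wscript.exe",
        "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
        "data": base64.b64encode(bytes(range(256)) * 20).decode(),
    },
    {   # benign: shell writes a tiny setting
        "proc": "C:\\Windows\\explorer.exe",
        "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "data": "1",
    },
    {   # benign: an installer writes a large but plain-text configuration value
        "proc": "C:\\Program Files\\ExampleApp\\setup.exe",
        "key": "HKCU\\Software\\ExampleApp\\Config",
        "data": "{\"install_path\": \"C:\\\\Program Files\\\\ExampleApp\", " + "\"feature\": true, " * 120 + "\"end\": 0}",
    },
    {   # benign: a legitimate startup entry (autorun key, but small path value)
        "proc": "C:\\Program Files\\ExampleApp\\setup.exe",
        "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp",
        "data": "C:\\Program Files\\ExampleApp\\app.exe",
    },
]

# Hypothetical heuristics; tune these for your own environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
AUTORUN_HINTS = ("\\currentversion\\run", "\\currentversion\\runonce")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SIZE_THRESHOLD = 1024     # bytes of value data considered "large"
ENTROPY_THRESHOLD = 4.5   # bits/char; base64 of random data approaches 6.0


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for empty or uniform text)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def assess(event: dict) -> list:
    """Return the list of signals a single registry write triggers."""
    reasons = []
    data = event["data"]
    key = event["key"].lower()
    proc = event["proc"].rsplit("\\", 1)[-1].lower()

    if len(data) >= SIZE_THRESHOLD:
        reasons.append("large-value")
        # Only a large value is worth the entropy check; short values are noise.
        if BASE64_RE.match(data) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            reasons.append("encoded-blob")
    if any(hint in key for hint in AUTORUN_HINTS):
        reasons.append("autorun-key")
    if proc in SCRIPT_HOSTS:
        reasons.append("script-host-writer")
    return reasons


def triage(events: list, min_signals: int = 2) -> list:
    """Return (key, reasons) for events that trip at least min_signals signals.

    A single signal (a big config blob, or a normal startup entry) is common on
    healthy hosts; requiring two keeps the alert volume manageable.
    """
    hits = []
    for event in events:
        reasons = assess(event)
        if len(reasons) >= min_signals:
            hits.append((event["key"], reasons))
    return hits


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {key}: {', '.join(reasons)}")
```

Feeding real telemetry into `triage` is a matter of mapping your log source's fields onto `proc`, `key` and `data`; the thresholds and the script-host list are starting points, not tuned values, and the combination rule (two or more signals) is what keeps a large-but-legitimate configuration value or an ordinary startup entry from alerting on its own.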

Currently Valak has reached version 25, and the malware code hints at links to the Russian-speaking underground community; researchers have yet to understand the relationship between Valak, IcedID and Ursnif, but suspect the groups may be collaborating.

Marie Beaujolie
Marie Beaujolie is a computer network engineer and content writer from Paris. She is passionate about technology and exploring new ways to make people’s lives easier. Marie has been working in the IT industry for many years and has a wealth of knowledge about computer security and best practices. She is a regular contributor for SecureBlitz.com, where she writes about the latest trends and news in the cyber security industry. Marie is committed to helping people stay safe online and encouraging them to take the necessary steps to protect their data.
