Valak 2.0 Steals Data From US, German Companies


Valak, a malware loader has come back with a new undertaking in the form of Valak 2.0, said Cybereason. It has been observed to do reconnaissance jobs and information-stealing activities targeting enterprises in the United States and Germany.

A cybersecurity team from Cybereason studied the re-tasked malware to understand its new operations. It uses a modular architecture to adapt to various plugin components to perform its tasks.


The team pointed out that Valak 2.0 has been heavily targeting organizations from the US and Germany. According to the researchers’ report, the 2.0 version has been targeting Microsoft Exchange servers to steal contact information along with passwords and enterprise certificates.

Valak 2.0 Steals Data

With such data in the wrong hands, the experts warn that the attackers can gain unauthorized access to important accounts in the enterprise. This can lead to great harm to the organization in the form of brand degradation and consumer distrust.


A report by Ports Wigger explained that “Valak has at least six plugin components that allow attackers to pilfer user, machine, and network information from infected hosts.” Moreover, it can download and inject malware and other plugins, increasing its capabilities.

Previously, Valak was a malware loader that was first used against US companies, alongside Ursnif and IcedID. This means that it only downloaded other known malicious software such as the aforementioned.

The developers took huge leaps in reinforcing the attacks. One of the most important improvements is its new payload obfuscation method, which does complex decryption.

Moreover, it now has a plugin management component, PowerShell activity, and new and improved infrastructure. Its current version is 24.

The new version of the malware enters the system usually through phishing emails containing malicious files. The most common method is through the download of Microsoft Word files containing malicious macro codes that downloads a DLL file.

This then launches a series of steps that includes downloading and running payloads that ultimately leads to the reconnaissance and stealing of information.

Consumers are warned against opening suspicious emails, as well as downloading and executing files from unknown messages. Users should also use a cybersecurity program that can filter emails, prevent and address any infiltration, and make repairs.

Investing in training and education about cybersecurity is also advised to ensure that users know how to protect themselves from phishing emails and falling victim to Valak 2.0’s reconnaissance and info-stealing activities.