Valak

Malware updated 4 months ago (2024-05-04T20:18:20.002Z)
Valak is malware that infiltrates systems in order to exploit and damage them, and it is best known as a malware downloader: its role in an infection chain is to fetch and install further payloads rather than to act as the final stage, with IcedID frequently observed as that follow-up. It was distributed by the threat actor TA551, which has historically pushed families of information-stealing malware such as Ursnif and IcedID. Valak has been active since 2016 and was initially disseminated by Hive0106, another threat group, alongside other payloads such as IcedID and QakBot.

On December 19, 2019, a Windows host that TA551 had infected with Ursnif also received IcedID and Valak as follow-up malware, a significant event in the proliferation of Valak. TA551 continued to distribute Valak until early July 2020. During this period, English-speaking recipients were the primary targets, and IcedID was frequently observed as follow-up malware from these infections.

TA551's tactics evolved over time. By mid-to-late July 2021, the group had moved away from malware downloaders such as Valak and Ursnif and begun deploying IcedID directly. This change in tactics marked the end of Valak deployment by TA551.
Description last updated: 2024-05-04T19:26:06.999Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Valak Malware was read from the documents corpus below.

Source   Created       Title
MITRE    9 months ago  Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
MITRE    2 years ago   TA551: Email Attack Campaign Switches from Valak to IcedID
MITRE    2 years ago   Evolution of Valak, from Its Beginnings to Mass Distribution
MITRE    2 years ago   Cybereason vs. WhisperGate and HermeticWiper
CERT-EU  2 years ago   South American Cyberspies Impersonate Colombian Government in Recent Campaign