From labs.sentinelone.com
![](https://labs.sentinelone.com/wp-content/uploads/2020/06/Valak-Malware-and-the-Connection-to-Gozi-Loader-ConfCrew-1-1140x597.jpg)
- Valak is multi-stage, script-based malware used in campaigns reminiscent of Gozi ConfCrew.
- The overlapping campaign structure has led to some sandbox reports misidentifying Valak as Gozi.
- Emails are harvested and used in ‘Reply Chain Attacks’ to further spread the malware with a purpose-built plugin, ‘exchgrabber’.
- A newly discovered plugin called ‘clientgrabber’ is also used to steal email credentials from the registry.