Valak is a multi-stage, script-based malware package that researchers have observed re-using Gozi’s infrastructure. Once installed, Valak captures emails from the system, weaponizes them, and then sends them out in what is known as a “Reply Chain Attack”. The concept behind this form of attack is that users may be trained to recognize phishing emails, but if an incoming email appears to be part of a discussion thread they were already involved in, their guard may be relaxed. It also means that the attackers do not have to invest time and effort in creating email accounts that look legitimate. As for the confusion with Gozi: in a recent campaign utilizing Valak, the final payload delivery steps were quite similar to those of a Gozi infection and actually used the same storage server that Gozi attacks had used.