EXECUTIVE SUMMARY:
This report summarizes ongoing investigations into the ValleyRAT malware family, also known as Winos or Winos4.0. ValleyRAT is described as a modular, multi-component backdoor commonly observed across various campaigns, yet previous public documentation on it had been limited or fragmentary. To build a more complete picture, the analysis draws on leaked builder tools and development artefacts, including Visual Studio project structures, discovered across multiple online repositories. Although full source code was not available, project metadata, binary components, and builder-generated modules were sufficient to reconstruct the plugin ecosystem and understand how the malware functions as an integrated framework. The introduction notes that many of the repositories examined had been tampered with or repackaged with additional payloads, making it difficult to isolate legitimate development artefacts, but a consistent set of structures was eventually identified. The focus is on examining ValleyRAT as a complete modular system rather than as isolated binaries, offering a unified view of its plugin-based architecture, operational workflow, and the techniques it employs during real-world activity.
The technical analysis explores ValleyRAT’s internal makeup, emphasizing its extensive plugin library and the presence of a kernel-mode rootkit packaged within the “Driver Plugin”. The builder tool contains 38 primary plugins in 32-bit and 64-bit versions, each serving a specialized malicious function such as arbitrary command execution, keylogging, credential theft, screen capture, proxy operations, and DDoS-style stress activity. These modules communicate with command-and-control servers through custom encryption, allowing remote operators to issue tasks dynamically. The most complex component is the kernel-mode driver, supported by a user-mode controller that communicates with the driver via IOCTL codes. This structure enables advanced capabilities including stealth installation, protected-process handling, forced deletion of files and services, and code injection through APC mechanisms. The driver appears to be based on pre-existing open-source material but has been significantly refactored to remain compatible with contemporary Windows environments, including Windows 10 and 11. Enhancements include expanded persistence logic, improved concealment mechanisms, and refined injection procedures that align with the broader plugin ecosystem. Overall, this section demonstrates that ValleyRAT’s architecture is mature, cohesive, and designed for long-term adaptability across diverse attack scenarios.
The conclusion summarizes the comprehensive breakdown of ValleyRAT’s multi-stage backdoor framework, highlighting how the modular design, extensive plugin set, and kernel-mode components collectively form a highly capable malware platform. The analysis contributes to a clearer understanding of an actively used threat family whose development quality reflects deep familiarity with Windows internals and modern defensive controls. An important observation is that certain rootkit drivers tied to ValleyRAT were found deployed with technically valid digital signatures, enabling them to load even on fully patched Windows 11 systems that have protections like HVCI and Secure Boot enabled. This elevates the threat profile by demonstrating the malware’s ability to bypass hardened environments. Additionally, the public spread of the ValleyRAT builder and supporting artefacts coincides with a notable increase in detections across the threat landscape, indicating that more actors may be adopting or modifying the toolset. As a result, historical correlations with specific groups have become less definitive, and ValleyRAT now functions as a broadly accessible, evolving platform. The report concludes that continued monitoring and deeper technical visibility will be essential as the malware’s availability and sophistication continue to expand.
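The practical consequence of the signed-driver finding above is that a host can be fully patched, with HVCI and Secure Boot on, and still be running a third-party kernel driver it should not trust. The following PowerShell is an added example written for this summary; it is not code from the Check Point report or from the ValleyRAT artefacts. It enumerates the kernel drivers currently loaded on a Windows host, verifies each driver file's Authenticode signature, records the signer, and reports whether HVCI is actually running. The function names (`Get-HvciState`, `Resolve-DriverPath`, `Get-LoadedDriverAudit`) are this example's own, and it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session.

```powershell
# Added example (not from the original report): audit the kernel drivers currently
# loaded on a Windows host, report each driver's Authenticode status and signer,
# and show whether HVCI (memory integrity) is running.
# Assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session.

function Get-HvciState {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unknown' }
    if ($dg.SecurityServicesRunning -contains 2) { return 'Running' }
    return 'NotRunning'
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName arrives in several NT-style forms; normalise to a Win32 path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                 # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # \SystemRoot\...   -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) {                 # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-LoadedDriverAudit {
    # Only drivers in the Running state are of interest: those are the ones in kernel memory now.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
               Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A running driver whose image cannot be found on disk deserves a look on its own.
            [pscustomobject]@{ Name = $d.Name; Path = $d.PathName; Status = 'PathNotFound'; Signer = $null; Flag = 'REVIEW' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # REVIEW      : signature missing, broken or untrusted
        # THIRD-PARTY : technically valid signature, but not from Microsoft (the case the report describes)
        # OK          : valid Microsoft signature
        $flag = if ($sig.Status -ne 'Valid') { 'REVIEW' } elseif ($signer -notmatch 'O=Microsoft Corporation') { 'THIRD-PARTY' } else { 'OK' }
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = [string]$sig.Status; Signer = $signer; Flag = $flag }
    }
}

"HVCI: $(Get-HvciState)"
Get-LoadedDriverAudit | Sort-Object Flag, Name | Format-Table -AutoSize
```

A THIRD-PARTY result is not evidence of compromise by itself: hardware vendors and EDR products ship validly signed drivers too. It is the list a responder compares against the host's expected driver inventory and against Microsoft's vulnerable-driver blocklist, because, as the report observes, a valid signature is exactly what lets a rootkit driver load under HVCI. Most inbox Windows drivers are catalog-signed rather than embedded-signed; Windows PowerShell 5.1 and later validate catalog signatures, older versions may report them as NotSigned.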
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1106 | Native API | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass UAC |
| Defense Evasion | T1014 | Rootkit | — |
| Defense Evasion | T1055.004 | Process Injection | APC Injection |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Command & Control | T1071.001 | Application Layer Protocol | Web Protocols (HTTP/HTTPS) |
| Impact | T1499 | Endpoint Denial of Service | — |
| Impact | T1490 | Inhibit System Recovery | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Defense Evasion | E1014 | Rootkit |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Persistence | F0010 | Kernel Modules and Extensions |
| Command and Control | B0030 | C2 Communication |
REFERENCES:
The following report contains further technical details:
https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/