Check Point Research dissects the modular ValleyRAT (aka Winos/Winos4.0) backdoor, reverse engineering leaked builder artifacts and mapping all main plugins, including an embedded kernel-mode rootkit. The analysis highlights kernel-to-user-mode APC-based shellcode injection, kernel-level forced deletion of AV/EDR drivers, validly signed drivers that still load on fully updated Windows 11, and a rapid surge in in-the-wild samples since the builder leak. #ValleyRAT #SilverFox
Keypoints
- Researchers obtained publicly leaked ValleyRAT builder and development artifacts (Visual Studio solutions/project files) and used them to map and reverse engineer all main plugins.
- ValleyRAT is modular with 19 main plugins (32‑ and 64‑bit variants) providing extensive remote access functionality (remote shell, screen/audio capture, keylogger, proxying, DDoS, file management, etc.).
- The Driver Plugin embeds a 64‑bit kernel rootkit (derived from the open‑source Hidden project) that implements device/minifilter/registry hooks, IOCTL control, and an APC‑based user‑mode shellcode injector.
- The rootkit includes ForceDeleteFile(), a kernel-level routine that forcibly deletes AV/EDR drivers and other files through direct IRP calls, and can switch the driver service's start type to SERVICE_SYSTEM_START so the driver loads during kernel initialization, before user-mode security products start.
- Several rootkit samples were signed with certificates that fall under Windows' legacy driver-signing exception (cross-signed certificates issued before the July 2015 cutoff are still accepted without Microsoft attestation signing), so they load on fully updated Windows 11 systems; some of these drivers initially evaded detection and were not on the Microsoft vulnerable driver blocklist.
- Detection telemetry shows ~6,000 ValleyRAT-related samples between November 2024 and November 2025, ~85% of them in the last six months of that window, coinciding with the public builder release.
- Public availability of the builder and development artifacts undermines attribution (previously linked to Chinese‑speaking actors like Silver Fox) as anyone can compile, modify, and deploy ValleyRAT.
MITRE Techniques
- [T1055] Process Injection – APC-based user‑mode shellcode injection from kernel: ‘APC-based injection’ and ‘UMInjection() introduces kernel-mode to user-mode APC-based shellcode injection.’
- [T1547.006] Boot or Logon Autostart Execution: Kernel Modules and Extensions (formerly T1215) – Kernel-mode rootkit/driver used as minifilter/registry filter and kernel device: ‘the embedded 64-bit driver… functions as a Windows kernel device, a file system minifilter, a registry filter, and a process/thread monitoring driver.’
- [T1543.003] Create or Modify System Process: Windows Service – Driver installed as a kernel service and service start type modified for persistence: ‘install[s] it as a kernel service named kernelquick’ and ‘SetDriverStartType_SystemStart()… switching service start type.’
- [T1071] Application Layer Protocol – C2 communications using TCP/UDP channels for plugin/control traffic: ‘All plugins are capable of establishing TCP or UDP connections to a specified C2 host and exchanging plugin-specific serialized data.’
- [T1027] Obfuscated Files or Information – Custom XOR‑based encryption used for plugin/command data in transit: ‘typically encrypted using custom XOR-based schemes.’
- [T1112] Modify Registry – Driver and client read/write configuration and hiding rules under registry keys and use the registry for shellcode storage: ‘the client stores the operator-provided shellcode inside HKLM\SOFTWARE\IpDates’ and ‘writes the initial configuration values… HKLM\SYSTEM\CurrentControlSet\Services\kernelquick.’
- [T1485] Data Destruction – Kernel-level forced deletion of AV/EDR drivers and other files via direct IRP calls (where the target is a security product this is also T1562.001 Impair Defenses: Disable or Modify Tools): ‘ForceDeleteFile()… direct kernel IRP calls’ and Appendix A listing targeted EDR/AV driver paths.
Indicators of Compromise
- [File Hash – SHA‑256] ValleyRAT main binaries and rootkit driver – example: rootkit driver 64-bit 2aa029088c04eb10b056c18fcc39395936e6f01ee9ebdeed2558e4899116ee86, Driver Plugin.dll (64-bit) 14b85b07bfdd134e709ff973871d75d33ecca964457373b76b34a70183c2b1d0, and 36 more hashes from Appendix B.
- [File Name] Main plugins and builder – example: Driver Plugin.dll (main plugin), Quick.exe (builder/C2 panel).
- [Service Name] Kernel driver service – example: kernelquick (installed service name for the rootkit driver).
- [Registry Key] Configuration and shellcode storage – example: HKLM\SOFTWARE\IpDates (user-mode shellcode storage), HKLM\SYSTEM\CurrentControlSet\Services\kernelquick (driver/service configuration).
- [File Path] Targeted EDR/AV driver files (ForceDeleteFile targets) – example: C:\Windows\System32\drivers\DsArk64.sys (Qihoo 360), C:\Windows\System32\drivers\klhk.sys (Kaspersky Lab), and many other vendor driver paths listed in Appendix A.
- [Domain / Repository] Leaked builder and development artifacts – example: https://github.com/GkaMei/winos4.0 (ValleyRAT builder), https://github.com/Logkiss/Rat-winos4.0-gh0st/tree/master/银狐Winos (development structure), and the related site https://www.sun-rat.com/ (Sun‑RAT demo/website).
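A live-host triage script for the indicators above, added here as an example; it is not code from the Check Point report or from ValleyRAT. It checks the kernelquick service and its start type, the HKLM\SOFTWARE\IpDates staging key, the two published driver hashes, and the two Appendix A driver paths quoted on this page, and adds one generic hunt for the persistence pattern described in the report (system-start drivers whose Authenticode signer is not Microsoft). The generic hunt and the missing-driver check are heuristics of my own, not findings from the report; an elevated PowerShell 5.1 or later session is assumed.

```powershell
# Added host-triage example (not code from the Check Point report or from ValleyRAT itself).
# Run in an elevated PowerShell 5.1+ session. Indicators are only those quoted on this page;
# the AV driver list holds the two Appendix A entries named here, extend it from the report.

$KnownBadSha256 = @(
    '2AA029088C04EB10B056C18FCC39395936E6F01EE9EBDEED2558E4899116EE86',  # rootkit driver (64-bit)
    '14B85B07BFDD134E709FF973871D75D33ECCA964457373B76B34A70183C2B1D0'   # Driver Plugin.dll (64-bit)
)
$ServiceName   = 'kernelquick'
$ShellcodeKey  = 'HKLM:\SOFTWARE\IpDates'
$ServiceKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$AvDriverPaths = @(
    'C:\Windows\System32\drivers\DsArk64.sys',  # Qihoo 360
    'C:\Windows\System32\drivers\klhk.sys'      # Kaspersky Lab
)

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Driver service: presence, start type (1 = SERVICE_SYSTEM_START) and image path.
if (Test-Path $ServiceKey) {
    $svc = Get-ItemProperty -Path $ServiceKey
    Add-Finding 'service' ('{0} present: Start={1} Type={2} ImagePath={3}' -f $ServiceName, $svc.Start, $svc.Type, $svc.ImagePath)
    if ($svc.Start -eq 1) { Add-Finding 'service' "$ServiceName start type is SERVICE_SYSTEM_START" }
}

# 2. Registry key the client uses to stage operator-supplied shellcode.
if (Test-Path $ShellcodeKey) {
    $names = (Get-Item -Path $ShellcodeKey).GetValueNames()
    Add-Finding 'registry' ('{0} present with {1} value(s): {2}' -f $ShellcodeKey, $names.Count, ($names -join ', '))
}

# 3. Hash every .sys in the drivers directory against the published SHA-256 values.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and ($KnownBadSha256 -contains $h)) {
            Add-Finding 'hash' ('{0} matches ValleyRAT SHA-256 {1}' -f $_.FullName, $h)
        }
    }

# 4. Heuristic hunt for the persistence pattern: system-start drivers whose Authenticode signer
#    is not Microsoft. A driver signed under the legacy signing exception still reports Status=Valid
#    here, so "Valid" alone is not a clean bill of health; review the signer and the image path.
Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.StartMode -eq 'System' } | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', ''                      # strip the \??\ NT prefix
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"      # expand \SystemRoot\ if present
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($signer -notmatch 'Microsoft') {
            Add-Finding 'system-start driver' ('{0} ({1}) signer={2} status={3}' -f $_.Name, $path, $signer, $sig.Status)
        }
    }
}

# 5. ForceDeleteFile symptom: a listed AV/EDR driver missing from a host where that product is installed.
#    Absence is informational only; correlate with the installed security product before acting on it.
foreach ($p in $AvDriverPaths) {
    if (-not (Test-Path -LiteralPath $p)) { Add-Finding 'av-driver' "$p not present" }
}

if ($findings.Count -eq 0) { 'No ValleyRAT indicators from this page were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Checks 1 to 3 are exact matches on the page's indicators and are high confidence; check 4 will list legitimate third-party drivers (hypervisor, storage, AV vendors themselves) and is meant as a review list, not an alert, and check 5 only means something on a host where the corresponding vendor product is known to be installed.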
Read more: https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/