Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
TLP: WHITE | Author: PetrP.73 | Created: 2025-12-11 | Modified: 2025-12-11
124 IOCs (high volume)
Check Point Research published a detailed technical analysis of the ValleyRAT malware, also tracked as Winos or Winos4.0. The report concentrates on ValleyRAT's modular architecture and plugin system, and on the likely widening of its deployment now that its builder has been released publicly. Of particular note is the kernel-mode rootkit shipped in the malware's "Driver Plugin": the driver carries a valid signature, so it still loads on fully updated Windows 11 systems and sidesteps the platform's native driver-signing protections. For defenders, the practical consequence is that a valid Authenticode signature on a loaded driver is not, by itself, evidence that the driver is benign.
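The following hunting check is an added example for the signed-driver claim above; it is not code from Check Point Research or from the OTX pulse. The page reproduces no driver hashes or certificate details, so the script uses no ValleyRAT-specific indicators: it inventories the kernel drivers currently loaded, records each one's signature status, signer and SHA256, and surfaces the cases a human should look at first. The function name, the normalisation of Win32_SystemDriver path formats, and the elevated Windows 10/11 session it assumes are all this example's own.

```powershell
# Added hunting example (not from the Check Point report or the OTX pulse).
# Assumptions: Windows 10/11, elevated PowerShell session, no family-specific
# indicators available. This is a signed-driver triage list, not a ValleyRAT detector.

function Get-LoadedDriverInventory {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver reports NT-style paths (\SystemRoot\..., \??\C:\...,
            # or a bare system32\...); normalise them to paths the file cmdlets accept.
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                SHA256     = $hash
                SigStatus  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                CertExpiry = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
                StdPath    = $path -like "$env:SystemRoot\system32\drivers\*"
            }
        }
}

$inventory = Get-LoadedDriverInventory

# A rootkit signed with a legitimately issued (or stolen) certificate reports
# SigStatus = Valid, and on a Secure Boot host almost every driver is
# Microsoft-countersigned, so neither field separates good from bad on its own.
# Surface the cases worth a look first: anything not Valid and anything loaded
# from outside system32\drivers. The rest still deserves hash matching below.
$inventory |
    Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.StdPath } |
    Sort-Object SigStatus, StdPath |
    Format-Table Name, SigStatus, StdPath, Signer, Path -AutoSize

# The SHA256 column exists to match against the pulse's FileHash-SHA256 entries
# (124 IOCs in the full pulse; none are reproduced on this page). Example pivot,
# with $pulseSha256List loaded from the pulse export (assumed variable):
#   $inventory | Where-Object { $_.SHA256 -in $pulseSha256List }
```

Run it elevated; the inventory itself is harmless to collect on a live host. Treat the filtered table as a triage queue rather than a verdict: a driver that is validly signed and sits in the standard path can still be the rootkit the report describes, which is exactly why the hash pivot against the pulse's FileHash-SHA256 indicators is the step that actually confirms a match.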
Indicators of Compromise (3 of 124 shown)
Indicator types present in the full pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain, hostname

TYPE  INDICATOR                                  DESCRIPTION  CREATED
URL   https://lief.re/                           -            2025-12-11
URL   https://www.angusj.com/resourcehacker/     -            2025-12-11
URL   https://www.sun-rat.com/                   -            2025-12-11

Note on the visible entries: https://lief.re/ is the homepage of the LIEF binary-instrumentation library and https://www.angusj.com/resourcehacker/ is the homepage of Resource Hacker, both legitimate analysis tools that a report on ValleyRAT would cite as tooling. OTX pulses routinely sweep such reference URLs into the IOC list alongside genuine infrastructure, so review each URL entry before feeding the pulse into a blocklist or an alerting rule; the file hashes in the remaining 121 indicators are the entries worth matching automatically.