ValleyRAT, also known as Winos or Winos4.0, has emerged as one of the most sophisticated backdoors targeting organizations worldwide.
This modular malware family represents a significant threat to Windows systems, particularly Windows 11 installations running the latest security patches.
The threat landscape has shifted dramatically following the public leak of the ValleyRAT builder and its development structure, making the malware accessible to a broader range of threat actors beyond the Chinese-speaking groups historically associated with its deployment.
The malware’s attack vectors are particularly concerning because they operate at multiple system levels. ValleyRAT is a comprehensive remote access trojan that can deploy various plugins to compromise victim systems.
Initial infection typically begins with first-stage plugins such as the Online Module or Login Module, which act as beacons to the command-and-control server.
These initial stages retrieve and load additional specialized plugins, allowing operators to expand their foothold within compromised networks progressively.
The attacker determines which victims warrant deployment of more advanced components, meaning many infected systems only receive basic functionality. The architecture demonstrates a sophisticated understanding of Windows internals.
Check Point security analysts identified that the malware’s developers possess deep knowledge of kernel-mode and user-mode mechanisms, revealing a tightly coordinated development team rather than loosely assembled contributors.
The consistency across different modules suggests a small, specialized group with advanced reverse-engineering capabilities.
The Kernel Rootkit Mechanism
The most alarming component is ValleyRAT’s embedded kernel-mode rootkit driver, contained within the Driver Plugin.
This rootkit can retain valid signatures and remain loadable on fully updated Windows 11 systems, effectively bypassing modern protection features.
The technique represents a real-world security gap that concerns defenders globally.
Check Point researchers found that approximately 85 percent of detected ValleyRAT samples were observed in the last six months, directly correlating with the builder’s public release.
The rootkit implements stealthy driver installation capabilities combined with user-mode shellcode injection via asynchronous procedure calls.
The malware forcibly deletes antivirus and endpoint detection and response drivers from systems, specifically targeting security solutions from vendors such as Qihoo 360, Huorong Security, Tencent, and Kingsoft Corporation.
This aggressive removal of security tools creates an unsecured environment where the attacker can operate freely.
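One defender-side check suggested by the driver-removal behaviour described above, as an added example in PowerShell that is not part of the article or of Check Point's research: it verifies that the security drivers you expect are still registered, running and present on disk, and lists recently installed kernel drivers not signed by Microsoft for review. The names in $ExpectedDrivers are placeholders, not real vendor driver names.

```powershell
# Added example (not from the article): health check for security drivers that a
# rootkit may have forcibly removed, plus a review list of new third-party drivers.
# $ExpectedDrivers holds PLACEHOLDER names; replace them with the kernel driver service
# names your own AV/EDR product registers (see: Get-CimInstance Win32_SystemDriver).
param(
    [string[]] $ExpectedDrivers = @('PLACEHOLDER_EDR_DRIVER', 'PLACEHOLDER_AV_DRIVER')
)

$loaded   = Get-CimInstance -ClassName Win32_SystemDriver
$findings = @()

# Normalise the NT-style paths WMI reports (\??\C:\... or \SystemRoot\...) to Win32 paths.
function Convert-DriverPath([string] $PathName) {
    return $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
}

foreach ($name in $ExpectedDrivers) {
    $drv = $loaded | Where-Object { $_.Name -eq $name }
    if (-not $drv) {
        # The service entry is gone entirely, consistent with forcible removal.
        $findings += [pscustomobject]@{ Driver = $name; Issue = 'service entry missing' }
        continue
    }
    if ($drv.State -ne 'Running') {
        $findings += [pscustomobject]@{ Driver = $name; Issue = "state is $($drv.State)" }
    }
    if ($drv.PathName -and -not (Test-Path -LiteralPath (Convert-DriverPath $drv.PathName))) {
        # The registry entry survived but the .sys file on disk did not.
        $findings += [pscustomobject]@{ Driver = $name; Issue = 'binary missing on disk' }
    }
}

# Second check: kernel drivers created in the last 7 days whose signer is not Microsoft.
# A rootkit driver carrying a valid third-party signature still appears here for review.
$cutoff = (Get-Date).AddDays(-7)
foreach ($drv in ($loaded | Where-Object { $_.State -eq 'Running' -and $_.PathName })) {
    $path = Convert-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if ((Get-Item -LiteralPath $path).CreationTime -lt $cutoff) { continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($signer -notmatch 'Microsoft') {
        $findings += [pscustomobject]@{ Driver = $drv.Name; Issue = "new driver signed by $signer" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No anomalies found.' }
```

Run it from an elevated prompt on a schedule; any row in the output is a prompt to compare against your change records, not proof of infection on its own.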
The public availability of the builder and development structure fundamentally transforms the threat landscape.
Attribution becomes increasingly complex since any actor can now compile, modify, and deploy ValleyRAT independently.
The transition from an actor-linked threat to an openly available malware framework signals that future activity will likely accelerate, with more threat groups experimenting with the leaked tooling.
Organizations must implement robust detection systems and maintain updated security measures to counter this evolving threat.
