A sophisticated cyber weapon previously linked to targeted espionage has gone rogue, flooding the threat landscape after its creation tools were leaked to the public. A new report from Check Point Research (CPR) reveals that ValleyRAT, a potent modular backdoor also known as Winos, is no longer the exclusive tool of a single group but has become a dangerous commodity for cybercriminals worldwide.
The malware landscape has shifted dramatically in the last half-year. According to CPR, the exclusivity of ValleyRAT ended the moment its builder—the software used to generate the malware—was leaked online.
The impact was immediate and massive. “The detection statistics for ValleyRAT plugins in the wild (ITW)… highlight the recent surge in ValleyRAT usage, with approximately 85% of detected samples appearing in the last six months, coinciding with the public release of the builder”.
This effectively means that a military-grade cyber weapon is now available to the lowest bidder, leading to what researchers describe as an “active and accelerating presence in the wild”.
ValleyRAT is not your average malware; it is a masterclass in Windows internals. The report highlights the “advanced skills of the developers behind ValleyRAT, demonstrating deep knowledge of Windows kernel and user-mode internals”.
The most alarming component is its Driver Plugin, a kernel-mode rootkit designed to subvert the operating system’s deepest security layers. In a concerning finding for enterprise defenders, CPR noted that this component “retains valid signatures and remains loadable on fully updated Windows 11 systems, bypassing built-in protection features”.
Once inside, the malware wields frightening capabilities, including “stealthy driver installation, user-mode shellcode injection via APCs, and forceful deletion of AV/EDR drivers”.
Historically, spotting ValleyRAT on a network pointed to specific Chinese-affiliated threat actors, such as the group known as Silver Fox.
“The public availability of both the builder and the source code complicates attribution,” the report warns. With the tool now in the hands of the broader cybercriminal community, “anyone can now compile, modify, and deploy ValleyRAT independently, blurring previous indicators and making traditional attribution approaches far less meaningful”.
The transition of ValleyRAT from a proprietary tool to a public framework represents a significant escalation in the threat landscape. As more actors experiment with the leaked tooling, organizations must prepare for a wave of sophisticated attacks that leverage these advanced, previously exclusive capabilities.
“ValleyRAT has effectively transitioned from a previously actor-linked threat to an openly available malware framework,” Check Point concludes.