Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
ID: 597bafe6-b6d8-5d55-8872-5ece5e3658ba
STIX ID: report--597bafe6-b6d8-5d55-8872-5ece5e3658ba
Feed Name: Check Point Research
Check Point Research dissects the ValleyRAT (Winos) modular backdoor and its embedded 64-bit kernel rootkit, using leaked builder and development artifacts to reverse engineer its 19 main plugins and the driver. The report details stealthy driver installation (including a MalSeclogon-based stealth mode), APC-based user-mode shellcode injection, a kernel ForceDeleteFile routine that targets many AV/EDR drivers, compilation and signing artifacts, IOCs (file hashes), and in-the-wild detection statistics showing roughly 6,000 related samples, with a recent surge after the builder leak.
