Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits

Jiří Vinopal

When a leaked malware builder puts a kernel-capable rootkit in the hands of anyone willing to use it, the threat landscape shifts overnight. This talk presents Check Point Research's comprehensive reverse engineering of ValleyRAT (also known as Winos/Winos4.0), tracing how the leaked builder exposed a sophisticated plugin ecosystem — including a stealthy kernel-mode rootkit whose driver remains validly signed and loads without issue on the latest Windows 11 builds. We'll break down the rootkit's most dangerous capabilities, from coercive deletion of AV/EDR drivers to APC-based shellcode injection, and show that roughly 85% of the plugin samples detected to date appeared in just the six months following the leak. The result: a tool once linked to specialized Chinese-speaking threat actors has become an accessible, largely unattributable offensive platform — with serious implications for defenders and intelligence analysts alike.