S0476: Valak
Analyst context for executives and security teams
Valak matters because MITRE describes it as Windows-based, multi-stage modular malware that can act as either an information stealer or a downloader. For leaders, the practical issue is not just one malware name; it is whether the organization can detect and respond to a chain that may begin with script execution, perform host and account discovery, persist through scheduled tasks or registry changes, communicate over web protocols with fallback or multi-stage channels, collect data, and potentially bring in additional tools.
Executive priority
Prioritize Valak as a readiness test for Windows endpoint visibility, email-delivered malware response, command-and-control detection, and data collection/exfiltration monitoring. Because the relationship context includes use by TA551, a financially motivated group associated with email-based malware distribution campaigns, security leaders should ask whether SOC, IR, and compliance teams can produce evidence for endpoint execution, persistence, credential/account discovery, collection, and outbound web communications during an investigation. Budget and control decisions should focus on closing telemetry gaps rather than relying on a single malware signature.
Technical view
Validate coverage across the behaviors MITRE associates with Valak: PowerShell and JavaScript execution, WMI, scheduled tasks, registry query and modification, obfuscated or packed content, fileless storage, host/user/account/process/network discovery, web-protocol C2, fallback and multi-stage channels, ingress tool transfer, screen capture, remote email collection, automated collection, and exfiltration over C2. Since no official detection text is provided, detection engineering should map local analytics to these related techniques and confirm that Windows endpoint, script, registry, task scheduler, WMI, process, and network telemetry can be correlated into a single incident narrative.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell logging and script block/module evidence where available
- Windows Script Host or JavaScript/JScript execution evidence
- WMI activity logs and process relationships
- Scheduled task creation, modification, and execution events
Detection direction
- Use behavior-based detections mapped to the related ATT&CK techniques rather than depending only on Valak-specific indicators.
- Correlate script execution, WMI, scheduled task, and registry activity with subsequent discovery and outbound web communications.
- Tune for administrative false positives: WMI, PowerShell, registry access, scheduled tasks, and account discovery are common in legitimate operations, so detections should consider parent process, user context, destination, timing, and sequence.
- Validate visibility into multi-stage and fallback C2 patterns, including repeated outbound web traffic from unusual processes or changing destinations.
- Review whether email collection and Office Suite-related telemetry is available, because MITRE maps Valak to remote email collection, but local evidence is required to determine applicability.
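The correlation the bullets above call for, written out as an added example (not Glexia or MITRE code) over constructed sample telemetry: a script interpreter process followed within a time window by scheduled-task or registry persistence and an outbound web connection from a non-browser process. The process sets and the log line format are assumptions to be tuned locally.

```python
# Added example: correlate script execution -> persistence -> outbound web
# activity on one host, the sequence the detection guidance describes.
from datetime import datetime, timedelta

# Interpreters/LOLBins tied to techniques on this page (assumption: tune locally).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "regsvr32.exe", "wmic.exe"}
# Processes for which outbound HTTP(S) is expected and should not raise the score.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

def parse(line):
    """Parse a constructed 'ts|host|type|process|detail' telemetry line."""
    ts, host, etype, proc, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype,
            "proc": proc.lower(), "detail": detail}

def correlate(lines, window_min=30):
    """Return one finding per host where a script interpreter start is followed,
    within window_min minutes, by task/registry persistence AND a web connection
    from a non-browser process. Either alone is common admin noise."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for host in sorted({e["host"] for e in events}):
        ev = [e for e in events if e["host"] == host]
        starts = [e for e in ev if e["type"] == "process_create" and e["proc"] in SCRIPT_HOSTS]
        for start in starts:
            end = start["ts"] + timedelta(minutes=window_min)
            window = [e for e in ev if start["ts"] <= e["ts"] <= end]
            persist = [e for e in window if e["type"] in ("task_create", "registry_set")]
            web = [e for e in window if e["type"] == "net_connect" and e["proc"] not in BROWSERS]
            if persist and web:
                findings.append({"host": host, "start": start["proc"],
                                 "persist": [e["type"] for e in persist],
                                 "web": [e["proc"] for e in web]})
                break  # one finding per host is enough to open a triage ticket
    return findings

SAMPLE = [  # constructed sample lines, not real telemetry
    "2020-06-01T09:00:00|ws01|process_create|wscript.exe|parent=winword.exe",
    "2020-06-01T09:00:05|ws01|registry_set|wscript.exe|key=HKCU\\Software\\<constructed>",
    "2020-06-01T09:00:20|ws01|task_create|wscript.exe|task=<constructed>",
    "2020-06-01T09:01:00|ws01|net_connect|wscript.exe|dst=198.51.100.10:80",
    "2020-06-01T09:00:00|ws02|process_create|powershell.exe|parent=explorer.exe",
    "2020-06-01T09:05:00|ws02|net_connect|msedge.exe|dst=203.0.113.5:443",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```

Only ws01 is reported: ws02 ran PowerShell but showed neither persistence nor non-browser web traffic inside the window.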
Mitigation priorities
- Harden and monitor Windows scripting, WMI, scheduled tasks, and registry modification paths according to business need and least privilege.
- Improve endpoint and network logging before relying on malware-family-specific detections, since MITRE provides no official detection guidance for this object.
- Restrict unnecessary script interpreter use and administrative tooling exposure where operationally feasible.
- Apply egress monitoring and filtering controls that make web-protocol C2, fallback channels, and ingress tool transfer easier to identify and contain.
- Strengthen email-security and user-reporting workflows in environments concerned about email-based malware distribution, consistent with the TA551 relationship context.
Analyst notes and limits
The supplied ATT&CK object identifies Valak as Windows malware with multi-stage modular behavior and information-stealing or downloader capability. The most useful defensive interpretation is to treat it as a coverage exercise across execution, discovery, persistence, defense evasion, command and control, collection, and exfiltration behaviors represented by its related techniques. Relationship context links TA551 as a group that uses Valak, but this take does not infer current activity or customer exposure.
MITRE provides no official detection text, no aliases, and no explicit tactics on the malware object itself. Several related techniques list platforms beyond Windows, but the Valak object platform supplied here is Windows; platform-specific claims should therefore be validated locally. External reporting is referenced but not expanded beyond the supplied citation metadata.
Valak
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | Valak has the ability to modify the Registry key |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1057 | Process Discovery | Valak has the ability to enumerate running processes on a compromised host. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | Valak has the ability to save and execute files as alternate data streams (ADS). (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1027 | Obfuscated Files or Information | Valak has the ability to base64 encode and XOR encrypt strings. (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Valak has used |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Valak has used HTTP in communications with C2. (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1104 | Multi-Stage Channels | Valak can download additional modules and malware capable of using separate C2 channels. (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1008 | Fallback Channels | Valak can communicate over multiple C2 hosts. (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Valak can determine if a compromised host has security products installed. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Valak has been executed via Microsoft Word documents containing malicious macros. (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1113 | Screen Capture | Valak has the ability to take screenshots on a compromised host. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Valak can gather information regarding the user. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Valak can execute tasks via OLE. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1059.007 | JavaScript Sub-technique | Valak can execute JavaScript containing configuration data for establishing persistence. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1082 | System Information Discovery | Valak can determine the Windows version and computer name on a compromised host. (Citation: Cybereason Valak May 2020) (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Valak has been delivered via spearphishing e-mails with password protected ZIP files. (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1119 | Automated Collection | Valak can download a module to search for and build a report of harvested credential data. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Valak has the ability to exfiltrate data over the C2 channel. (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | Valak can use the clientgrabber module to steal e-mail credentials from the Registry. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Valak has used packed DLL payloads. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Valak has the ability to store information regarding the C2 server and downloads in the Registry key |
| Enterprise | T1012 | Query Registry | Valak can use the Registry for code updates and to collect credentials. (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host. (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Valak has the ability to decode and decrypt downloaded files. (Citation: Cybereason Valak May 2020) (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Valak has returned C2 data as encoded ASCII. (Citation: Unit 42 Valak July 2020) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Valak has the ability to enumerate domain admin accounts. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1087.001 | Local Account Sub-technique | Valak has the ability to enumerate local admin accounts. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Valak has used PowerShell to download additional modules. (Citation: Cybereason Valak May 2020) |
| Enterprise | T1047 | Windows Management Instrumentation | Valak can use |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Valak has been delivered via malicious links in e-mail. (Citation: SentinelOne Valak June 2020) |
Groups, software, and campaigns
G0127: TA551
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | a6dcffdbba53… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason Valak May 2020: Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
[2] Unit 42 Valak July 2020: Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
[3] mitre-attack S0476
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.