S0476: Valak
Analyst context for executives and security teams
Valak matters because MITRE describes it as Windows-based, multi-stage modular malware that can act as either an information stealer or a downloader. For leaders, the practical issue is not just one malware name; it is whether the organization can detect and respond to a chain that may begin with script execution, perform host and account discovery, persist through scheduled tasks or registry changes, communicate over web protocols with fallback or multi-stage channels, collect data, and potentially bring in additional tools.
Executive priority
Prioritize Valak as a readiness test for Windows endpoint visibility, email-delivered malware response, command-and-control detection, and data collection/exfiltration monitoring. Because the relationship context includes use by TA551, a financially motivated group associated with email-based malware distribution campaigns, security leaders should ask whether SOC, IR, and compliance teams can produce evidence for endpoint execution, persistence, credential/account discovery, collection, and outbound web communications during an investigation. Budget and control decisions should focus on closing telemetry gaps rather than relying on a single malware signature.
Technical view
Validate coverage across the behaviors MITRE associates with Valak: PowerShell and JavaScript execution, WMI, scheduled tasks, registry query and modification, obfuscated or packed content, fileless storage, host/user/account/process/network discovery, web-protocol C2, fallback and multi-stage channels, ingress tool transfer, screen capture, remote email collection, automated collection, and exfiltration over C2. Since no official detection text is provided, detection engineering should map local analytics to these related techniques and confirm that Windows endpoint, script, registry, task scheduler, WMI, process, and network telemetry can be correlated into a single incident narrative.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell logging and script block/module evidence where available
- Windows Script Host or JavaScript/JScript execution evidence
- WMI activity logs and process relationships
- Scheduled task creation, modification, and execution events
Detection direction
- Use behavior-based detections mapped to the related ATT&CK techniques rather than depending only on Valak-specific indicators.
- Correlate script execution, WMI, scheduled task, and registry activity with subsequent discovery and outbound web communications.
- Tune for administrative false positives: WMI, PowerShell, registry access, scheduled tasks, and account discovery are common in legitimate operations, so detections should consider parent process, user context, destination, timing, and sequence.
- Validate visibility into multi-stage and fallback C2 patterns, including repeated outbound web traffic from unusual processes or changing destinations.
- Review whether email collection and Office Suite-related telemetry are available: MITRE maps Valak to remote email collection, but local evidence is required to determine whether that behavior applies in a given environment.
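The correlation called for above (script execution, persistence, registry and discovery activity from one process lineage, followed by outbound web traffic) can be sketched as a small detection routine. The following is an added example written for this page, not code from MITRE, Glexia or any Valak report. It runs over constructed, Sysmon-style records (event_id 1 = process create, 3 = network connection, 13 = registry value set); the host names, pids, key path and IP addresses are made up, and the process-name sets are assumptions to be replaced with local baselines. It also shows the false-positive handling the list asks for: an administrator's PowerShell session that performs discovery and makes an HTTPS connection does not alert, because the chain is only opened by a script host spawned from an Office parent.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names grouped by the ATT&CK behaviour they usually indicate.
# These sets are assumptions for the demonstration; tune them locally.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
DISCOVERY_BINARIES = {"whoami.exe", "net.exe", "tasklist.exe", "ipconfig.exe", "systeminfo.exe"}
PERSISTENCE_BINARIES = {"schtasks.exe", "reg.exe"}
WEB_PORTS = {80, 443}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window_seconds=600):
    """Return one finding per (host, root process) where an Office-spawned
    script host is followed, within the window, by descendant activity that
    maps to discovery, persistence, registry modification or web traffic.
    A finding needs at least three distinct stages; four or more is 'high'."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for root in evs:
            if root["event_id"] != 1 or root["image"] not in SCRIPT_HOSTS:
                continue
            if root["parent_image"] not in OFFICE_PARENTS:
                continue  # console/admin PowerShell never opens a chain
            start = _ts(root)
            lineage = {root["pid"]}  # pids descended from the root process
            stages = {"execution"}
            for e in evs:
                if not (start <= _ts(e) <= start + window):
                    continue
                if e["event_id"] == 1 and e.get("parent_pid") in lineage:
                    lineage.add(e["pid"])  # child of the chain, track it
                    if e["image"] in DISCOVERY_BINARIES:
                        stages.add("discovery")
                    elif e["image"] in PERSISTENCE_BINARIES:
                        stages.add("persistence")
                elif e["event_id"] == 13 and e["pid"] in lineage:
                    stages.add("registry")
                elif e["event_id"] == 3 and e["pid"] in lineage and e.get("dest_port") in WEB_PORTS:
                    stages.add("c2")
            if len(stages) >= 3:
                findings.append({
                    "host": host,
                    "root_pid": root["pid"],
                    "root_image": root["image"],
                    "stages": sorted(stages),
                    "severity": "high" if len(stages) >= 4 else "medium",
                })
    return findings


# Constructed sample telemetry (not real Valak data). WS-01 carries a full
# chain, WS-02 is routine administration, WS-03 is an Office-spawned script
# with no follow-on activity; only WS-01 should produce a finding.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2026-01-15T09:00:00", "event_id": 1, "pid": 100, "parent_pid": 50,
     "image": "wscript.exe", "parent_image": "winword.exe", "user": "CORP\\jdoe"},
    {"host": "WS-01", "ts": "2026-01-15T09:00:05", "event_id": 1, "pid": 101, "parent_pid": 100,
     "image": "powershell.exe", "parent_image": "wscript.exe", "user": "CORP\\jdoe"},
    {"host": "WS-01", "ts": "2026-01-15T09:00:07", "event_id": 1, "pid": 102, "parent_pid": 101,
     "image": "whoami.exe", "parent_image": "powershell.exe", "user": "CORP\\jdoe"},
    {"host": "WS-01", "ts": "2026-01-15T09:00:09", "event_id": 1, "pid": 103, "parent_pid": 101,
     "image": "schtasks.exe", "parent_image": "powershell.exe", "user": "CORP\\jdoe"},
    {"host": "WS-01", "ts": "2026-01-15T09:00:10", "event_id": 13, "pid": 101,
     "image": "powershell.exe", "target": "HKCU\\Software\\ExampleKey\\Value"},
    {"host": "WS-01", "ts": "2026-01-15T09:00:12", "event_id": 3, "pid": 101,
     "image": "powershell.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "WS-02", "ts": "2026-01-15T09:30:00", "event_id": 1, "pid": 200, "parent_pid": 60,
     "image": "powershell.exe", "parent_image": "explorer.exe", "user": "CORP\\admin"},
    {"host": "WS-02", "ts": "2026-01-15T09:30:02", "event_id": 1, "pid": 201, "parent_pid": 200,
     "image": "net.exe", "parent_image": "powershell.exe", "user": "CORP\\admin"},
    {"host": "WS-02", "ts": "2026-01-15T09:30:04", "event_id": 3, "pid": 200,
     "image": "powershell.exe", "dest_ip": "198.51.100.5", "dest_port": 443},
    {"host": "WS-03", "ts": "2026-01-15T10:00:00", "event_id": 1, "pid": 300, "parent_pid": 70,
     "image": "wscript.exe", "parent_image": "excel.exe", "user": "CORP\\asmith"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The lineage set is what turns the individual telemetry sources into one narrative: a registry write or HTTPS connection only counts when its pid descends from the Office-spawned script host, which is also why the WS-02 administrator session stays quiet. The time window and the three-stage threshold are the main tuning knobs; shortening the window to a second shows the chain collapsing back to a bare execution event.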
Mitigation priorities
- Harden and monitor Windows scripting, WMI, scheduled tasks, and registry modification paths according to business need and least privilege.
- Improve endpoint and network logging before relying on malware-family-specific detections, since MITRE provides no official detection guidance for this object.
- Restrict unnecessary script interpreter use and administrative tooling exposure where operationally feasible.
- Apply egress monitoring and filtering controls that make web-protocol C2, fallback channels, and ingress tool transfer easier to identify and contain.
- Strengthen email-security and user-reporting workflows in environments concerned about email-based malware distribution, consistent with the TA551 relationship context.
Analyst notes and limits
The supplied ATT&CK object identifies Valak as Windows malware with multi-stage modular behavior and information-stealing or downloader capability. The most useful defensive interpretation is to treat it as a coverage exercise across execution, discovery, persistence, defense evasion, command and control, collection, and exfiltration behaviors represented by its related techniques. Relationship context links TA551 as a group that uses Valak, but this take does not infer current activity or customer exposure.
MITRE provides no official detection text, no aliases, and no explicit tactics on the malware object itself. Several related techniques list platforms beyond Windows, but the Valak object platform supplied here is Windows; platform-specific claims should therefore be validated locally. External reporting is referenced but not expanded beyond the supplied citation metadata.
Valak
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1104 | Multi-Stage Channels | |
| Enterprise | T1008 | Fallback Channels | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | Valak can execute tasks via OLE. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1059.007 | JavaScript Sub-technique | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1119 | Automated Collection | Valak can download a module to search for and build a report of harvested credential data. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | Valak can use the clientgrabber module to steal e-mail credentials from the Registry. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | |
| Enterprise | T1027.002 | Software Packing Sub-technique | Valak has used packed DLL payloads. (Citation: SentinelOne Valak June 2020) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1087.002 | Domain Account Sub-technique | |
| Enterprise | T1087.001 | Local Account Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1047 | Windows Management Instrumentation | Valak can use |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Valak has been delivered via malicious links in e-mail. (Citation: SentinelOne Valak June 2020) |
Groups, software, and campaigns
G0127: TA551
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | a6dcffdbba53… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason Valak May 2020: Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- [2] Unit 42 Valak July 2020: Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- [3] mitre-attack S0476
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.