Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure
Essential information
- Published
- 10/09/2025 07:54
- Modified
- 10/09/2025 08:14
- Tags
- 2025-09-06 2025-09-10 browser credentials cryptocurrency evasion go-based infostealer maas malware-as-a-service persistence russian-speaking salat stealer web_rat windows
- Related entities
- 14 observables, 1 intrusion sets (apt), 11 techniques (mitre), 2 malware
Description
Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry run keys, and scheduled tasks for persistence and evasion. Operated under a Malware-as-a-Service model by Russian-speaking actors, it leverages resilient C2 infrastructure. The stealer targets multiple browsers, cryptocurrency wallets, and Telegram sessions. It communicates with its C2 server using UDP and HTTPS, employing domain failover mechanisms for resilience. The control panel offers remote command execution and built-in script modules for further system compromise.