Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Sept. 10, 2025, 8:14 a.m.

Description

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry run keys, and scheduled tasks for persistence and evasion. Operated under a Malware-as-a-Service model by Russian-speaking actors, it leverages resilient C2 infrastructure. The stealer targets multiple browsers, cryptocurrency wallets, and Telegram sessions. It communicates with its C2 server using UDP and HTTPS, employing domain failover mechanisms for resilience. The control panel offers remote command execution and built-in script modules for further system compromise.

External References

https://www.cyfirma.com/research/unmasked-salat-stealer-a-deep-dive-into-its-advanced-persistence-mechanisms-and-c2-infrastructure/
https://otx.alienvault.com/pulse/68c12e9f0a9ca3c3ce3cfaab
Tags
evasion
windows
infostealer
cryptocurrency
persistence
malware-as-a-service
maas
russian-speaking
browser credentials
2025-09-06
salat stealer
web_rat
go-based
2025-09-10

Date

  • Created: Sept. 10, 2025, 7:54 a.m.
  • Published: Sept. 10, 2025, 7:54 a.m.
  • Modified: Sept. 10, 2025, 8:14 a.m.

Indicators

  • 8b94f5fa94f35e5ba47ce260b009b34401c5c54042d7b7252c8c7d13bf8d9f05
  • 552e1c2ed502f652d5cd1c70fee7a81d0269d1ad6db96ad21344ff4e1e3620d5
  • 62.109.0.189
  • https://salat.cn/sa1at
  • https://salat.cn
  • http://webrat.in/login/
  • http://nyash.team/
  • webrat.top
  • webrat.su
  • webrat.ru
  • webr.at
  • posholnahuy.ru
  • pidorasina.ru
  • nyash.team
Download all indicators here!

Attack Patterns

  • WEB_RAT
  • Salat Stealer
  • NyashTeam and Kapchenka