Salat Stealer has emerged as a pervasive threat targeting Windows endpoints, with a focus on harvesting browser-stored credentials and cryptocurrency wallet data.
First detected in August 2025, this Go-based infostealer leverages a range of evasion techniques, including UPX packing and process masquerading, to slip past conventional defenses.
Its operators promote the malware through social engineering campaigns on mainstream platforms, advertising fake software cracks and game cheats that deliver the initial payload.
Upon execution, Salat Stealer silently installs itself into trusted directories under names like Lightshot.exe and Procmon.exe, blending in with legitimate processes to avoid suspicion.
Cyfirma researchers identified the malware's multi-layered approach within days of its initial sightings.
The threat employs both registry run keys and scheduled tasks to maintain persistence, creating entries under names such as RuntimeBroker and Lightshot that execute at logon and repeat every three minutes for an extended period.
Packed with UPX 4.1.0, the binary's high entropy value of 7.999 disguises its true behavior until runtime.
Dynamic analysis revealed that child processes spawn under familiar file paths (C:\Program Files (x86)\Windows NT\Lightshot.exe, for example), making detection by endpoint agents more difficult.
Cyfirma analysts noted that Salat Stealer's communication with its command-and-control (C2) infrastructure is both resilient and covert.
Initial contact uses lightweight UDP packets of roughly 45 bytes sent to IP 104.21.80.1, likely serving as keep-alive beacons.
In parallel, the stealer establishes an encrypted HTTPS channel to salat.cn/salat, with DNS resolutions pointing to 172.67.194.254 and 104.21.60.88.
When this primary domain is unreachable, a built-in JavaScript routine fetches a list of fallback domains ('webrat.in', 'webrat.top', and others) from sniff_domain_list.txt, iterating through each via calls to /alive.php until it locates an active panel for redirection.
The impact of Salat Stealer extends beyond simple credential theft, as it also targets browser extensions for cryptocurrency wallets such as MetaMask, Trust Wallet, and Phantom.
Targeting Browser Credentials (Source – Cyfirma)
By scanning the Chrome extension settings directory, the malware extracts seed phrases and private keys, putting users at risk of irreversible financial loss.
A similar approach applied to desktop wallet applications, including Electrum, Exodus, and Coinomi, allows the stealer to harvest wallet databases and configuration files.
All exfiltrated data is temporarily stored in the Temp folder under randomized filenames before transmission to the C2 panel.
Infection and Persistence Mechanisms
Salat Stealer's infection chain begins with a social engineering lure that convinces the victim to execute a malicious archive.
Upon launch, the executable unpacks itself using UPX and immediately spawns child processes that masquerade as legitimate utilities.
Command and Control Communication (Source – Cyfirma)
Persistence is achieved through dual mechanisms: registry run keys and scheduled tasks.
The following code snippet, part of the "Defender Excluder" script module available in the C2 panel, exemplifies how the malware hardens its foothold:
# Only runs where the Defender cmdlet is available (i.e. Defender is installed)
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    # Exclude the whole "Program Files (x86)" tree, where the masqueraded binaries live
    $ProgramFilesX86 = [System.Environment]::GetFolderPath("ProgramFilesX86")
    Add-MpPreference -ExclusionPath $ProgramFilesX86
    # Exclude the roaming and local AppData trees used for staging and auxiliary tools
    $AppData = [System.Environment]::GetFolderPath("ApplicationData")
    Add-MpPreference -ExclusionPath $AppData
    $LocalAppData = [System.Environment]::GetFolderPath("LocalApplicationData")
    Add-MpPreference -ExclusionPath $LocalAppData
}
This script quietly adds critical directories to Windows Defender's exclusion list, ensuring that neither the main payload nor its auxiliary tools are scanned.
Persistence Mechanism through Registry Run Keys (Source – Cyfirma)
Concurrently, scheduled task entries named Lightshot and RuntimeBroker are configured to trigger at every logon and at scheduled intervals.
By combining registry and task scheduler techniques, Salat Stealer sustains long-term access and evasion, demonstrating the growing sophistication of modern MaaS operations.
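The following hunting script is an added example, not code from Cyfirma's report or from the malware, that audits a single Windows host for the artifacts described above: broad Defender exclusions, Run-key and scheduled-task entries named Lightshot or RuntimeBroker, tasks repeating every three minutes, and the masqueraded Lightshot.exe path. It assumes it is run from an elevated PowerShell session with the Defender and ScheduledTasks modules present; the three-minute interval is matched as the ISO 8601 string "PT3M" that Task Scheduler uses.

```powershell
# Added hunting script (not from Cyfirma's report or the malware). Run elevated.
# Names, paths and the 3-minute interval come from the article; the rest is assumption.
$suspectNames = @('Lightshot', 'RuntimeBroker')
$suspectPaths = @('C:\Program Files (x86)\Windows NT\Lightshot.exe')
$findings = @()

# 1. Defender exclusions covering entire program/user-profile trees are a red flag.
$broadRoots = @('ProgramFilesX86', 'ApplicationData', 'LocalApplicationData') |
    ForEach-Object { [System.Environment]::GetFolderPath($_).TrimEnd('\') }
foreach ($ex in (Get-MpPreference).ExclusionPath) {
    if ($broadRoots -contains $ex.TrimEnd('\')) {
        $findings += "Broad Defender exclusion: $ex"
    }
}

# 2. Run keys (HKCU, HKLM, and the 32-bit view) holding the masquerading names.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($suspectNames -contains $p.Name) {
            $findings += "Run key entry $($p.Name) in $key -> $($p.Value)"
        }
    }
}

# 3. Scheduled tasks with those names, or any task that repeats every 3 minutes.
foreach ($task in Get-ScheduledTask) {
    $repeats3m = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT3M' }
    if (($suspectNames -contains $task.TaskName) -or $repeats3m) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += "Scheduled task $($task.TaskPath)$($task.TaskName) -> $action"
    }
}

# 4. Masqueraded binary in a trusted directory; hash it for later IOC matching.
foreach ($path in $suspectPaths) {
    if (Test-Path $path) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) { 'No Salat Stealer persistence artifacts found.' } else { $findings }
```

A hit on the exclusion check alone is worth triaging, since a legitimate application rarely needs the whole AppData or Program Files (x86) tree excluded from scanning.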