A newly emerged threat in the cybersecurity landscape, known as Salat malware, is causing significant concern due to its advanced capabilities and stealthy operations. Developed using the Go programming language, this malware functions as a full-fledged remote access trojan, allowing attackers to maintain extensive and persistent control over compromised systems.
Salat’s versatility sets it apart from simpler malware, as it can execute a wide array of tasks, ranging from password theft to providing real-time access to a victim’s screen and webcam. The malware’s ability to communicate with its controllers using modern protocols like QUIC and WebSocket makes it particularly challenging for security tools to detect, as it seamlessly integrates its traffic with regular internet activities.
Stealthy Communication Techniques
Salat distinguishes itself by employing cutting-edge communication methods to remain undetected. By utilizing QUIC and WebSocket protocols, the malware cleverly disguises its traffic, blending into normal network activities. This approach significantly complicates the task of identifying suspicious behavior, as these protocols are common in legitimate web services.
Researchers from DarkAtlas, who conducted a thorough analysis of Salat, released their findings on May 6, 2026. They highlighted the malware’s sophisticated design, which includes six methods for concealing internal strings and generating a unique identity for each infected machine. This level of sophistication underscores the professional planning behind Salat’s development.
Data Gathering and Persistence
Upon infiltration, Salat promptly begins gathering detailed information about the infected system, including operating system specifics, hardware configurations, and active applications. This information is encrypted and transmitted to the attacker’s server, providing them with a comprehensive understanding of the compromised machine.
The malware’s data theft capabilities are extensive, targeting browsers, cryptocurrency wallets, messaging apps, and clipboard contents. By capturing keystrokes, taking screenshots, and enabling a remote shell for command execution, Salat effectively grants full control of the infected device to its operators.
Robust Persistence Mechanisms
Salat ensures its continued presence on an infected system through multiple persistence strategies. It disguises itself with names resembling legitimate Windows processes, such as explorer.exe, and creates scheduled tasks to maintain activity. Additionally, it modifies registry keys to automatically launch upon system startup.
If its command servers become unreachable, Salat ingeniously uses the TON blockchain to obtain new server addresses, resolving them through Cloudflare’s encrypted DNS. This tactic makes it nearly impossible to completely disrupt its operation, as the blockchain remains online regardless of individual server outages.
Security experts advise monitoring for unusual outbound connections using QUIC or WebSocket protocols and inspecting hidden system files with suspicious names. Keeping endpoint security tools updated to detect Go-based malware and auditing scheduled tasks can significantly mitigate the risk of Salat infections.
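The scheduled-task and autorun audit recommended above can be partly automated. The following script is an added example, not code from the DarkAtlas analysis: it takes autostart entries (task actions or Run-key values), extracts the image path, and flags binaries that carry a well-known Windows name such as explorer.exe but run from an unexpected directory, or whose name is a homoglyph look-alike of one. The allow-list of legitimate directories and the sample entries are constructed for the example.

```python
import ntpath

# Known-good home directories for Windows binaries that malware commonly
# impersonates (assumption: a short list for the example; extend it from a clean host).
KNOWN_BINARIES = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "csrss.exe": {r"c:\windows\system32"},
}
# Homoglyph folding so that "expl0rer.exe" or "expIorer.exe" fold to "explorer.exe".
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


def image_path(command):
    """Extract the executable path from a task action or Run value,
    tolerating a quoted path followed by arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def classify(command):
    """Return a finding string if the command looks like process masquerading, else None."""
    path = image_path(command).lower()
    directory, name = ntpath.split(path)
    if name in KNOWN_BINARIES:
        if directory not in KNOWN_BINARIES[name]:
            return f"{name} launched from unexpected directory {directory}"
        return None
    folded = name.translate(FOLD)
    for known in KNOWN_BINARIES:
        if folded == known.translate(FOLD):
            return f"{name} is a look-alike of {known}"
    return None


# Constructed sample autostart entries (source, entry name, command); not real indicators.
SAMPLE_ENTRIES = [
    ("SchTask", r"Microsoft\Windows\UpdateOrchestrator", r'"C:\Windows\explorer.exe"'),
    ("SchTask", "explorer", r'"C:\Users\alice\AppData\Roaming\explorer.exe" --hidden'),
    ("RunKey", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("RunKey", "svchost", r"C:\ProgramData\svch0st.exe"),
]


def audit(entries):
    """Return [(source, entry name, finding)] for entries that look like masquerading."""
    return [(src, name, classify(cmd)) for src, name, cmd in entries if classify(cmd)]


if __name__ == "__main__":
    for source, name, finding in audit(SAMPLE_ENTRIES):
        print(f"[{source}] {name}: {finding}")
```

On a live host, feed the function the action strings from `schtasks /query /v /fo csv` and the values of the HKLM and HKCU `Run` keys; a directory allow-list built from a known-clean reference machine keeps false positives low.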
Conclusion
The emergence of Salat malware highlights the evolving complexity and sophistication of cyber threats. Its use of modern protocols and robust persistence mechanisms poses significant challenges for cybersecurity professionals. Vigilant monitoring and proactive security measures are crucial to protecting systems from such advanced threats.
