
Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

Salat Stealer, a sophisticated Go-based infostealer targeting Windows systems, has been identified. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry run keys, and scheduled tasks for persistence and evasion. Operated under a Malware-as-a-Service model by Russian-speaking actors, it leverages resilient C2 infrastructure. The stealer targets multiple browsers, cryptocurrency wallets, and Telegram sessions. It communicates with its C2 server using UDP and HTTPS, with multiple fallback domains for redundancy. The control panel supports real-time interaction through WebSockets and includes features for remote command execution and system manipulation.

OPENCTI LABELS :

infostealer,windows,evasion,cryptocurrency,persistence,malware-as-a-service,browser credentials,salat stealer,web_rat,go-based


AI COMMENTARY :

1. Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer has emerged as a formidable infostealer written in Go, engineered to siphon sensitive data from Windows systems. This report unveils the inner workings of a malware sample that operates under a Malware-as-a-Service model, offering threat actors a turnkey solution for credential theft, cryptocurrency exfiltration, and session hijacking. Our analysis dissects its components, highlights evasion strategies, and maps the resilient command and control infrastructure that underpins its operations.

2. Technical Architecture and Payload Delivery

Tracked as a web_rat variant, Salat Stealer begins its infection chain through social engineering or drive-by downloads. Once executed, the UPX-packed binary unpacks itself in memory to release a multi-threaded Go-based payload. The stealer probes the victim's environment for popular browsers, cryptocurrency wallets, and messaging applications, then loads only the modules needed to harvest their credentials and session tokens. This dynamic loading keeps the on-disk and in-memory footprint small and reduces the chance of detection.
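The UPX packing mentioned above is visible in the PE section table before any code runs. The following script is an added example, not tooling from the report: it parses the section headers, looks for the UPX0/UPX1/UPX2 section names, the "UPX!" marker and any section whose raw data has near-maximal entropy, and builds two minimal PE skeletons as constructed test input (they are not loadable binaries; the optional header is empty so only the section table is modelled).

```python
"""Static triage for UPX packing: section names, the "UPX!" marker and section entropy.
Added example; the sample PE skeletons below are constructed, not real samples."""
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, VirtualSize, SizeOfRawData, raw bytes) for every section header."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    num_sections, = struct.unpack_from("<H", blob, coff + 2)
    opt_size, = struct.unpack_from("<H", blob, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", blob, off + 8)
        yield name, vsize, rsize, blob[rptr:rptr + rsize]


def upx_indicators(blob: bytes) -> dict:
    sections = list(pe_sections(blob))
    dec = lambda n: n.decode("ascii", errors="replace")
    return {
        "upx_section_names": sorted(dec(s[0]) for s in sections if s[0] in UPX_SECTION_NAMES),
        "upx_marker": b"UPX!" in blob,
        # UPX0 carries no raw data: the stub decompresses UPX1 into it at run time
        "empty_raw_sections": [dec(s[0]) for s in sections if s[2] == 0 and s[1] > 0],
        "high_entropy_sections": [dec(s[0]) for s in sections if s[2] and shannon_entropy(s[3]) > 7.0],
    }


def looks_upx_packed(blob: bytes) -> bool:
    ind = upx_indicators(blob)
    # Section names are decisive; a layer with renamed sections still shows marker plus entropy
    return bool(ind["upx_section_names"]) or (ind["upx_marker"] and bool(ind["high_entropy_sections"]))


def build_sample(section_specs):
    """Assemble a minimal PE skeleton (constructed test input): MZ header, PE signature,
    COFF header with a zero-length optional header, section table, then raw section data."""
    headers_len = 0x40 + 4 + 20 + 40 * len(section_specs)
    blob = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    blob += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0, 0)
    raw = bytearray()
    for name, vsize, data in section_specs:
        rptr = headers_len + len(raw) if data else 0
        blob += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, len(data), rptr) + b"\0" * 16
        raw += data
    return bytes(blob + raw)


PACKED_SAMPLE = build_sample([
    (b"UPX0", 0x30000, b""),
    (b"UPX1", 0x8000, bytes(range(256)) * 8),   # uniform byte histogram: entropy 8.0, like compressed data
    (b".rsrc", 0x1000, b"UPX!" + b"\0" * 60),
])
UNPACKED_SAMPLE = build_sample([
    (b".text", 0x1000, b"\x90" * 512),
    (b".data", 0x100, b"hello" * 20),
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, looks_upx_packed(blob), upx_indicators(blob))
```

Operators sometimes hex-edit the section names, which is why the marker and entropy checks back them up; where the headers are intact, `upx -d` restores the Go payload and the usual Go build markers become visible for further triage.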

3. Evasion and Persistence Techniques

To evade endpoint defenses, Salat Stealer employs process masquerading, presenting itself under the names of trusted Windows processes so that a glance at the process list raises no alarm. It persists through registry Run keys and scheduled tasks, ensuring execution at reboot or user logon. For command and control it rotates through multiple fallback domains, so blocking a single domain does not sever the channel. To blunt behavioral heuristics, it delays execution and interleaves legitimate API calls with malicious operations, blending into normal system activity.
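Masquerading by name leaves the image path and parent process untouched, and those are what a hunt should compare. The script below is an added example over a constructed process inventory (shaped like `Get-CimInstance Win32_Process` output); the baseline table of expected paths and parents is an assumption to tune per Windows build, not something from the report.

```python
"""Hunt for process masquerading: a core Windows process name running from the wrong image
path, spawned by the wrong parent, or a look-alike name. Added example over constructed data."""
import difflib

# name -> (expected image path, parents that normally spawn it); assumed baseline, tune per build
BASELINE = {
    "svchost.exe":       (r"c:\windows\system32\svchost.exe",       {"services.exe"}),
    "services.exe":      (r"c:\windows\system32\services.exe",      {"wininit.exe"}),
    "lsass.exe":         (r"c:\windows\system32\lsass.exe",         {"wininit.exe"}),
    "explorer.exe":      (r"c:\windows\explorer.exe",               {"userinit.exe", "winlogon.exe"}),
    "runtimebroker.exe": (r"c:\windows\system32\runtimebroker.exe", {"svchost.exe"}),
}

# Constructed inventory: two genuine processes, one with a missing parent, three masquerades
PROCESSES = [
    {"pid": 700,  "ppid": 600,  "name": "services.exe",      "exe": r"C:\Windows\System32\services.exe"},
    {"pid": 812,  "ppid": 700,  "name": "svchost.exe",       "exe": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3300, "ppid": 3100, "name": "explorer.exe",      "exe": r"C:\Windows\explorer.exe"},
    {"pid": 4120, "ppid": 3300, "name": "svchost.exe",       "exe": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"pid": 5210, "ppid": 812,  "name": "RuntimeBroker.exe", "exe": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker.exe"},
    {"pid": 6001, "ppid": 3300, "name": "svch0st.exe",       "exe": r"C:\ProgramData\svch0st.exe"},
]


def audit_processes(procs):
    """Return findings for processes whose name, path or parent contradict the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        reasons = []
        if name in BASELINE:
            exp_path, exp_parents = BASELINE[name]
            if p["exe"].lower() != exp_path:
                reasons.append(f"image path {p['exe']} is not {exp_path}")
            parent = by_pid.get(p["ppid"])  # parent may have exited; lineage is then unknowable
            if parent and parent["name"].lower() not in exp_parents:
                reasons.append(f"parent {parent['name']} not in {sorted(exp_parents)}")
        else:
            # typo-squatted names (svch0st, scvhost) sit within a character or two of the real one
            close = difflib.get_close_matches(name, list(BASELINE), n=1, cutoff=0.8)
            if close:
                reasons.append(f"name resembles {close[0]}")
        if reasons:
            findings.append({"pid": p["pid"], "name": p["name"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in audit_processes(PROCESSES):
        print(f["pid"], f["name"], "; ".join(f["reasons"]))
```

On a live host, feed the same three fields from a process snapshot; a parent that has already exited is deliberately not treated as evidence, because that is normal for anything spawned by a short-lived installer.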

4. C2 Infrastructure and Communication Channels

The malware communicates with its command server over both UDP and HTTPS, alternating between encrypted HTTPS payloads and low-overhead UDP datagrams for real-time updates. A fleet of C2 domains provides redundancy, and WebSocket support in the control panel lets operators interact live with compromised hosts: they can issue remote commands to extract files, manipulate processes, or pivot laterally from an interface that handles session management and data staging automatically.
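Two traits of this channel stand out in network telemetry: a steady UDP cadence to an external host on a non-standard port, and a burst of failed TLS connections to several domains followed by a success to yet another one when the fallback list is walked. The detection below is an added example, not the report's own logic, run over a constructed connection log; the internal address ranges, the allowlisted UDP ports (DNS, NTP and QUIC on 443) and the thresholds are assumptions to adjust for your environment.

```python
"""Spot dual-channel C2 (periodic UDP beacons plus HTTPS domain fallback) in connection logs.
Added example over a constructed log; thresholds and allowlists are assumptions."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: timestamp, source host, proto, destination ip:port, TLS server name, outcome
SAMPLE_LOG = """\
2024-05-02T10:00:01 10.0.0.15 udp 203.0.113.10:5555 - ok
2024-05-02T10:00:31 10.0.0.15 udp 203.0.113.10:5555 - ok
2024-05-02T10:01:01 10.0.0.15 udp 203.0.113.10:5555 - ok
2024-05-02T10:01:31 10.0.0.15 udp 203.0.113.10:5555 - ok
2024-05-02T10:01:40 10.0.0.15 tcp 203.0.113.20:443 panel-a.example fail
2024-05-02T10:01:43 10.0.0.15 tcp 203.0.113.21:443 panel-b.example fail
2024-05-02T10:01:46 10.0.0.15 tcp 198.51.100.7:443 panel-c.example ok
2024-05-02T10:00:05 10.0.0.22 udp 10.0.0.1:53 - ok
2024-05-02T10:00:09 10.0.0.22 udp 198.51.100.50:443 cdn.example ok
2024-05-02T10:00:12 10.0.0.22 tcp 198.51.100.50:443 cdn.example ok
2024-05-02T10:03:12 10.0.0.22 tcp 198.51.100.50:443 cdn.example ok
"""
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BENIGN_UDP_PORTS = {53, 123, 443}   # DNS, NTP, QUIC; extend for your environment


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, dst, sni, outcome = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "proto": proto,
                       "dst_ip": ip, "dst_port": int(port), "sni": sni, "ok": outcome == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def periodic_udp(events, min_count=3, max_jitter=0.2):
    """Flag (src, dst) pairs sending UDP to external non-standard ports at a steady cadence."""
    flows = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["dst_port"] not in BENIGN_UDP_PORTS and is_external(e["dst_ip"]):
            flows[(e["src"], e["dst_ip"], e["dst_port"])].append(e["ts"])
    hits = []
    for (src, ip, port), times in flows.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append({"src": src, "dst": f"{ip}:{port}", "period_s": mean})
    return hits


def fallback_chains(events, window_s=60, min_failures=2):
    """Flag a host that fails TLS to several distinct domains, then succeeds to another one."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dst_port"] == 443:
            by_src[e["src"]].append(e)
    hits = []
    for src, conns in by_src.items():
        failed = []   # (timestamp, server name) of failures still inside the window
        for c in conns:
            failed = [f for f in failed if (c["ts"] - f[0]).total_seconds() <= window_s]
            if not c["ok"]:
                failed.append((c["ts"], c["sni"]))
                continue
            tried = {d for _, d in failed} - {c["sni"]}
            if len(tried) >= min_failures:
                hits.append({"src": src, "tried": sorted(tried), "landed": c["sni"]})
                failed = []
    return hits


def analyze(text):
    events = parse_log(text)
    findings = defaultdict(list)
    for h in periodic_udp(events):
        findings[h["src"]].append(("periodic_udp", h))
    for h in fallback_chains(events):
        findings[h["src"]].append(("https_fallback", h))
    return dict(findings)


if __name__ == "__main__":
    for src, items in analyze(SAMPLE_LOG).items():
        for kind, detail in items:
            print(src, kind, detail)
```

Either signal alone is noisy (game clients beacon over UDP, CDNs fail over between hostnames); the combination on one host inside a short window is what makes it worth an analyst's time.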

5. The Malware-as-a-Service Ecosystem

Salat Stealer is offered under a subscription model to Russian-speaking threat actors, complete with support channels and regular updates. Clients gain access to a centralized panel where they can customize exfiltration targets, deploy campaigns, and monitor stolen credentials in real time. This MaaS approach lowers the technical barrier to entry, enabling novice actors to launch sophisticated operations without deep coding expertise. The service uses modular pricing, charging extra for advanced features such as Telegram session hijacking or custom plugin development.

6. Targeted Data and Operational Impact

The stealer focuses on browser credentials from Chrome, Edge and other Chromium-based browsers as well as Firefox, along with private keys from popular cryptocurrency wallets. Session data for messaging apps such as Telegram is also extracted, allowing persistent account takeover long after the initial compromise. The financial impact can be severe: stolen funds and identity information pave the way for money laundering, account takeover fraud, and further distribution of malware within enterprise networks.

7. Mitigation and Defense Strategies

Organizations can reduce risk by enforcing application allowlisting so that only signed, verified binaries execute. Network monitoring should flag unexpected outbound UDP to non-standard ports and repeated HTTPS connections to untrusted or newly observed domains. Regularly auditing registry Run keys and scheduled tasks helps surface persistence mechanisms early. Finally, user education to recognize phishing attempts, combined with endpoint detection tuned for Go-based malware, forms the backbone of a comprehensive defense against Salat Stealer.
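The Run key and scheduled-task audit recommended above produces many benign entries (OneDrive and Discord both start from AppData, for instance), so a useful check scores each entry rather than flagging every user-writable path. The script below is an added example over a constructed `reg export` dump and two constructed task XML exports; the scoring rules, the list of impersonated system binary names and the drop-directory list are assumptions to tune, not the report's detection logic.

```python
"""Audit autostart entries (Run key values and scheduled-task actions) for stealer-style
persistence. Added example over constructed data; scoring rules are assumptions."""
import re
import xml.etree.ElementTree as ET

SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "runtimebroker.exe", "dllhost.exe"}
DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\",
             "\\users\\public\\", "\\windows\\temp\\")

# Constructed `reg export HKCU\...\Run` output: two legitimate values and one impostor
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
"WindowsUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
'''
# Constructed task exports (XML declaration omitted); one impostor, one genuine Windows task
TASK_XMLS = [r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\UpdateCheck</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\ProgramData\svchost.exe</Command><Arguments>-s</Arguments></Exec>
  </Actions>
</Task>''', r'''<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>''']


def parse_run_key_export(text):
    """Turn the "name"="value" lines of a .reg dump into (value name, command) pairs."""
    unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
    entries = []
    for line in text.splitlines():
        m = re.match(r'^"(.+?)"="(.*)"$', line.strip())
        if m:
            entries.append((unescape(m.group(1)), unescape(m.group(2))))
    return entries


def parse_task_xml(xml_text):
    """Yield (task name, command line) for every Exec action in an exported task."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("{*}RegistrationInfo/{*}URI") or "?"
    label = uri.rstrip("\\").rsplit("\\", 1)[-1]
    for ex in root.iterfind(".//{*}Exec"):
        cmd = (ex.findtext("{*}Command") or "").strip()
        args = (ex.findtext("{*}Arguments") or "").strip()
        yield label, f"{cmd} {args}".strip()


def executable_of(command):
    """Pull the executable out of a command line (assumes a quoted path or a .exe token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def score_autostart(label, command):
    """Score one entry; two or more points is worth an analyst's look."""
    low = executable_of(command).lower()
    base = low.rsplit("\\", 1)[-1]
    tests = [
        (2, f"{base} impersonates a Windows binary outside the Windows directory",
         base in SYSTEM_NAMES and not low.startswith(("c:\\windows\\", "%windir%\\", "%systemroot%\\"))),
        (1, "runs from a user-writable drop directory", any(d in low for d in DROP_DIRS)),
        (1, f"entry name '{label}' has nothing to do with {base}", label.lower().replace(" ", "") not in low),
    ]
    hits = [(pts, why) for pts, why, cond in tests if cond]
    return sum(p for p, _ in hits), [w for _, w in hits]


def audit_autostarts(run_export, task_xmls, threshold=2):
    entries = [("run", n, c) for n, c in parse_run_key_export(run_export)]
    for xml_text in task_xmls:
        entries += [("task", n, c) for n, c in parse_task_xml(xml_text)]
    findings = []
    for source, name, command in entries:
        score, reasons = score_autostart(name, command)
        if score >= threshold:
            findings.append({"source": source, "name": name, "command": command, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autostarts(RUN_KEY_EXPORT, TASK_XMLS):
        print(f["source"], f["name"], f["score"], f["command"], "; ".join(f["reasons"]))
```

The same scoring applies to HKLM Run/RunOnce values and to `schtasks /query /xml` output; adding an Authenticode check on the resolved executable is the natural next filter once signature data is available on the host.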

