NyashTeam

NyashTeam is a Russian-speaking malware-as-a-service (MaaS) operator active since approximately 2022. The group is associated with the NyashTeam / WebRat brand and is described as selling remote access trojans and stealer malware, including WebRAT (also referred to in reporting as SalatStealer) and DCRat (DarkCrystal RAT), via Telegram bots and websites. Reporting also describes NyashTeam as offering custom-made malware and server hosting to Russian-speaking cybercriminals. NyashTeam is linked to the operation and sale of SalatStealer/WebRAT, a Go-based malware family that combines RAT and infostealer functionality. Reported capabilities include theft of browser credentials and cookies, cryptocurrency wallet data, Telegram Desktop data, Discord tokens, Steam data, clipboard monitoring, keylogging, screen/webcam/microphone capture, remote shell access, SOCKS5 proxying, persistence, task scheduling, privilege escalation, and LSASS targeting. SalatStealer/WebRAT has been reported to use encrypted configuration, DNS-over-HTTPS and TON DNS-based C2 resolution, and WebSocket over TLS with QUIC/HTTP3 for exfiltration. The group’s operator portal was reported at nyash[.]team, advertising itself as the "OFFICIAL WebRat reseller." Sales and support were conducted through Telegram bots including @nyash_team_bot and @nyashsupbot. Infrastructure linked in reporting includes domains such as nyash[.]team, webrat[.]ru, webrat[.]top, wrat[.]in, salat[.]cn, and sa1at[.]ru, with Russian-hosted infrastructure in Moscow, Rostov-na-Donu, and Saint Petersburg also described. CERT-F6/F6 reportedly disrupted more than 110 NyashTeam domains in July 2025, but subsequent reporting states the group rebuilt infrastructure within months. Known aliases and associated branding directly mentioned in the content include WebRat and NyashTeam / WebRat.