Webrat
WebRAT is a backdoor/remote access trojan with information-stealing and spyware capabilities that was first reported in early 2025. It is also referred to as Salat Stealer (SalatStealer) in the underlying reporting. WebRAT enables remote control of infected Windows systems and can steal data from cryptocurrency wallets and from Telegram, Discord, and Steam accounts. Reported surveillance functions include keylogging, screen recording or screenshot capture, and webcam and microphone monitoring. Reporting also describes it as being distributed as a stealer/RAT through malicious GitHub repositories, pirated software, cracked software, and game cheats for titles including Rust, Counter-Strike, and Roblox.
A prominent 2025 campaign used fake GitHub repositories masquerading as proof-of-concept exploits for recently disclosed vulnerabilities to target infosec enthusiasts, students, and junior security researchers. The repositories used machine-generated or AI-generated-looking descriptions and linked to password-protected ZIP archives. Those archives contained files including a decoy payload.dll, start_exp.bat, and an executable such as rasmanesc.exe (reported MD5: 61b1fc6ab327e6d3ff5fd3e82b430315). The loader was reported to attempt privilege escalation, disable Microsoft Defender, and download the WebRAT payload from hardcoded infrastructure. Reported infrastructure and IOCs include ezc5510min.temp.swtest.ru, shopsleta.ru, and MD5 hashes 28a741e9fcd57bd607255d3a4690c82f, a13c3d863e8e2bd7596bac5d41581f6a, and 61b1fc6ab327e6d3ff5fd3e82b430315.
The malware has been associated in reporting with NyashTeam, which reportedly sold WebRAT and DCRat via Telegram bots and websites under a malware-as-a-service model. Separate reporting also notes strong similarities between WebRAT and later malware families such as CrystalRAT/CrystalX RAT, including similar panel design, Go-based implementation, and bot-based sales infrastructure. Kaspersky detection names cited in the referenced reporting for WebRAT-related activity include HEUR:Trojan.Python.Agent.gen, HEUR:Trojan-PSW.Win64.Agent.gen, HEUR:Trojan-Banker.Win32.Agent.gen, HEUR:Trojan-PSW.Win32.Coins.gen, HEUR:Trojan-Downloader.Win32.Agent.gen, and PDM:Trojan.Win32.Generic.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (2 techniques)
Persistence (2 techniques)
Privilege Escalation (5 techniques)
On execution: mutex check (checkDupe), UAC bypass (Elevate), persistence via registry Run key and Task Scheduler...
main.DuplicateUserTokenFromSessionID -- WTS token duplication
main.getSystemToken -- SYSTEM token acquisition
Stealth (5 techniques)
The PE sections are labeled UPX0, UPX1, UPX2. But run upx -d and you get NotPackedException: not packed by UPX. The section names are fake -- a social engineering artifact targeting analysts...
“malicious HWP file disguised as a… document” and “abusing the icon of SentinelOne… spoofing it… Rust based implant… acting as a legitimate binary” and “Webrat… disguising itself as cheats… or as cracked software.”
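A triage check for the fake-packer trick described above, added here as an example (not code from the original write-ups or from the malware's authors): it parses the PE section table and flags files that carry UPX section names without UPX's actual layout, so an analyst knows not to bother with upx -d. The "UPX!" magic and empty-UPX0 heuristic are assumptions about genuine UPX output, and the sample PE images are constructed inline.

```python
import struct
from typing import Dict, List

# Section names that UPX writes; the loader above reuses them without being UPX-packed.
UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def parse_sections(pe: bytes) -> List[Dict[str, object]]:
    """Walk the PE section table and return name and size fields per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, _vaddr, rsize, _rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "rsize": rsize})
    return sections

def fake_upx_sections(pe: bytes) -> bool:
    """True when the file carries UPX section names but not UPX's real layout.
    Heuristic (an assumption of this example): a genuine UPX build contains the
    'UPX!' pack-header magic and leaves UPX0 with SizeOfRawData == 0, since UPX0
    is only the in-memory destination for the unpacked image."""
    secs = parse_sections(pe)
    if not {s["name"] for s in secs} & UPX_NAMES:
        return False  # makes no UPX claim, so nothing to contradict
    upx0 = next((s for s in secs if s["name"] == b"UPX0"), None)
    genuine = b"UPX!" in pe and upx0 is not None and upx0["rsize"] == 0
    return not genuine

def build_sample_pe(names: List[bytes], raw_sizes: List[int], upx_magic: bool) -> bytes:
    """Constructed minimal PE (DOS stub, COFF header, section table, 8 data bytes) for testing."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)  # no optional header
    table, ptr = b"", 0x40 + 4 + 20 + 40 * len(names)
    for name, rsize in zip(names, raw_sizes):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000,
                             rsize, ptr, 0, 0, 0, 0, 0x60000020)
        ptr += rsize
    body = b"UPX!" + b"\0" * 4 if upx_magic else b"\0" * 8
    return dos + b"PE\0\0" + coff + table + body
```

On a real sample, pass the file's bytes to fake_upx_sections; a True result means the UPX labels are decoration and the file should be treated as a custom-packed or unpacked binary.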
Credential Access (6 techniques)
main.NtQuerySystemHandles -- Handle enumeration (LSASS targeting)
main.findLsassProcess -- LSASS process location
main.runKeylogger -- Start capture
main.keyPressCallback -- SetWindowsHookEx WH_KEYBOARD callback
main.windowChangeCallback -- Active window change (context labeling)
Collection hits 34 browsers, 28 crypto wallets, Telegram/Discord/Steam tokens, keylogger with window context, screenshots, and clipboard.
Chromium-based browsers get the full treatment: DPAPI master key decryption, AES-GCM cookie/password decryption...
Discovery (2 techniques)
Collection (5 techniques)
main.runKeylogger -- Start capture
main.keyPressCallback -- SetWindowsHookEx WH_KEYBOARD callback
main.windowChangeCallback -- Active window change (context labeling)
Command and Control (7 techniques)
The actual C2 connection uses WebSocket over TLS for command-and-control, and QUIC (HTTP/3) for bulk data exfiltration.
Every infected host becomes a SOCKS5 proxy node:
main.(*socks5Conn).Serve -- SOCKS5 server ...
main.p2pSocks -- P2P SOCKS relay
SalatStealer is not just a stealer -- it is a full RAT ... screen streaming, shell, SOCKS proxy
SalatStealer has been documented before ... The binary imports github.com/xssnick/tonutils-go v1.16.0 and implements two functions: main.tonResolve and main.tryTonResolve.
A tloop function implements a polling loop that periodically re-resolves via TON, meaning the operator can rotate infrastructure mid-campaign and all infected hosts will follow within one polling interval. This is Fast Flux DNS with the blockchain as the authoritative server.
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as malware similar to CrystalRAT; also known as Salat Stealer.
A previously known malware/tool written in Go whose panel layout and sales infrastructure closely resembled early Webcrystal RAT, suggesting CrystalX evolved from or was heavily inspired by it.
Previously known malware whose panel and sales workflow closely resembled CrystalX RAT/Webcrystal RAT; referenced as a likely template or predecessor and also known as Salat Stealer.
WebRAT, also referred to as Salat Stealer, is referenced as a similar malware family sharing panel design, Go-based code, and a bot-based sales system with CrystalRAT.