
Salat Stealer: Advanced C2 Infrastructure for Exfiltrating Browser Credentials

Salat Stealer has emerged as a significant threat targeting Windows endpoints, primarily focusing on harvesting browser-stored credentials and cryptocurrency wallet data. First detected in August 2025, this Go-based infostealer employs various evasion tactics, including UPX packing and process masquerading, to bypass conventional security measures. Its operators promote the malware through social engineering campaigns on mainstream platforms, advertising fake software cracks and game cheats that deliver the initial payload. Upon execution, Salat Stealer discreetly injects itself into trusted directories under names such as Lightshot.exe and Procmon.exe, effectively blending in with legitimate processes to avoid detection. Researchers from Cyfirma identified the malware’s multi-layered approach shortly after its initial sightings, noting its use of registry run keys and scheduled tasks to maintain persistence. The malware creates entries under names like RuntimeBroker and Lightshot, which execute at logon and repeat every three minutes for an extended duration.

The binary, packed with UPX 4.1.0, features a high entropy value of 7.999, concealing its true behaviour until runtime. Dynamic analysis revealed that child processes spawn under familiar file paths, such as C:\Program Files (x86)\Windows NT\Lightshot.exe, complicating detection by endpoint agents.

Cyfirma analysts observed that Salat Stealer’s communication with its command-and-control (C2) infrastructure is both resilient and covert. Initial contact occurs through lightweight UDP packets of approximately 45 bytes sent to IP 104.21.80.1, likely serving as keep-alive beacons. Concurrently, the stealer establishes an encrypted HTTPS channel to salat.cn/salat, with DNS resolutions pointing to 172.67.194.254 and 104.21.60.88. If the primary domain becomes unreachable, a built-in JavaScript routine retrieves a list of fallback domains—such as ‘webrat.in’ and ‘webrat.top’—from sniff_domain_list.txt, iterating through each via calls to /alive.php until it finds an active panel for redirection.

The impact of Salat Stealer extends beyond mere credential theft, as it also targets browser extensions for cryptocurrency wallets like MetaMask, Trust Wallet, and Phantom. By scanning the Chrome extension settings directory, the malware extracts seed phrases and private keys, exposing users to the risk of irreversible financial loss. A similar method applied to desktop wallet applications—including Electrum, Exodus, and Coinomi—enables the stealer to harvest wallet databases and configuration files. All exfiltrated data is temporarily stored in the Temp folder under randomised filenames before being transmitted to the C2 panel.

Salat Stealer’s infection chain begins with a social engineering lure that persuades the victim to execute a malicious archive. Upon launch, the executable unpacks itself, initiating the malware’s malicious activities.
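The masquerading paths, persistence names, C2 domains and beacon pattern described above can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from Cyfirma or this post; the event dictionaries are a constructed schema and the sample events are made up, so map the fields onto your own Sysmon or EDR output.

```python
"""Hunt for the Salat Stealer tradecraft described in the write-up above."""
import re

# Indicators taken from the write-up: masquerade paths, persistence names, C2 hosts.
MASQUERADE = re.compile(
    r"^c:\\program files \(x86\)\\windows nt\\(lightshot|procmon)\.exe$", re.I)
PERSIST_NAMES = {"runtimebroker", "lightshot"}
C2_DOMAINS = {"salat.cn", "webrat.in", "webrat.top"}
BEACON_IP = "104.21.80.1"          # keep-alive target named in the write-up
BEACON_BYTES = range(40, 51)       # "approximately 45 bytes"


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (technique, detail) pairs for events that match the described behaviour."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process" and MASQUERADE.match(ev.get("image", "")):
            hits.append(("masquerading", ev["image"]))
        elif kind in ("task", "runkey") and ev.get("name", "").lower() in PERSIST_NAMES:
            # Run key under a spoofed name, or a scheduled task repeating every 3 minutes.
            if kind == "runkey" or ev.get("repeat_minutes") == 3:
                hits.append(("persistence", f"{kind}:{ev['name']} -> {ev.get('command', '')}"))
        elif kind == "dns" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append(("c2-domain", ev["query"]))
        elif kind == "http" and ev.get("path") == "/alive.php":
            # Fallback-panel probe; the host list on the page is only partial, so report any host.
            hits.append(("c2-fallback-probe", ev.get("host", "")))
        elif (kind == "net" and ev.get("proto") == "udp"
              and ev.get("dst") == BEACON_IP and ev.get("bytes", 0) in BEACON_BYTES):
            # 104.21.x.x is shared CDN address space, so an IP-only match is low confidence
            # by itself; it is reported so it can be correlated with the other findings.
            hits.append(("c2-beacon", f"udp {ev['bytes']}B -> {ev['dst']}"))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry for this example, not captured data
    {"type": "process", "image": r"C:\Program Files (x86)\Windows NT\Lightshot.exe"},
    {"type": "process", "image": r"C:\Windows\System32\RuntimeBroker.exe"},  # legitimate
    {"type": "task", "name": "RuntimeBroker", "repeat_minutes": 3,
     "command": r"C:\Program Files (x86)\Windows NT\Lightshot.exe"},
    {"type": "runkey", "name": "Lightshot",
     "command": r"C:\Program Files (x86)\Windows NT\Procmon.exe"},
    {"type": "dns", "query": "salat.cn"},
    {"type": "http", "host": "webrat.top", "path": "/alive.php"},
    {"type": "net", "proto": "udp", "dst": "104.21.80.1", "bytes": 45},
    {"type": "net", "proto": "udp", "dst": "104.21.80.1", "bytes": 512},  # not the beacon size
]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE_EVENTS):
        print(f"[{technique}] {detail}")
```

A single persistence or masquerading hit on its own is already worth triage; the beacon and DNS findings are best used to confirm it.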

Categories: Malware Threats, Credential Theft, Evasion Techniques 

Tags: Salat Stealer, Windows Endpoints, Browser Credentials, Cryptocurrency Wallets, Social Engineering, Evasion Tactics, Command-and-Control, Persistence Mechanisms, Malware, Dynamic Analysis 
