Salat Stealer Uses Advanced C2 Infrastructure to Exfiltrate Browser Credentials

Cybersecurity researchers at CYFIRMA have identified a sophisticated Go-based infostealer, known as Salat Stealer (also referred to as WEB_RAT), that utilizes an advanced command-and-control infrastructure to extract sensitive data from Windows systems.

The malware demonstrates particular proficiency in exfiltrating browser credentials, cryptocurrency wallet information, and session data while utilizing multiple evasion techniques to avoid detection.

The analyzed sample (MD5: 276ff69704019d7b8491059ea9445a81) exhibits a high entropy value of 7.999, indicating strong obfuscation through UPX version 4.1.0 packing.

Upon execution, the 3.14 MB executable deploys multiple persistence mechanisms, including registry Run key entries and scheduled task creation under deceptive names such as Lightshot, Procmon, and RuntimeBroker to mimic legitimate system processes.

Multi-Browser Credential Harvesting Campaign

Salat Stealer demonstrates comprehensive browser targeting capabilities, accessing SQLite databases from Google Chrome, Microsoft Edge, ChromePlus, 360Browser, Sputnik, Opera, Opera GX, Thorium, and Brave browsers.

The malware explicitly targets the Web Data files from these browsers, which hold stored usernames, passwords, and autofill entries. Beyond traditional browser data theft, the stealer focuses extensively on cryptocurrency assets.

It targets both standalone wallet applications, including Coinomi, MyMonero, Armory, Ethereum Wallet, Atomic Wallet, Exodus, ZCash, Guarda, and Electrum, as well as browser extension-based wallets such as MetaMask, Trust Wallet, Coinbase Wallet Extension, Rabby Wallet, Phantom, Nami Wallet, Binance Web3 Wallet, and TronLink.

The malware also performs session hijacking on Telegram and Steam by accessing the data folder and querying relevant registry keys to extract session information. Stolen data is temporarily stored in the Temp directory using random numeric filenames without extensions to avoid suspicion.
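The persistence names (Lightshot, Procmon, RuntimeBroker as Run-key entries and scheduled tasks) and the staging convention (extensionless, all-digit filenames in Temp) described above are both cheap to check for. The following host-triage script is an added example, not CYFIRMA's tooling: it runs over a constructed autorun inventory and Temp listing embedded in the block, and the assumption that a genuine RuntimeBroker.exe is never registered as an autorun (the OS starts it as a COM surrogate) is labelled in the code. Feed it an Autoruns or EDR export and a real %TEMP% listing to use it on a host.

```python
"""Host triage for the persistence and staging artefacts described above.

Added example (not CYFIRMA's tooling): it runs over a constructed autorun
inventory and Temp directory listing so it works offline.
"""
import re
from dataclasses import dataclass

# Lure names the report attributes to the Run-key entries and scheduled tasks.
LURE_NAMES = {"lightshot", "procmon", "runtimebroker"}

# Path fragments that mark user-writable locations (lower-case, backslash form).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Whole-name digits with no extension: the staging convention the report describes.
NUMERIC_NO_EXT = re.compile(r"^\d+$")


@dataclass
class AutorunEntry:
    source: str      # "RunKey" or "ScheduledTask"
    name: str        # value name or task name
    image_path: str  # executable the entry launches


def is_suspicious_autorun(entry: AutorunEntry):
    """Return a reason string when an entry matches the lure pattern, else None."""
    name = entry.name.lower()
    path = entry.image_path.lower()
    if name not in LURE_NAMES:
        return None
    if name == "runtimebroker":
        # Assumption: the genuine RuntimeBroker.exe is started by the OS as a
        # COM surrogate, so an autorun entry by that name has no benign reason.
        return f"{entry.source} named RuntimeBroker launches {entry.image_path}"
    if any(frag in path for frag in USER_WRITABLE):
        # Lightshot and Procmon are real tools; only a copy living in a
        # user-writable directory is treated as the lure.
        return f"{entry.source} '{entry.name}' launches from user-writable path {entry.image_path}"
    return None


def staging_candidates(temp_listing):
    """Names in %TEMP% that are all digits with no extension."""
    return [f for f in temp_listing if NUMERIC_NO_EXT.match(f.rsplit("\\", 1)[-1])]


def triage(entries, temp_listing):
    """Combine both checks into one report dictionary."""
    findings = [r for r in (is_suspicious_autorun(e) for e in entries) if r]
    return {"autoruns": findings, "staging": staging_candidates(temp_listing)}


# Constructed sample data (not from the report) mixing lures with benign entries.
SAMPLE_ENTRIES = [
    AutorunEntry("RunKey", "RuntimeBroker", r"C:\Users\bob\AppData\Roaming\RuntimeBroker.exe"),
    AutorunEntry("ScheduledTask", "Procmon", r"C:\Users\bob\AppData\Local\Temp\procmon.exe"),
    AutorunEntry("ScheduledTask", "Lightshot", r"C:\Program Files\Lightshot\Lightshot.exe"),
    AutorunEntry("RunKey", "OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_TEMP = ["4827361", "tmp1A2B.tmp", "93018452", "setup.log"]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_ENTRIES, SAMPLE_TEMP).items():
        print(section)
        for item in items:
            print("  ", item)
```

On the constructed data the script flags the RuntimeBroker Run key and the Procmon task in Temp, leaves the Program Files Lightshot and the OneDrive entry alone, and lists the two digit-only Temp files as staging candidates; the staging check is a heuristic and will also catch legitimate tools that use the same naming, so treat it as a lead to pair with the autorun findings rather than a verdict on its own.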

Resilient Command-and-Control Operations

Salat Stealer maintains communication with its C2 infrastructure through the UDP protocol, sending 45-byte packets to the IP address 104.21.80.1 for keep-alive functionality.

The malware establishes encrypted HTTPS connections to salat.cn, explicitly targeting the /sa1at endpoint, which triggers Cloudflare phishing warnings.

The threat actors implement a robust failover system with multiple hardcoded domains, including posholnahuy.ru, pidorasina.ru, webr.at, and webrat.in. The control panel automatically checks domain availability through /alive.php endpoints and redirects to functional alternatives, ensuring persistent access even during takedowns.
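The C2 behaviour in the two paragraphs above (fixed 45-byte UDP keep-alives, HTTPS to the /sa1at panel path, and /alive.php availability probes across a hardcoded domain list) gives a network defender three things to look for. The script below is an added example, not from CYFIRMA: it runs over constructed flow and proxy records embedded in the block, and the two line formats it parses are assumptions to be replaced with your sensor's export. It goes slightly beyond the report by widening the /alive.php check to any domain probed by a client that has already contacted a listed one, which is how the failover logic would expose a domain not yet on the block list.

```python
"""Network-side detection for the C2 pattern described above: fixed-size UDP
keep-alives on a steady cadence, plus HTTP requests to the listed domains and
their /alive.php failover checks.

Added example, not from CYFIRMA. Runs over constructed flow and proxy records.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Domains and paths taken from the report, used as plain strings for matching.
C2_DOMAINS = {"salat.cn", "posholnahuy.ru", "pidorasina.ru", "webr.at",
              "webrat.in", "webrat.su", "webrat.top"}
PANEL_PATH = "/sa1at"
FAILOVER_PATH = "/alive.php"
KEEPALIVE_BYTES = 45  # UDP keep-alive packet size the report describes


def parse_flow(line):
    """Constructed flow format (assumption): '<epoch> <proto> <src_ip> <dst_ip> <bytes>'."""
    ts, proto, src, dst, nbytes = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst, "bytes": int(nbytes)}


def udp_beacons(flow_lines, min_count=4, max_jitter=5.0):
    """Report (src, dst) pairs sending repeated 45-byte UDP datagrams on a
    regular interval; the cadence check keeps irregular same-size noise out."""
    groups = defaultdict(list)
    for f in map(parse_flow, flow_lines):
        if f["proto"] == "UDP" and f["bytes"] == KEEPALIVE_BYTES:
            groups[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for (src, dst), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(times), "interval": mean(gaps)})
    return hits


def parse_proxy(line):
    """Constructed proxy format (assumption): '<epoch> <src_ip> <method> <host> <path> <status>'."""
    ts, src, method, host, path, status = line.split()
    return {"ts": int(ts), "src": src, "method": method, "host": host.lower(),
            "path": path, "status": int(status)}


def c2_http_hits(proxy_lines):
    """Flag requests to the listed domains, then widen to any /alive.php probe
    from the same client as a possible not-yet-listed failover domain."""
    records = [parse_proxy(line) for line in proxy_lines]
    infected = {r["src"] for r in records if r["host"] in C2_DOMAINS}
    hits = []
    for r in records:
        if r["host"] in C2_DOMAINS:
            if r["path"] == PANEL_PATH:
                tag = "panel"
            elif r["path"] == FAILOVER_PATH:
                tag = "failover-check"
            else:
                tag = "c2-domain"
        elif r["src"] in infected and r["path"] == FAILOVER_PATH:
            tag = "possible-new-failover-domain"
        else:
            continue
        hits.append({"src": r["src"], "host": r["host"], "path": r["path"], "tag": tag})
    return hits


# Constructed sample records (not captured traffic): one steady beacon, one
# irregular same-size UDP talker, one unrelated TCP flow.
SAMPLE_FLOWS = [
    "1700000000 UDP 10.0.0.5 104.21.80.1 45",
    "1700000060 UDP 10.0.0.5 104.21.80.1 45",
    "1700000120 UDP 10.0.0.5 104.21.80.1 45",
    "1700000180 UDP 10.0.0.5 104.21.80.1 45",
    "1700000240 UDP 10.0.0.5 104.21.80.1 45",
    "1700000007 UDP 10.0.0.7 10.0.0.1 45",
    "1700000031 UDP 10.0.0.7 10.0.0.1 45",
    "1700000300 UDP 10.0.0.7 10.0.0.1 45",
    "1700000305 UDP 10.0.0.7 10.0.0.1 45",
    "1700000100 TCP 10.0.0.5 104.21.80.1 1320",
]
SAMPLE_PROXY = [
    "1700000010 10.0.0.5 GET salat.cn /sa1at 200",
    "1700000015 10.0.0.5 GET posholnahuy.ru /alive.php 200",
    "1700000016 10.0.0.5 GET webr.at /alive.php 503",
    "1700000017 10.0.0.5 GET example-cdn.test /alive.php 200",
    "1700000020 10.0.0.9 GET intranet.test /alive.php 200",
    "1700000021 10.0.0.9 GET example.com / 200",
]

if __name__ == "__main__":
    for hit in udp_beacons(SAMPLE_FLOWS):
        print("beacon:", hit)
    for hit in c2_http_hits(SAMPLE_PROXY):
        print("http:", hit)
```

The beacon detector matches on size and cadence rather than on the IP alone, because 104.21.80.1 sits in Cloudflare space and a plain IP rule would both miss a moved C2 and fire on unrelated traffic; the irregular 10.0.0.7 talker in the sample is dropped by the jitter threshold even though it sends the same 45-byte datagrams. On the proxy side only the client that touched a listed domain has its /alive.php probes escalated, so the generic intranet probe from 10.0.0.9 stays quiet.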

Operating under a Malware-as-a-Service model, Russian-speaking actors affiliated with NyashTeam and Kapchenka offer WebRat subscriptions for 1,199 rubles monthly, with hosting services priced at 999 rubles for two months.

The platform includes real-time WebSocket communication, remote PowerShell execution capabilities, and predefined scripts for Windows Defender exclusion manipulation, UAC disabling, and recovery environment disabling.

Organizations should implement advanced endpoint detection solutions, network traffic monitoring, and user awareness training to defend against this evolving threat landscape.

List of IoCs:

No   Indicator                                                          Remarks
1    8b94f5fa94f35e5ba47ce260b009b34401c5c54042d7b7252c8c7d13bf8d9f05   Block
2    http[:]//62[.]109[.]0[.]189/login/
3    http://nyash[.]team/                                               Block
4    552e1c2ed502f652d5cd1c70fee7a81d0269d1ad6db96ad21344ff4e1e3620d5   Block
5    Salat[.]cn                                                         Block
6    Posholnahuy[.]ru                                                   Block
7    Pidorasina[.]ru                                                    Block
8    Webr[.]at                                                          Block
9    Webrat[.]su                                                        Block
10   Webrat[.]in                                                        Block
11   Webrat[.]top                                                       Block

Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.