CYFIRMA has released an in-depth analysis of Salat Stealer (also known as WEB_RAT), a sophisticated Go-based malware targeting Windows systems, operated under a Malware-as-a-Service (MaaS) model.
CYFIRMA warns that “Salat Stealer (also known as WEB_RAT) is a sophisticated Go-based infostealer targeting Windows systems. The malware exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques, including UPX packing, process masquerading, registry run keys, and scheduled tasks.”
The stealer has been traced back to Russian-speaking operators linked to NyashTeam and Kapchenka, who are commercializing the malware through structured MaaS offerings.
The malware uses several stealth and persistence techniques:
- Process masquerading: disguises itself as trusted applications like Lightshot.exe or RuntimeBroker.exe.
- Registry and Task Scheduler persistence: creates Run keys and scheduled tasks repeating every 3 minutes to ensure longevity.
- UPX packing: obfuscates the binary to bypass static detection.
- Defender evasion: modifies Windows Defender exclusions to remain undetected.
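As an added, defender-side example (not from the CYFIRMA report), this read-only PowerShell hunt checks a host for the four indicators listed above: short-interval scheduled tasks, Run-key entries launching from user-writable folders, Windows Defender exclusions, and the two cited process names running from outside the Windows and Program Files trees. The 5-minute threshold and the path heuristics are assumptions of this example, not values from the report.

```powershell
# Added defender-side hunt for the Salat Stealer persistence indicators named above.
# Read-only: it reports, it changes nothing. Run elevated so HKLM Run keys and
# Get-MpPreference are readable. Thresholds and path heuristics are assumptions.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks with a repetition interval of 5 minutes or less
#    (the report cites a 3-minute task, which is "PT3M" in ISO 8601 duration form).
foreach ($task in Get-ScheduledTask) {
    foreach ($trigger in $task.Triggers) {
        $interval = $trigger.Repetition.Interval
        if ($interval -match '^PT(\d+)M$' -and [int]$Matches[1] -le 5) {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "interval=$interval; $actions"
        }
    }
}

# 2. Run keys whose command launches from a user-writable location (heuristic).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ("$($prop.Value)" -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            Add-Finding 'RunKey' "$key\$($prop.Name)" $prop.Value
        }
    }
}

# 3. Windows Defender exclusions; the stealer adds its own to stay undetected.
$mp = Get-MpPreference
foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($ex) { Add-Finding 'DefenderExclusion' $ex '' }
}

# 4. The masqueraded names from the report running outside Windows / Program Files.
$names = 'RuntimeBroker.exe', 'Lightshot.exe'
foreach ($proc in Get-CimInstance Win32_Process | Where-Object { $names -contains $_.Name }) {
    $path = $proc.ExecutablePath
    if ($path -and $path -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
        Add-Finding 'ProcessMasquerade' "$($proc.Name) (PID $($proc.ProcessId))" $path
    }
}

$findings | Format-Table -AutoSize
```

Any hit is a lead to triage, not a verdict: legitimate software also uses Run keys and exclusions, so compare the reported paths and commands against what is expected on that host.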
It aggressively targets data sources including:
- Web browsers: Chrome, Edge, Opera, Brave, 360Browser, Sputnik, Thorium, and more.
- Cryptocurrency wallets: Coinomi, Exodus, Atomic Wallet, MyMonero, Guarda, Electrum, and others.
- Browser wallet extensions: MetaMask, Trust Wallet, Coinbase Wallet, Rabby, Phantom, Nami, Binance Web3, TronLink.
- Messaging platforms: Telegram session hijacking.
- Gaming platforms: Steam session hijacking.
The stealer maintains communication with its C2 infrastructure using UDP traffic and encrypted HTTPS connections to salat.cn/sa1at, a domain already flagged as “suspected phishing.” The control panel, identified as WebRat, allows real-time attacker interaction via WebSockets and supports remote PowerShell execution.
The report notes: “Threat actors behind the stealer openly display their Telegram contact information within the control panel… They offer subscription-based access to the stealer through a key activation system, and list official resellers authorized to distribute it.”
Fallback domains such as webrat.in, webrat.ru, webrat.su, and posholnahuy.ru ensure continuity even if primary infrastructure is taken offline.
CYFIRMA’s analysis highlights how Salat Stealer exemplifies the professionalization of cybercrime ecosystems.
- Monthly subscriptions for WebRat start as low as 1,199 rubles.
- Hosting services are sold for 999 rubles for two months.
- Payments are accepted through cryptocurrency, Russian payment services, and even Steam Skins.
The report emphasizes: “Subscriptions to these tools are deliberately priced at low rates, making them affordable to less-skilled cybercriminals. This pricing strategy significantly widens the threat landscape.”
Distribution relies heavily on social engineering: fake YouTube accounts, cracked software archives, and compromised open-source repositories spread malware-laced downloads to unsuspecting victims.
With high confidence, CYFIRMA attributes operations to Russian-speaking cybercriminals tied to NyashTeam and Kapchenka. The malware is part of a broader MaaS ecosystem offering RATs, stealers, and other malicious tools to a wide pool of buyers.
As the report concludes: “Salat Stealer exemplifies the growing sophistication of Malware-as-a-Service ecosystems, blending advanced persistence, evasion, and data theft techniques with resilient C2 operations.”