AsmCrypt's interface shared in one of the forum threads
A new commercial remote access trojan called SilabRAT is making waves on the cybercrime underground. Also known as SnappyClient, this SilabRAT malware is sold as a subscription service and built to drain cryptocurrency wallets. Security firm Group-IB has now pulled back the curtain on how it works.
Sold as a service for $5,000 a month
SilabRAT first surfaced on dark web forums in late 2025. Since then, criminals have marketed it as Malware-as-a-Service across Russian-language forums such as Exploit, XSS, and WWH. It even appeared on the ransomware-focused RAMP forum before the FBI dismantled that site in January 2026.
The price tag is steep. Buyers pay $5,000 per month to run their own campaigns, while the developer handles updates and infrastructure. Notably, each customer hosts their own command-and-control server. As a result, the seller never touches victim data. Customers can even spin up limited-access mirrors of their panel, letting affiliates tap into live victim sessions at the same time.
The person behind the tool uses the handle “o1oo1.” According to Group-IB, this Russian-speaking developer has operated in underground forums since late 2020. Over time, o1oo1 graduated from selling SMTP credentials to building malware. The developer also runs a separate crypter service, AsmCrypt, and bundles the two tools at a discount.
Why antivirus calls it HijackLoader
Many security engines flag SilabRAT samples as HijackLoader. However, that label only describes the packer, not the payload itself. In practice, this leaves the real malware unclassified and harder to track.
The infection chain varies because each buyer runs their own campaign. Still, Group-IB observed SilabRAT spreading through email spam and ClickFix social engineering. Victims usually meet a ClickFix prompt through phishing, malicious ads, or compromised websites. Worryingly, one criminal bragged that “more than 90% of infected machines stayed online throughout a month-long campaign.”
A toolkit built for crypto theft
At its core, this SilabRAT malware is designed to monetize access fast. The web panel gives operators a live view of every infected machine. From there, they can launch stealers, log keystrokes, watch the clipboard, or push more payloads. It also offers a TightVNC-based remote desktop for direct, hands-on control.
The standout feature is crypto-focused. An “AutoWallet” module runs in the background and tries to crack passwords on any cryptocurrency wallets it finds. It reuses passwords harvested from the victim’s browser to unlock encrypted wallets. Therefore, operators need no external cracking tools.
SilabRAT also tackles modern browser defenses. It bypasses Chrome’s App-Bound Encryption, a protection meant to lock browser secrets to the legitimate Chrome process. Beyond that, it can clone a victim’s entire browser profile to defeat device fingerprinting and IP binding.
Hidden remote control and stealth
Perhaps the most dangerous capability is Hidden Virtual Network Computing, or HVNC. Group-IB notes the technique lets an attacker “invisibly remotely control a compromised machine.” There are no on-screen clues, and the activity comes from the victim’s real device and IP. Consequently, many fraud systems treat the session as legitimate.
The malware leans on session hijacking, too. As Group-IB explains, seizing an active session can bypass passwords and even multi-factor authentication. To stay hidden, SilabRAT tampers with the Anti-Malware Scan Interface and adds anti-forensic tricks. It can also escalate privileges through a known UAC bypass and set up persistence via registry keys or scheduled tasks. Under the hood, it encrypts its traffic with ChaCha20-Poly1305 and compresses it with Snappy, the likely origin of the SnappyClient nickname.
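Two of the persistence mechanisms named above, Run-key registry entries and scheduled tasks, leave telemetry that a defender can hunt for. The following script is an added example written for this article, not Group-IB's tooling and not part of SilabRAT. It assumes Sysmon-style events (Event ID 1 for process creation, Event ID 13 for a registry value being set, with the TargetObject, Details and CommandLine fields) and runs over a handful of constructed sample events, flagging writes to Run/RunOnce keys and command lines that create scheduled tasks. The paths, SIDs and task names in the samples are made up for illustration.

```python
"""
Triage helper: flag persistence artefacts of the kind the article attributes
to SilabRAT (Run-key registry entries and scheduled-task creation) in a set of
CONSTRUCTED Sysmon-style events. Added example; event shapes are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Registry autostart locations a triage analyst checks first.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)
# Command lines that create scheduled tasks via schtasks.exe or the
# PowerShell cmdlet.
TASK_CREATE_RE = re.compile(
    r"(schtasks(\.exe)?\s+.*?/create|Register-ScheduledTask)", re.IGNORECASE
)


@dataclass
class Finding:
    event_id: int
    technique: str
    detail: str


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event looks like a persistence attempt."""
    eid = event.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent: value set
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            return Finding(13, "registry_run_key",
                           f"{target} = {event.get('Details', '')}")
    if eid == 1:  # Sysmon process creation
        cmd = event.get("CommandLine", "")
        if TASK_CREATE_RE.search(cmd):
            return Finding(1, "scheduled_task", cmd)
    return None


def triage(events) -> list:
    """Run check_event over every event and keep the hits."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry, not from the article).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                    '/tr "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"'},
    {"EventID": 13,
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion"
                     "\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[Sysmon {f.event_id}] {f.technique}: {f.detail}")
```

The two hits in the sample set are the Run-key write and the schtasks /create command; the unrelated Explorer registry write and the notepad launch pass through. In a real deployment the same patterns would be expressed as a SIEM rule, and the Run-key match would be extended to the other autostart locations (RunServices, Winlogon, services keys) that the article's "registry keys" phrasing does not enumerate.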
What comes next
SilabRAT is still evolving. Its author has teased plans to inject code into Electron-based apps, including the Ledger and Trezor wallet managers. That move would let attackers tamper directly with crypto management software.
You can read the full Group-IB analysis of SilabRAT for indicators and detection guidance. Above all, the rise of this SilabRAT malware shows how commodity tools now pack advanced evasion and crypto theft into a simple monthly subscription.