The Go-based tool, also tracked as WEB_RAT, combines the functions of an infostealer and a Remote Access Trojan. Its operators can harvest browser passwords, cookies, Telegram sessions, cryptocurrency wallet data and system details, while also opening remote shells, logging keystrokes, watching the clipboard, streaming desktop activity and accessing webcams. The addition of SOCKS5 pivoting gives attackers a way to route follow-on activity through compromised machines, raising the risk for corporate networks where one infected endpoint can become a bridge into wider systems.
Fresh technical analysis shows Salat Stealer is using WebSocket and HTTP/3 over QUIC for command-and-control traffic, allowing its communications to blend into modern web activity. That shift matters because many corporate detection tools still focus on older HTTP polling patterns, suspicious domains or known malware beacons. QUIC, which relies on UDP and encryption by design, can reduce the visibility defenders normally obtain from traffic inspection unless endpoint and network telemetry are carefully correlated.
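One way to recover the visibility the paragraph describes is to correlate endpoint process telemetry with network flow records and flag QUIC-shaped traffic (UDP to port 443) that does not originate from a known browser. The following is an added example, not code from the article or any vendor tool; the record layouts, the sample telemetry and the browser allowlist are assumptions and would need tuning to a real fleet.

```python
"""Correlate constructed endpoint process records with constructed network flow
records to surface UDP/443 (QUIC-style) traffic from processes that are not
expected to speak HTTP/3. Record layouts and allowlist are assumptions."""
from dataclasses import dataclass

# Executables expected to use HTTP/3 over QUIC on a typical workstation.
# Assumption: extend this from the organisation's software inventory.
KNOWN_QUIC_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Process:
    pid: int
    image: str   # executable name as reported by the endpoint agent
    path: str    # full on-disk path of the image


@dataclass(frozen=True)
class Flow:
    pid: int
    proto: str   # "udp" or "tcp"
    dst_port: int
    dst: str


def suspicious_quic_flows(processes, flows):
    """Return (flow, process-or-None, reason) for UDP/443 flows that either have
    no owning process record or are owned by a non-browser process."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for f in flows:
        if f.proto != "udp" or f.dst_port != 443:
            continue  # only QUIC-shaped traffic is of interest here
        proc = by_pid.get(f.pid)
        if proc is None:
            findings.append((f, None, "udp/443 flow with no matching process record"))
        elif proc.image.lower() not in KNOWN_QUIC_CLIENTS:
            findings.append((f, proc, "udp/443 flow from non-browser process"))
    return findings


# Constructed sample telemetry (not real data): a genuine browser, a binary
# named like a system process but living in a user profile, and an orphan flow.
SAMPLE_PROCESSES = [
    Process(1200, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Process(4410, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
]
SAMPLE_FLOWS = [
    Flow(1200, "udp", 443, "203.0.113.10"),
    Flow(4410, "udp", 443, "198.51.100.7"),
    Flow(4410, "tcp", 443, "198.51.100.7"),
    Flow(9999, "udp", 443, "192.0.2.5"),
]

if __name__ == "__main__":
    for flow, proc, reason in suspicious_quic_flows(SAMPLE_PROCESSES, SAMPLE_FLOWS):
        owner = f"{proc.image} ({proc.path})" if proc else "unknown process"
        print(f"pid {flow.pid} -> {flow.dst}:{flow.dst_port}/{flow.proto}: {reason} [{owner}]")
```

The check is deliberately narrow: it does not try to decrypt or classify QUIC payloads, which is exactly the visibility QUIC removes, but instead asks which process owns the UDP/443 socket, a fact the endpoint still knows.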
Salat Stealer was first observed in August 2025 and has since been documented in multiple samples targeting Windows users. It is commonly distributed as a UPX-packed executable, a compression technique often used by attackers to complicate static analysis. Once executed, the malware may disguise itself under names resembling legitimate processes, including explorer.exe, svchost.exe, lsass.exe, Lightshot.exe and Procmon.exe. That naming strategy is intended to delay manual detection during incident triage.
Persistence is achieved through registry Run key entries and scheduled tasks, enabling the malware to restart after reboot or user logon. Some samples copy themselves into trusted-looking directories, including paths under Program Files or browser-related folders. The malware has also been linked with attempts to manipulate Windows Defender exclusions, helping it remain active while harvested data is staged and transferred.
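The masquerading and persistence behaviours in the two paragraphs above lend themselves to simple triage checks: a system-process name running outside its genuine directory, a Run-key autostart or a known tool name pointing into a user-writable folder, and a Defender exclusion that covers such a folder. The following is an added example written for this article, not code from the article or from any vendor product; the record format, the expected-location table and the user-writable path markers are assumptions to be adjusted per environment.

```python
"""Triage checks for process-name masquerading, Run-key persistence and
Defender exclusion abuse, run over constructed endpoint records.
Added example; record format and location tables are assumptions."""
from pathlib import PureWindowsPath

# Names the article reports being used as disguises, mapped to the directories
# where the genuine binary lives. None marks third-party tools with no single
# canonical location (assumption: Lightshot and Procmon install paths vary).
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "lightshot.exe": None,
    "procmon.exe": None,
}
# Directory fragments that an unprivileged user can normally write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _parts(image_path):
    """Split a (possibly quoted) Windows path into lower-cased name and parent."""
    p = PureWindowsPath(image_path.strip().strip('"'))
    return p.name.lower(), str(p.parent).lower()


def in_user_writable(directory):
    return any(m in directory.lower() + "\\" for m in USER_WRITABLE_MARKERS)


def check_process(image_path):
    """Return a finding if a process image looks like a masqueraded copy, else None."""
    name, parent = _parts(image_path)
    if name not in EXPECTED_LOCATIONS:
        return None
    expected = EXPECTED_LOCATIONS[name]
    if expected is not None and parent not in expected:
        return f"{name} running from unexpected directory {parent}"
    if expected is None and in_user_writable(parent):
        return f"{name} running from user-writable directory {parent}"
    return None


def check_run_entry(value_name, command):
    """Flag Run-key autostarts that use a masquerade name or a user-writable path."""
    _, parent = _parts(command)
    finding = check_process(command)
    if finding:
        return f"Run value '{value_name}': {finding}"
    if in_user_writable(parent):
        return f"Run value '{value_name}': autostart from user-writable directory {parent}"
    return None


def check_defender_exclusion(path):
    """An exclusion over a user-writable folder blinds on-access scanning there."""
    if in_user_writable(path):
        return f"Defender exclusion covers user-writable path {path}"
    return None


def triage(records):
    """Run every record through the check matching its type; return findings."""
    findings = []
    for rec in records:
        kind = rec["type"]
        if kind == "process":
            f = check_process(rec["image"])
        elif kind == "run_key":
            f = check_run_entry(rec["name"], rec["command"])
        elif kind == "defender_exclusion":
            f = check_defender_exclusion(rec["path"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\Lightshot.exe"},
    {"type": "run_key", "name": "Updater",
     "command": r'"C:\Users\alice\AppData\Roaming\Updater\explorer.exe"'},
    {"type": "run_key", "name": "OneDrive",
     "command": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "defender_exclusion", "path": r"C:\Users\alice\AppData\Roaming"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Path-based checks like these are a first pass for triage, not proof: a genuine copy in an unexpected folder is possible, and a signature or hash check on the flagged image is the natural next step before acting on a hit.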
The most sensitive targets include browser credential stores and cryptocurrency wallet extensions such as MetaMask, Trust Wallet, Phantom and other wallet tools used inside Chromium-based browsers. For victims, theft of wallet seed phrases or private keys can mean irreversible losses, as blockchain transactions are difficult to recover once assets are moved. For companies, stolen session tokens and browser cookies can bypass some login protections and allow attackers to impersonate users even where passwords are changed quickly.
Salat Stealer’s surveillance features make it more intrusive than many commodity stealers. Keylogging captures credentials and messages that may never be saved in browsers. Clipboard theft can intercept wallet addresses or one-time passcodes copied by users. Webcam and desktop streaming give operators live intelligence on victim behaviour, documents and work environments. These capabilities place the malware closer to a post-exploitation toolkit than a simple grab-and-run stealer.
The malware-as-a-service model has widened access to such tools. Salat Stealer has been associated with Russian-speaking cybercrime communities, though no public evidence firmly ties it to a state-backed group. Its availability to lower-skilled actors increases the number of potential campaigns, while more experienced operators can use it as a foothold for fraud, data theft, extortion or lateral movement.
Initial infection routes appear to rely heavily on social engineering. Fake software cracks, game cheats, pirated tools and malicious archives remain common delivery methods for stealers because they persuade users to disable security warnings or run unsigned files. The same pattern has been seen across the wider infostealer ecosystem, where attackers exploit demand for free software and gaming utilities to reach personal and work devices.