Bundled to Steal: The Salat Stealer Campaign
Salat Stealer is a Go-based information stealer malware that performs extensive system reconnaissance and extracts sensitive data such as browser credentials, cryptocurrency wallets, and communication platform data from Discord and Steam. It includes advanced surveillance features like desktop streaming and audio/video capture via microphone and webcam. The malware is distributed notably by bundling with Xeno Executor, a gaming utility tool, enabling full system compromise. It uses sophisticated evasion techniques including disabling Windows Defender via PowerShell scripts, persistence through registry run keys, and token impersonation of lsass.exe for privilege escalation. Deployment is obfuscated using batch script and Rust-based loaders.
AI Analysis
Technical Summary
Salat Stealer is a malware written in Go that targets sensitive user data including browser credentials, cryptocurrency wallets, and communication platforms such as Discord and Steam. It performs deep system reconnaissance and supports advanced surveillance capabilities like desktop streaming and audio/video capture. The malware is distributed through campaigns bundling it with Xeno Executor, a gaming utility, thereby creating a full compromise vector. It employs multiple evasion techniques, including disabling Windows Defender features using PowerShell scripts, establishing persistence via registry run keys, and impersonating the lsass.exe token to gain elevated privileges. Loaders written in batch script and Rust further obfuscate the malware's deployment and help it bypass security controls. There is no known CVE or patch available, and no known exploits in the wild have been reported. The campaign and malware are documented by AlienVault and Splunk.
Potential Impact
The malware can lead to significant data theft including browser credentials, cryptocurrency wallets, and communication platform data, potentially resulting in account compromise and financial loss. Its advanced surveillance capabilities allow attackers to monitor victims through desktop streaming and audio/video capture, increasing privacy violations. The use of evasion and persistence techniques complicates detection and removal, potentially allowing long-term unauthorized access and control over infected systems.
Mitigation Recommendations
No official patch or fix is available as this is malware rather than a software vulnerability. Mitigation focuses on detection and prevention: avoid downloading or running untrusted software, especially gaming utilities like Xeno Executor from unofficial sources. Employ updated endpoint protection solutions capable of detecting PowerShell script abuses and suspicious token impersonation. Monitor for persistence mechanisms such as unusual registry run keys. Regularly update Windows Defender and other security tools to leverage latest detection capabilities. Since the malware disables Windows Defender features, consider layered security controls and behavioral monitoring to detect anomalous activities. Refer to vendor advisories and threat intelligence sources for updated detection signatures and indicators of compromise.
Indicators of Compromise
- hash: 60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271
- hash: 075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
- hash: 7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd
- hash: d6c7ca66c4fef2bf7c62261f58f2f6ab
- hash: 7e6f8597028e4dc2ff63ed330f989fe9dbca3093
- hash: 347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff
- hash: 742be0bf09856460bc85f9674d6914c7
- hash: 3711d405a68a926f73df57c886845a1c7928b778
- hash: 7018dc48efdf1311d644225e3c9e5f8f6d49863dbaca315f16d25473f127978d
- hash: fec793499d9df0458b611a71dda23b41ba1c28038a79924ab606937e26e77115
- domain: xenoexecutor.in
Bundled to Steal: The Salat Stealer Campaign
Description
Salat Stealer is a Go-based information stealer malware that performs extensive system reconnaissance and extracts sensitive data such as browser credentials, cryptocurrency wallets, and communication platform data from Discord and Steam. It includes advanced surveillance features like desktop streaming and audio/video capture via microphone and webcam. The malware is distributed notably by bundling with Xeno Executor, a gaming utility tool, enabling full system compromise. It uses sophisticated evasion techniques including disabling Windows Defender via PowerShell scripts, persistence through registry run keys, and token impersonation of lsass.exe for privilege escalation. Deployment is obfuscated using batch script and Rust-based loaders.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Salat Stealer is a malware written in Go that targets sensitive user data including browser credentials, cryptocurrency wallets, and communication platforms such as Discord and Steam. It performs deep system reconnaissance and supports advanced surveillance capabilities like desktop streaming and audio/video capture. The malware is distributed through campaigns bundling it with Xeno Executor, a gaming utility, thereby creating a full compromise vector. It employs multiple evasion techniques, including disabling Windows Defender features using PowerShell scripts, establishing persistence via registry run keys, and impersonating the lsass.exe token to gain elevated privileges. Loaders written in batch script and Rust further obfuscate the malware's deployment and help it bypass security controls. There is no known CVE or patch available, and no known exploits in the wild have been reported. The campaign and malware are documented by AlienVault and Splunk.
Potential Impact
The malware can lead to significant data theft including browser credentials, cryptocurrency wallets, and communication platform data, potentially resulting in account compromise and financial loss. Its advanced surveillance capabilities allow attackers to monitor victims through desktop streaming and audio/video capture, increasing privacy violations. The use of evasion and persistence techniques complicates detection and removal, potentially allowing long-term unauthorized access and control over infected systems.
Mitigation Recommendations
No official patch or fix is available as this is malware rather than a software vulnerability. Mitigation focuses on detection and prevention: avoid downloading or running untrusted software, especially gaming utilities like Xeno Executor from unofficial sources. Employ updated endpoint protection solutions capable of detecting PowerShell script abuses and suspicious token impersonation. Monitor for persistence mechanisms such as unusual registry run keys. Regularly update Windows Defender and other security tools to leverage latest detection capabilities. Since the malware disables Windows Defender features, consider layered security controls and behavioral monitoring to detect anomalous activities. Refer to vendor advisories and threat intelligence sources for updated detection signatures and indicators of compromise.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.splunk.com/en_us/blog/security/bundled-to-steal-salat-stealer-campaign.html"]
- Adversary
- null
- Pulse Id
- 6a4c3a7bc1e7623521754884
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271 | — | |
hash075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde | — | |
hash7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd | — | |
hashd6c7ca66c4fef2bf7c62261f58f2f6ab | — | |
hash7e6f8597028e4dc2ff63ed330f989fe9dbca3093 | — | |
hash347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff | — | |
hash742be0bf09856460bc85f9674d6914c7 | — | |
hash3711d405a68a926f73df57c886845a1c7928b778 | — | |
hash7018dc48efdf1311d644225e3c9e5f8f6d49863dbaca315f16d25473f127978d | — | |
hashfec793499d9df0458b611a71dda23b41ba1c28038a79924ab606937e26e77115 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainxenoexecutor.in | — |
Threat ID: 6a4d09cec9d9e3dbe34881f2
Added to database: 07/07/2026, 14:14:38 UTC
Last enriched: 07/07/2026, 14:28:24 UTC
Last updated: 07/08/2026, 00:12:43 UTC
Views: 27
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.