Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Bundled to Steal: The Salat Stealer Campaign

0
Medium
Published: 07/06/2026 (07/06/2026, 23:30:03 UTC)
Source: AlienVault OTX General

Description

Salat Stealer is a Go-based information stealer malware that performs extensive system reconnaissance and extracts sensitive data such as browser credentials, cryptocurrency wallets, and communication platform data from Discord and Steam. It includes advanced surveillance features like desktop streaming and audio/video capture via microphone and webcam. The malware is distributed notably by bundling with Xeno Executor, a gaming utility tool, enabling full system compromise. It uses sophisticated evasion techniques including disabling Windows Defender via PowerShell scripts, persistence through registry run keys, and token impersonation of lsass.exe for privilege escalation. Deployment is obfuscated using batch script and Rust-based loaders.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 14:28:24 UTC

Technical Analysis

Salat Stealer is a malware written in Go that targets sensitive user data including browser credentials, cryptocurrency wallets, and communication platforms such as Discord and Steam. It performs deep system reconnaissance and supports advanced surveillance capabilities like desktop streaming and audio/video capture. The malware is distributed through campaigns bundling it with Xeno Executor, a gaming utility, thereby creating a full compromise vector. It employs multiple evasion techniques, including disabling Windows Defender features using PowerShell scripts, establishing persistence via registry run keys, and impersonating the lsass.exe token to gain elevated privileges. Loaders written in batch script and Rust further obfuscate the malware's deployment and help it bypass security controls. There is no known CVE or patch available, and no known exploits in the wild have been reported. The campaign and malware are documented by AlienVault and Splunk.

Potential Impact

The malware can lead to significant data theft including browser credentials, cryptocurrency wallets, and communication platform data, potentially resulting in account compromise and financial loss. Its advanced surveillance capabilities allow attackers to monitor victims through desktop streaming and audio/video capture, increasing privacy violations. The use of evasion and persistence techniques complicates detection and removal, potentially allowing long-term unauthorized access and control over infected systems.

Mitigation Recommendations

No official patch or fix is available as this is malware rather than a software vulnerability. Mitigation focuses on detection and prevention: avoid downloading or running untrusted software, especially gaming utilities like Xeno Executor from unofficial sources. Employ updated endpoint protection solutions capable of detecting PowerShell script abuses and suspicious token impersonation. Monitor for persistence mechanisms such as unusual registry run keys. Regularly update Windows Defender and other security tools to leverage latest detection capabilities. Since the malware disables Windows Defender features, consider layered security controls and behavioral monitoring to detect anomalous activities. Refer to vendor advisories and threat intelligence sources for updated detection signatures and indicators of compromise.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.splunk.com/en_us/blog/security/bundled-to-steal-salat-stealer-campaign.html"]
Adversary
null
Pulse Id
6a4c3a7bc1e7623521754884
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271
hash075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
hash7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd
hashd6c7ca66c4fef2bf7c62261f58f2f6ab
hash7e6f8597028e4dc2ff63ed330f989fe9dbca3093
hash347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff
hash742be0bf09856460bc85f9674d6914c7
hash3711d405a68a926f73df57c886845a1c7928b778
hash7018dc48efdf1311d644225e3c9e5f8f6d49863dbaca315f16d25473f127978d
hashfec793499d9df0458b611a71dda23b41ba1c28038a79924ab606937e26e77115

Domain

ValueDescriptionCopy
domainxenoexecutor.in

Threat ID: 6a4d09cec9d9e3dbe34881f2

Added to database: 07/07/2026, 14:14:38 UTC

Last enriched: 07/07/2026, 14:28:24 UTC

Last updated: 07/08/2026, 00:12:43 UTC

Views: 27

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses