SilabRAT, What's Your Power?
SilabRAT is a Remote Access Trojan (RAT) offered as Malware-as-a-Service on dark web forums since late 2025. Developed by the threat actor o1oo1 and sold for $5,000 monthly, it targets credential theft and cryptocurrency operations. The malware includes features such as Hidden Virtual Network Computing (HVNC) for stealthy remote control, browser profile cloning to bypass session protections, session hijacking, keylogging, clipboard monitoring, and remote desktop capabilities. It bypasses Chrome App-Bound Encryption and uses ChaCha20-Poly1305 encryption for command-and-control communications. SilabRAT is distributed via phishing and ClickFix campaigns and is supported by a companion crypter service called AsmCrypt, which aids in evasion and execution.
AI Analysis
Technical Summary
SilabRAT is an advanced financially motivated Remote Access Trojan marketed as Malware-as-a-Service since late 2025 by the threat actor o1oo1. It focuses on stealing credentials and compromising cryptocurrency wallets through automated password cracking. Key technical capabilities include Hidden Virtual Network Computing (HVNC) for invisible remote control, browser profile cloning to evade session protections, bypassing Chrome App-Bound Encryption, session hijacking, keylogging, clipboard monitoring, and remote desktop control. The malware uses ChaCha20-Poly1305 encryption to secure its command-and-control traffic. Distribution occurs primarily through phishing and ClickFix campaigns, with infrastructure hosted by operators. The developer also offers AsmCrypt, a crypter service that complements SilabRAT by providing evasion and execution capabilities, forming a comprehensive malware bundle.
Potential Impact
SilabRAT enables attackers to gain persistent, stealthy remote access to infected systems, facilitating credential theft and unauthorized access to cryptocurrency wallets. Its ability to bypass Chrome App-Bound Encryption and perform session hijacking increases the risk of account compromise and unauthorized transactions. Keylogging and clipboard monitoring further expose sensitive information. The malware's encrypted communications and evasion techniques complicate detection and response efforts. Financial losses and data breaches are the primary impacts associated with infections.
Mitigation Recommendations
There is no specific patch or official fix available for SilabRAT, because it is malware rather than a software vulnerability. Mitigation should focus on preventing the infection vectors, phishing and ClickFix campaigns, through user awareness and email security controls. Employ endpoint detection and response solutions capable of identifying behaviors associated with SilabRAT, including HVNC activity, browser profile cloning, and session hijacking. Network monitoring for known indicators such as the IP 91.199.163.124 and the associated file hashes can aid in detection. Use updated anti-malware tools and consider blocking or monitoring traffic encrypted with ChaCha20-Poly1305 if it is otherwise suspicious; note that ChaCha20-Poly1305 is also a standard TLS cipher suite, so the cipher alone is not a reliable indicator and destination and behavior should drive the decision. Since this is a malware-as-a-service offering, maintaining strong credential hygiene and multi-factor authentication can reduce impact.
Indicators of Compromise
- ip: 91.199.163.124
- hash: 3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b
- hash: 79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5
- hash: fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623
- hash: fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
- Adversary: o1oo1
- Pulse Id: 6a2951665d658e753b489765
- Threat Score: null
Threat ID: 6a296ba0c9170919df245c12
Added to database: 6/10/2026, 1:50:24 PM
Last enriched: 6/10/2026, 2:03:22 PM
Last updated: 6/10/2026, 4:12:02 PM