
Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Medium
Published: Sat Sep 06 2025 (09/06/2025, 11:30:05 UTC)
Source: AlienVault OTX General

Description

Salat Stealer, a sophisticated Go-based infostealer targeting Windows systems, has been identified. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry run keys, and scheduled tasks for persistence and evasion. Operated under a Malware-as-a-Service model by Russian-speaking actors, it leverages resilient C2 infrastructure. The stealer targets multiple browsers, cryptocurrency wallets, and Telegram sessions. It communicates with its C2 server using UDP and HTTPS, with multiple fallback domains for redundancy. The control panel supports real-time interaction through WebSockets and includes features for remote command execution and system manipulation.

AI-Powered Analysis

Last updated: 09/08/2025, 09:46:29 UTC

Technical Analysis

Salat Stealer is a sophisticated information-stealing malware written in the Go programming language, targeting Windows operating systems. It is designed to exfiltrate sensitive data such as browser credentials, cryptocurrency wallet information, and session data from applications like Telegram. The malware employs advanced evasion and persistence techniques to maintain long-term presence on infected systems. These techniques include UPX packing to obfuscate its binary, process masquerading to disguise its execution, and the use of registry run keys and scheduled tasks (T1053.005) to ensure persistence across reboots. Salat Stealer operates under a Malware-as-a-Service (MaaS) model, primarily run by Russian-speaking threat actors known as NyashTeam and Kapchenka, which allows multiple affiliates to deploy the malware with a resilient command and control (C2) infrastructure. The C2 communication uses both UDP and HTTPS protocols, with fallback domains to maintain connectivity and avoid disruption. The control panel for the malware supports real-time interaction via WebSockets, enabling remote command execution and system manipulation, effectively functioning as a web-based remote access trojan (web RAT). The malware targets multiple popular browsers and cryptocurrency wallets, leveraging techniques such as credential dumping (T1003), token manipulation (T1555.005), and evasion tactics (T1562.001, T1564.003). Indicators of compromise include multiple hashes and domains associated with the malware’s infrastructure, such as nyash.team and salat.cn. Despite no known exploits in the wild at the time of reporting, the malware’s capabilities and MaaS model suggest a high potential for widespread abuse and targeted attacks.

Potential Impact

For European organizations, Salat Stealer poses a significant threat due to its ability to steal browser credentials and cryptocurrency wallet data, which could lead to financial losses, unauthorized access to corporate accounts, and compromise of sensitive communications (e.g., Telegram sessions). The malware’s persistence and evasion techniques make detection and removal challenging, increasing the risk of prolonged data exfiltration and lateral movement within networks. Organizations involved in financial services, cryptocurrency trading, and sectors relying heavily on web-based applications are particularly vulnerable. The MaaS model lowers the barrier for cybercriminals to deploy this malware, potentially increasing attack volume. Additionally, the use of resilient C2 infrastructure with fallback domains complicates takedown efforts and incident response. The real-time remote control capabilities allow attackers to execute arbitrary commands, potentially leading to further compromise, data destruction, or ransomware deployment. The threat is exacerbated by the malware’s targeting of Windows systems, which remain prevalent in European enterprises and government agencies.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to detect and prevent Salat Stealer infections. Specific recommendations include:

1) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying UPX-packed binaries, process masquerading, and suspicious registry run key modifications.
2) Monitor scheduled tasks for unauthorized creations or modifications, especially those linked to persistence techniques (T1053.005).
3) Implement network monitoring to detect unusual UDP and HTTPS traffic patterns, particularly connections to known malicious domains such as nyash.team and salat.cn, and block these at the firewall or DNS level.
4) Use threat intelligence feeds to update detection signatures with the provided hashes and domains.
5) Enforce strict credential hygiene, including multi-factor authentication (MFA) for browser-based and cryptocurrency wallet access to mitigate stolen credential misuse.
6) Regularly audit and restrict permissions for registry and scheduled task modifications to limit malware persistence capabilities.
7) Educate users about phishing and social engineering tactics that may be used to deliver the malware.
8) Conduct regular backups and maintain incident response plans that include procedures for malware removal and system restoration.
9) Employ application whitelisting to prevent unauthorized execution of unknown binaries.
10) Collaborate with cybersecurity communities to share indicators of compromise and stay updated on evolving threat actor tactics.
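As an added example (not part of this report or of CYFIRMA's research), the following Python check applies recommendations 3 and 4 to a DNS query log: it flags any query that equals, or is a subdomain of, one of the domains listed under Indicators of Compromise below. The log format, timestamps and client addresses are constructed for the example.

```python
"""Flag DNS queries for Salat Stealer C2 domains in a constructed log sample."""
import re
from typing import List, Optional, Tuple

# Domains taken from this report's Indicators of Compromise section.
SALAT_C2_DOMAINS = frozenset({
    "nyash.team", "pidorasina.ru", "posholnahuy.ru", "salat.cn",
    "webr.at", "webrat.ru", "webrat.su", "webrat.top",
})

# Constructed sample log (not captured traffic): "<timestamp> <client> query: <name>".
SAMPLE_DNS_LOG = """\
2025-09-08T09:00:01Z 10.1.2.10 query: www.example.org
2025-09-08T09:00:02Z 10.1.2.10 query: salat.cn
2025-09-08T09:00:03Z 10.1.2.44 query: api.webrat.top.
2025-09-08T09:00:04Z 10.1.2.44 query: notsalat.cn
2025-09-08T09:00:05Z 10.1.2.51 query: NYASH.TEAM
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query: (\S+)$")


def normalize(name: str) -> str:
    """Lowercase and strip the trailing root dot that some resolvers log."""
    return name.lower().rstrip(".")


def matched_ioc(qname: str) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of.

    Matching is label-based, so 'notsalat.cn' does not match 'salat.cn'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SALAT_C2_DOMAINS:
            return candidate
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_domain) for every hit in the log."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts, client, qname = m.groups()
        ioc = matched_ioc(qname)
        if ioc:
            hits.append((ts, client, ioc))
    return hits


if __name__ == "__main__":
    for ts, client, ioc in scan_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {ioc}")
```

The same suffix check can be pointed at a resolver's real query log, or turned into a response-policy rule to satisfy the "block at DNS level" part of recommendation 3.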


Technical Details

Author: AlienVault
TLP: white
References: https://www.cyfirma.com/research/unmasked-salat-stealer-a-deep-dive-into-its-advanced-persistence-mechanisms-and-c2-infrastructure
Adversary: NyashTeam and Kapchenka
Pulse Id: 68bc1b3d133e998d66daaa42

Indicators of Compromise


Url

http://nyash.team/
http://webrat.in/login/
https://salat.cn
https://salat.cn/sa1at

Domain

nyash.team
pidorasina.ru
posholnahuy.ru
salat.cn
webr.at
webrat.ru
webrat.su
webrat.top

Threat ID: 68bea268d5a2966cfc7e1c3a

Added to database: 9/8/2025, 9:31:20 AM

Last enriched: 9/8/2025, 9:46:29 AM

Last updated: 9/9/2025, 12:04:53 PM
