Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure
Salat Stealer, a sophisticated Go-based infostealer targeting Windows systems, has been identified. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry run keys, and scheduled tasks for persistence and evasion. Operated under a Malware-as-a-Service model by Russian-speaking actors, it leverages resilient C2 infrastructure. The stealer targets multiple browsers, cryptocurrency wallets, and Telegram sessions. It communicates with its C2 server using UDP and HTTPS, with multiple fallback domains for redundancy. The control panel supports real-time interaction through WebSockets and includes features for remote command execution and system manipulation.
AI Analysis
Technical Summary
Salat Stealer is a sophisticated information-stealing malware written in the Go programming language, targeting Windows operating systems. It is designed to exfiltrate sensitive user data including browser credentials, cryptocurrency wallet information, and Telegram session data. The malware employs advanced evasion and persistence techniques to maintain long-term access and avoid detection. These techniques include UPX packing to obfuscate its binary, process masquerading to blend in with legitimate system processes, and the use of registry run keys and scheduled tasks (T1053.005) to ensure persistence across reboots. Communication with its command and control (C2) infrastructure is conducted over UDP and HTTPS protocols, utilizing multiple fallback domains to enhance resilience and maintain connectivity even if some domains are taken down. The C2 infrastructure supports real-time interaction via WebSockets, enabling operators to execute remote commands and manipulate infected systems dynamically. Salat Stealer operates under a Malware-as-a-Service (MaaS) model, primarily run by Russian-speaking threat actors known as NyashTeam and Kapchenka, which lowers the barrier for other cybercriminals to deploy this malware. The malware targets multiple popular browsers and cryptocurrency wallets, reflecting a focus on financial theft and credential harvesting. The use of advanced persistence mechanisms such as registry run keys (T1547.001), scheduled tasks (T1053.005), and process injection or masquerading (T1057) complicates detection and removal efforts. Additionally, the malware leverages techniques like credential dumping (T1003), token manipulation (T1134), and obfuscation (T1027.002) to evade security controls and maintain stealth. Although no known exploits are currently reported in the wild for this malware, its modular and resilient design indicates a high potential for widespread impact if deployed effectively.
Potential Impact
For European organizations, Salat Stealer poses a significant threat primarily through the theft of credentials and cryptocurrency assets, which can lead to financial losses, unauthorized access to corporate and personal accounts, and potential lateral movement within networks. The targeting of browser credentials and Telegram sessions is particularly concerning for organizations relying on these platforms for communication and authentication, as stolen session tokens can bypass multi-factor authentication mechanisms. The malware's persistence and evasion capabilities increase the likelihood of a prolonged undetected presence, enabling attackers to conduct extended espionage or data exfiltration campaigns. Financial institutions, cryptocurrency exchanges, fintech companies, and enterprises with remote workforces using Telegram and browser-based authentication are at elevated risk. Additionally, the MaaS model facilitates rapid proliferation among less sophisticated threat actors, expanding the overall threat landscape. The use of UDP and HTTPS for C2 communications complicates network-based detection, and fallback domains ensure continued operation despite takedown efforts. This persistent threat could disrupt business operations, damage reputations, and lead to regulatory penalties under GDPR if personal data is compromised.
Mitigation Recommendations
European organizations should implement layered defenses tailored to the specific tactics used by Salat Stealer. First, enforce strict application control policies to prevent execution of UPX-packed and unknown Go binaries, leveraging endpoint detection and response (EDR) solutions capable of unpacking and analyzing such payloads. Monitor and restrict creation or modification of registry run keys and scheduled tasks, especially those not aligned with standard IT operations. Network defenses should include deep packet inspection and anomaly detection for unusual UDP and HTTPS traffic patterns, with particular attention to WebSocket connections to suspicious domains. Employ threat intelligence feeds to block known fallback C2 domains and IP addresses associated with Salat Stealer. Credential hygiene is critical: enforce strong, unique passwords, implement multi-factor authentication (MFA) across all services, and regularly audit active sessions in browsers and Telegram to detect unauthorized access. Endpoint monitoring should focus on detecting process masquerading and token manipulation behaviors. Incident response plans must include procedures for rapid identification and eradication of persistence mechanisms. Finally, user awareness training should highlight risks related to phishing and social engineering, common infection vectors for infostealers.
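As an added defender-side example (not code from the original report, CYFIRMA or AlienVault), the following Python triage script applies the monitoring points above to constructed Sysmon-style events: Run-key values pointing into user-writable directories, scheduled tasks created outside the Microsoft task folders, and well-known system binary names launched from outside System32. The event field names, the allow-list and the sample paths are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\Updater.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"type": "task_create", "task": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
    {"type": "task_create", "task": r"\svchost", "action": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "image": r"C:\Users\u\AppData\Roaming\svchost.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Directories an unprivileged user can write to (assumed heuristic, not exhaustive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Windows process names that should only ever load from System32 (assumed subset).
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Task folders treated as standard IT operations (assumed allow-list).
TASK_ALLOW_PREFIXES = ("\\Microsoft\\",)


def from_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def masquerading(image: str) -> bool:
    """A well-known system binary name launched from a directory other than System32."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_IMAGES and not str(p.parent).lower().endswith(r"\windows\system32")


def triage(event: dict):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    kind = event["type"]
    if kind == "registry_set" and RUN_KEY_RE.search(event["key"]):
        if from_user_writable(event["data"]):
            return f"Run-key persistence from user-writable path: {event['value']} -> {event['data']}"
    elif kind == "task_create" and not event["task"].startswith(TASK_ALLOW_PREFIXES):
        return f"non-standard scheduled task created: {event['task']}"
    elif kind == "process_create" and masquerading(event["image"]):
        return f"possible process masquerading: {event['image']}"
    return None


def findings(events=SAMPLE_EVENTS) -> list:
    """Run triage over a batch of events and keep only the findings."""
    return [f for f in map(triage, events) if f]


if __name__ == "__main__":
    for line in findings():
        print(line)
```

In production the same three checks would be fed from Sysmon Event IDs 13 (registry value set), 1 (process creation) and Security 4698 (scheduled task created) rather than from the embedded list.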
Affected Countries
Germany, United Kingdom, France, Netherlands, Poland, Italy, Spain
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.cyfirma.com/research/unmasked-salat-stealer-a-deep-dive-into-its-advanced-persistence-mechanisms-and-c2-infrastructure
- Adversary: NyashTeam and Kapchenka
- Pulse Id: 68bc1b3d133e998d66daaa42
- Threat Score: null
Threat ID: 68bea268d5a2966cfc7e1c3a
Added to database: 9/8/2025, 9:31:20 AM
Last enriched: 9/16/2025, 12:06:21 AM
Last updated: 10/30/2025, 1:01:16 AM