Deep Dive: Analyzing Salat Stealer—The Go-Based RAT Redefining C2 Resilience
Security researchers have uncovered a sophisticated new threat actor in the Windows ecosystem: Salat Stealer.
While many modern threats fall into the category of simple “infostealers” designed for quick, smash-and-grab data theft, Salat Stealer represents a significant escalation. Written in the Go (Golang) programming language, this malware functions more accurately as a full-featured Remote Access Trojan (RAT) and post-exploitation framework.
By leveraging Go’s cross-platform capabilities and high-performance networking libraries, the developers have created a tool that blends classic credential harvesting with highly stealthy, modern communication protocols. It provides operators with a comprehensive toolkit, including remote shell access, real-time desktop and webcam streaming, keylogging, and SOCKS5-based pivoting, allowing an attacker to use an infected machine as a gateway into a wider corporate network.
To avoid immediate detection during initial triage, the malware is typically distributed as a UPX-packed Windows executable. Once active, it employs process masquerading, renaming its presence to mimic essential system processes like explorer.exe, svchost.exe, or lsass.exe, effectively hiding in plain sight within the Windows Task Manager.

From a technical standpoint, the malware’s initialization is highly structured. Upon execution, it utilizes Go’s os.Executable() API to determine its own file path—a move it uses for self-replication and cryptographic operations. To protect its internal logic, it employs a complex, six-mode string decryption scheme. This includes an AES-128-GCM implementation keyed with the MD5 hash of the constant “biba,” alongside an XOR mode utilizing the hex representation of a Russian phrase, making static analysis significantly more difficult for automated tools.
Each infected host is assigned a unique 32-character “Agent ID.” This is generated by concatenating the system’s hostname and a hardware identifier (HWID) with a hardcoded salt (LDrx1ePUV27Zt8tq2S14), then processing the result through an MD5 hash. This ensures that the attacker can uniquely track and manage multiple victims within their command-and-control (C2) dashboard.
Furthermore, the malware attempts to broaden its impact through privilege escalation. A dedicated function, main_Elevate, attempts to relaunch the process with administrative rights, providing the attacker with deeper access to the OS and protected user data.
Advanced Network Evasion: Exploiting QUIC and WebSockets
One of the most striking features of Salat Stealer is its network agility. The malware is designed with modular runtime modes. For example, a -k flag enables a lightweight keylogger-only mode, while other argument configurations allow for JSON-encoded command execution or a persistent background state using named mutexes.
To bypass traditional perimeter defenses, Salat Stealer prioritizes modern, high-noise web protocols. It utilizes the quic-go and gorilla/websocket libraries to facilitate C2 communications via QUIC (HTTP/3) and WebSockets. Because these protocols are standard for modern web browsing, the malware’s traffic is much harder to distinguish from legitimate HTTPS traffic compared to older, more suspicious protocols.

If standard channels are blocked, the malware isn’t easily silenced. The C2 URLs are double-encrypted within the binary, requiring a multi-stage decryption pipeline (hex decoding followed by AES-GCM) to reveal the embedded endpoints. Most impressively, if all direct connection attempts fail, the malware pivots to the TON (The Open Network) blockchain. By querying the blockchain via DNS-over-HTTPS (DoH), it can retrieve fresh, updated C2 configurations from a smart contract verified by embedded RSA public keys. This “blockchain-backed” C2 makes traditional domain takedowns nearly impossible.
Exfiltration and Persistence Mechanisms
Before sending its first beacon, Salat Stealer performs comprehensive system reconnaissance using WMI (Windows Management Instrumentation). It gathers hardware specs (CPU, GPU, RAM), OS details, and the status of the current user. This telemetry is packed into a JSON object, encrypted, and sent to the C2, allowing the attacker to prioritize high-value targets (such as those on administrative accounts or high-spec workstations).
Once the connection is established, the exfiltration engine begins its work. It targets:
- Browser Data: Chromium and Gecko-based browser credentials, including secrets decrypted via DPAPI.
- Session Tokens: Discord and Steam tokens to hijack active sessions.
- Financial Data: Cryptocurrency wallets and sensitive local files.
- Live Intelligence: Real-time screenshots and process lists.

To ensure it survives a system reboot, Salat Stealer employs a “triple-threat” persistence strategy:
- Copying the binary to hidden system directories.
- Creating scheduled tasks that trigger at logon and every 30 minutes.
- Modifying the Windows Registry (
HKCU\...\Runkeys) for automatic execution.
Defensive Takeaways: To combat Salat Stealer, security teams should move beyond simple file hashing. Focus on behavioral EDR detections—specifically monitoring for suspicious scheduled tasks, unusual process masquerading (e.g., svchost.exe running from a non-standard path), and heightened scrutiny of QUIC and WebSocket traffic. Additionally, monitoring for unexpected DNS-over-HTTPS queries to blockchain-related domains may provide an early warning of a highly resilient infection.