Deep Dive: Deconstructing SLOTAGENT, a Sophisticated New Remote Access Trojan
In early 2026, security researchers at IIJ uncovered a highly evasive Remote Access Trojan (RAT) dubbed SLOTAGENT. Originally identified within a suspicious ZIP archive uploaded from Japan to a public malware repository, this threat represents a significant leap in modularity and anti-forensic engineering, making it a formidable opponent for traditional endpoint detection systems.
Unlike “noisy” malware that relies on obvious persistence mechanisms, SLOTAGENT utilizes a multi-stage, memory-resident execution chain designed to bypass static signature-based defenses.
The Infection Chain: From ZIP to Memory
The initial infection vector is a seemingly innocuous ZIP archive. Upon extraction, the user is presented with a malicious executable, WindowsOobeAppHost.AOT.exe. This file serves as the primary loader, which immediately pulls in a secondary component: WindowsOobeAppHost.AOT.dll. The DLL exports a specific function, __managed__Main, which acts as the entry point for the malware’s core logic.

To evade sandbox environments, SLOTAGENT employs advanced API Hashing. Rather than calling Windows APIs directly—which leaves a clear footprint in the Import Address Table (IAT)—the loader dynamically resolves function addresses at runtime. It utilizes a custom algorithm combining XOR operations and ROR11 (Rotate Right 11) bit rotation to obfuscate its calls.
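API hashing only hides the names from the import table; an analyst who recovers the hash routine can precompute the hash of every export in the target DLLs and map the constants in the disassembly back to names. The script below is an added example, not IIJ's tooling or the malware's own code. The exact SLOTAGENT routine is not published on this page, so the form used here (rotate the running hash right by 11, then XOR in the next byte) is an assumption chosen only to show the workflow; swap in the recovered routine when reversing a real sample.

```python
# Added example (not from the IIJ write-up): build a lookup table of hashed
# export names so hash constants found in a loader can be resolved to names.
# ASSUMPTION: the hash is h = ror32(h, 11) ^ byte over the ASCII name; the
# real SLOTAGENT routine is not given on this page.

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str, rot: int = 11, seed: int = 0) -> int:
    """Assumed ROR-then-XOR hash over the export name."""
    h = seed
    for b in name.encode("ascii"):
        h = ror32(h, rot) ^ b
    return h


def build_hash_table(export_names, rot: int = 11, seed: int = 0) -> dict:
    """Map hash -> name for every export (in practice, every export of the
    DLLs the loader is expected to resolve from)."""
    table = {}
    for name in export_names:
        h = api_hash(name, rot, seed)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(hashes, table: dict) -> dict:
    """Resolve hash constants pulled from a disassembly; unknown hashes are
    kept so the analyst can see what is still unresolved."""
    return {h: table.get(h, "<unknown>") for h in hashes}


# Constructed sample: a few export names an in-memory loader typically needs.
SAMPLE_EXPORTS = ["NtCreateThreadEx", "VirtualAlloc", "LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for h, name in sorted(table.items()):
        print(f"{h:#010x}  {name}")
```

In a real case the export list comes from the target DLLs' export directories (pefile or similar), and the table is used to rename the hash constants in the disassembler.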
Once the environment is deemed “safe,” the malware proceeds to decrypt a configuration file named db.config using the RC4 stream cipher. This file contains the highly sensitive instructions required to execute the final payload as shellcode via low-level NtCreateThreadEx calls, ensuring as much of the attack as possible remains in volatile memory.
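Because RC4 is a symmetric stream cipher, decrypting a captured db.config needs only the key recovered from the loader and a reference implementation. The following is an added example, not the researchers' or the malware's code. The key and the config blob are constructed placeholders; the real key is not given on this page. The plausibility check is useful when several candidate keys are pulled from the binary and an analyst wants to know which one produced text rather than noise.

```python
# Added example (not from the IIJ write-up): RC4 reference routine plus a
# plausibility check for candidate keys. SAMPLE_KEY and SAMPLE_PLAINTEXT are
# CONSTRUCTED; the real key and config contents are not on this page.


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-byte state from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def decrypt_config(key: bytes, blob: bytes, threshold: float = 0.9):
    """Decrypt a config blob; returns (plaintext, plausible) where plausible
    is True when the output looks like text, i.e. the key is probably right."""
    plain = rc4_crypt(key, blob)
    return plain, printable_ratio(plain) >= threshold


# Constructed sample: an analyst-chosen key and a config encrypted with it
# (192.0.2.10 is a documentation address, not the real C2).
SAMPLE_KEY = b"placeholder-key"
SAMPLE_PLAINTEXT = b'{"c2":"192.0.2.10:699","path":"/api/v1/stream/data"}'
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    text, ok = decrypt_config(SAMPLE_KEY, SAMPLE_BLOB)
    print(ok, text)
```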
Post-Exploitation and C2 Orchestration
The ultimate payload, internally identified as agent_tcp.dll, establishes a persistent connection to a hardcoded Command-and-Control (C2) server at 43.156.59[.]110:699. The communication protocol is particularly clever; while it operates over TCP, the traffic is structured to mimic legitimate, serialized HTTP-like streams to blend in with standard web traffic.
Each communication packet follows a rigid structure to ensure reliable command execution:
- Length Header: A 4-byte field indicating the size of the subsequent data.
- Path Context: A URI-style string (e.g., /api/v1/stream/data) to masquerade as API traffic.
- JSON Payload: A structured data block containing the actual command or telemetry.
- Delimiter: A specific byte sequence to terminate the transmission.
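The framing above is regular enough to be parsed, which is what makes it detectable on the wire despite the HTTP-like disguise; this also serves the Network Monitoring recommendation in the Summary. The parser below is an added example, not IIJ's code. The page gives the field order but not the byte-level details, so a little-endian length covering everything after the header, a NUL byte separating the path from the JSON, and the delimiter value are assumptions; the sample frames are constructed.

```python
import json
import struct

# Added example (not from the IIJ write-up): parser and detection heuristic
# for the length-header / URI path / JSON / delimiter framing. ASSUMED
# details: little-endian length, NUL between path and JSON, delimiter below.
DELIM = b"\r\n\r\n"  # placeholder terminator; the real byte sequence is not on this page
HTTP_PORTS = {80, 443, 8080}


def build_frame(path: str, payload: dict) -> bytes:
    """Assemble one frame in the assumed layout (used here to build sample traffic)."""
    body = (path.encode("ascii") + b"\x00"
            + json.dumps(payload, separators=(",", ":")).encode() + DELIM)
    return struct.pack("<I", len(body)) + body


def parse_frames(stream: bytes):
    """Walk a reassembled TCP payload and collect (path, payload) per frame.
    Returns (frames, leftover); leftover holds bytes that did not fit the layout."""
    frames = []
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from("<I", stream, pos)
        end = pos + 4 + length
        if length == 0 or end > len(stream):
            break  # truncated, or not a frame at all
        body = stream[pos + 4:end]
        if not body.endswith(DELIM):
            break
        path, sep, raw_json = body[:-len(DELIM)].partition(b"\x00")
        if not sep or not path.startswith(b"/"):
            break
        try:
            payload = json.loads(raw_json)
        except ValueError:
            break
        frames.append((path.decode("ascii", "replace"), payload))
        pos = end
    return frames, stream[pos:]


def is_suspicious(frames, dst_port: int) -> bool:
    """Monitoring heuristic: length-prefixed, URI-tagged JSON frames carried
    over a port that is not a normal web port."""
    return bool(frames) and dst_port not in HTTP_PORTS


# Constructed sample stream: two benign-looking frames followed by unrelated bytes.
SAMPLE_STREAM = (
    build_frame("/api/v1/stream/data", {"cmd": "ping"})
    + build_frame("/api/v1/stream/data", {"type": "telemetry", "host": "WS01"})
    + b"junk"
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for path, payload in frames:
        print(path, payload)
    print("suspicious:", is_suspicious(frames, 699), "leftover:", rest)
```

Once the real field encoding is confirmed from a capture, only `build_frame`/`parse_frames` need adjusting; the port check and the "parses as JSON behind a URI path" test are what a sensor rule would key on.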

The command set available to the attacker is expansive, suggesting SLOTAGENT is intended for professional-grade espionage. Capabilities include remote shell access, file system manipulation, memory dumping, and even the execution of Beacon Object Files (BOF)—a technique popularized by Cobalt Strike for running modular code in memory.
Anti-Analysis and Defensive Countermeasures
SLOTAGENT’s developers have prioritized stealth. Beyond API hashing, they implement string encryption using a variation of the Tiny Encryption Algorithm (TEA). This ensures that critical indicators—such as command names and C2 URLs—remain invisible to static strings analysis tools.

To assist the broader security community, researchers have released an IDA Python script designed to automate the decryption of these strings. This allows analysts to bypass the TEA-like obfuscation and quickly identify the malware’s intent during an incident response workflow.
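For analysts who want to verify decrypted strings outside IDA, or who are working on a variant the released script does not cover, a standalone TEA implementation is the starting point. The code below is an added example, not the researchers' IDA Python script and not the malware's routine. SLOTAGENT uses a variation of TEA whose exact changes are not described on this page, so standard TEA constants, 32 rounds and little-endian word order are assumptions here; the key and strings are constructed.

```python
import struct

# Added example (not from the IIJ write-up): standard TEA block cipher as a
# reference for checking string decryption. ASSUMPTION: standard delta,
# 32 rounds, little-endian words; the malware's variant may differ.
DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
ROUNDS = 32


def tea_encrypt_block(v0: int, v1: int, k) -> tuple:
    """Encrypt one 64-bit block (two uint32 halves) with a 4-word key."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, k) -> tuple:
    """Inverse of tea_encrypt_block: undo the rounds in reverse order."""
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def _key_words(key: bytes) -> tuple:
    if len(key) != 16:
        raise ValueError("TEA key must be 16 bytes")
    return struct.unpack("<4I", key)


def tea_encrypt(key: bytes, data: bytes) -> bytes:
    """Zero-pad to a multiple of 8 and encrypt block by block (builds samples)."""
    k = _key_words(key)
    data = data + b"\x00" * (-len(data) % 8)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt_string(key: bytes, blob: bytes) -> bytes:
    """Decrypt whole blocks and strip the zero padding (so strings that
    legitimately end in NUL bytes lose them; fine for C-style strings)."""
    if len(blob) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(blob), 8):
        v0, v1 = struct.unpack_from("<2I", blob, off)
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out).rstrip(b"\x00")


SAMPLE_KEY = bytes(range(16))  # constructed key
SAMPLE_STRINGS = [b"NtCreateThreadEx", b"/api/v1/stream/data", b"shell"]

if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        enc = tea_encrypt(SAMPLE_KEY, s)
        print(enc.hex(), "->", tea_decrypt_string(SAMPLE_KEY, enc))
```

When adapting this to a variant, the usual places the authors change are the delta constant, the round count, the key/word endianness and the shift amounts; diff the recovered routine against the two block functions above.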
Summary and Recommendations
The emergence of SLOTAGENT underscores a trend toward highly modular, memory-only payloads that leverage legitimate system processes to hide. Organizations should focus on the following defensive postures:
- Network Monitoring: Watch for unusual outbound TCP traffic on non-standard ports, specifically looking for structured JSON payloads mimicking HTTP.
- Behavioral Analysis: Prioritize detection of suspicious NtCreateThreadEx calls and unexpected memory allocations (RWX).
- Endpoint Hardening: Implement strict policies regarding the execution of unsigned DLLs and monitor for “time stomping” (timestamp tampering) used for anti-forensics.
Technical Indicators of Compromise (IOCs)
| SHA256 Hash | Component Description |
|---|---|
| e62bbb6d100cac48018170a991f34dddfcbd0ca2b8f020800f97c85ef690e41b | Primary ZIP archive (Initial Delivery) |
| 97e0714ee7279feb558aa38ab9d4c279731d3000c501aff7ad5c2967c3cb987f | Encrypted configuration (db.config) |
| c1681d3aae736585c1dd656fe3ad66dafd3712ad4125e09fc97a4f1e5f367548 | Malicious Loader (WindowsOobeAppHost.AOT.dll) |
| a9c46b67ff938930b16b377df9ddf86f3a56ef9876267387f30299a069c98472 | SLOTAGENT Core Payload (In-Memory) |