SalatStealer's New Trick: Using TON Blockchain DNS to Make C2 Takedowns Impossible

Published: 2026-03-15 | Author: BGI | Investigation Date: 2026-03-15
Severity: medium | Category: Ransomware
Tags: ransomware, social-engineering, credential-theft, c2, supply-chain, exploit, dga, apt

TL;DR

A fresh SalatStealer sample (yesamsevo.exe) ships with a previously undocumented capability: resolving its C2 server address via TON blockchain DNS using tonutils-go. The C2 endpoint lives in a smart contract on The Open Network -- not in a plaintext config string, not behind a DGA, not in a pastebin dead drop. In a blockchain. You cannot DMCA a blockchain. You cannot sinkhole a blockchain. The operator, Russian MaaS group NyashTeam, has built infrastructure across two bare-metal servers in Rostov-na-Donu and Moscow, both running the Russian Nginx fork Angie, sharing an identical SSH configuration fingerprint, and protected behind Cloudflare. Their OPSEC is otherwise mediocre: a shared TLS certificate ties their domains together, their registrar is consistently BEGET-RU, and their Cloudflare nameserver pair links the operator panel nyash.team directly to the C2 domain wrat.in. But the TON DNS trick is genuinely novel, and it means traditional domain-based disruption strategies are insufficient against this variant.


The Sample

The binary arrived as yesamsevo.exe -- a 12.3MB PE32 GUI executable built with Go 1.24.0 under the module name salat. First seen 2026-03-15. It is a 32-bit Windows binary with CGO_ENABLED=0 and -trimpath=true, compiled directly from source in devel mode (no tagged release).

The first thing any analyst will notice: the file utility reports UPX compression. The PE sections are labeled UPX0, UPX1, UPX2. But run upx -d and you get NotPackedException: not packed by UPX. The section names are fake -- a social engineering artifact targeting analysts who stop at file output and assume the binary needs unpacking before analysis. The actual Go code sits in plaintext within the PE sections. It is a surprisingly effective filter: automated analysis pipelines that attempt UPX decompression will error out and deprioritize the sample.

Field        Value
SHA256       8651bf3f8f38d547530e0dcdd89da904e14ee7bd87c05f5ff429038ba73013ef
MD5          c3e58740b2f61e4eea92697ceeff06dc
SHA1         ffb12e074516427a3060f1ea1bcc0817e17a4d7f
File Size    12,924,928 bytes (12.3 MB)
Language     Go 1.24.0
Build ID     SsYj-TjQpFG0xys3EB0w/GhtEZzFz4hL1_TGoW1Af/YeNMb-kA-2Fl8voOf4QJ/v4LXu5AUXqJHAiiDZbxA
Module       salat (devel)
Family       SalatStealer / WebRAT

The TON Blockchain C2 Mechanism

This is the finding that matters. SalatStealer has been documented before -- CYFIRMA, DeXpose, vx-underground, and others have published analyses. But no prior report describes this capability, because it was not present in earlier variants.

The binary imports github.com/xssnick/tonutils-go v1.16.0 and implements two functions: main.tonResolve and main.tryTonResolve. The resolution flow works like this:

Victim
  |
  +---> tonResolve("c2server.ton") via TON blockchain DNS
  |       (xssnick/tonutils-go --> TON liteserver API)
  |
  +---> Fallback: DoH query to https://1.1.1.1/dns-query?name=<domain>
  |       (DNS-over-HTTPS via Cloudflare)
  |
  +---> WebSocket (WSS) connect to resolved C2
  |       (gorilla/websocket v1.5.3)
  |
  +---> QUIC (HTTP/3) channel for bulk data exfiltration
          (quic-go v0.38.1)

TON DNS is a decentralized naming system built on The Open Network blockchain. Domain records are stored in smart contracts. When SalatStealer calls tonResolve, it queries a TON liteserver for the DNS record associated with a .ton domain. The smart contract returns the current C2 IP or hostname. The operator can update this record at any time by interacting with the smart contract -- instant, global C2 rotation with no registrar involvement, no DNS propagation delay, and no takedown mechanism available to law enforcement or security researchers.

The fallback chain is equally hardened. If TON resolution fails, the malware queries Cloudflare's DNS-over-HTTPS endpoint. The actual C2 connection uses WebSocket over TLS for command-and-control, and QUIC (HTTP/3) for bulk data exfiltration -- two protocols that blend into legitimate traffic and are difficult to inspect at the network level.

A tloop function implements a polling loop that periodically re-resolves via TON, meaning the operator can rotate infrastructure mid-campaign and all infected hosts will follow within one polling interval. This is Fast Flux DNS with the blockchain as the authoritative server.

Why This Matters

Traditional C2 disruption relies on three levers: domain seizure, DNS sinkholing, and hosting provider abuse reports. TON blockchain DNS neutralizes all three:

  • Domain seizure: There is no registrar. The domain is a smart contract on a decentralized blockchain.
  • DNS sinkholing: There are no authoritative nameservers to redirect. Resolution happens via direct blockchain queries.
  • Hosting abuse reports: The C2 address is stored on-chain, not in any hosting provider's infrastructure.

The only remaining options are blocking the TON liteserver IPs (which are numerous and change), or detecting the malware's behavior on the endpoint. Network-based controls are effectively bypassed.


Full Capability Analysis

SalatStealer is not just a stealer -- it is a full RAT with modular capabilities that would make some commercial red team tools envious. The function table recovered from the Go binary reveals nine distinct capability clusters.

Credential Theft

The stealer targets every major browser family. Chromium-based browsers get the full treatment: DPAPI master key decryption, AES-GCM cookie/password decryption, and -- critically -- a GetAppBoundKey function that bypasses Chrome v127+'s App-Bound Encryption via the IElevator COM interface. This is the latest Chrome hardening, and SalatStealer already defeats it.

Firefox gets parallel treatment through NSS master key derivation with ASN.1 PBE parsing, 3DES and AES decryption paths, and proper PKCS5 unpadding.

Targeted Chromium browsers (28 total): Chrome, Brave, Edge, Vivaldi, Opera GX, Thorium, Iridium, Slimjet, CocCoc, Maxthon, and 18 others including obscure forks like K-Melon, Coowon, and DCBrowser.

Targeted Gecko browsers (6 total): Firefox, Waterfox, Cyberfox, SeaMonkey, IceDragon, Pale Moon.

Crypto Wallet Theft

Twenty-eight wallets are targeted across every major chain: MetaMask, Phantom, Electrum, Coinbase, Binance Wallet, Keplr, Nami, MyMonero, Jaxx Liberty, Coinomi, Enkrypt, Safepal, TokenPocket, SuiWallet, Temple (Tezos), and more. The inclusion of TonKeeper and MyTonWallet alongside the TON blockchain C2 mechanism is not a coincidence -- this operator lives in the TON ecosystem.

RAT Capabilities

The wsSess (WebSocket session) struct implements a full remote access toolkit:

main.(*wsSess).execCommand      -- Arbitrary shell execution
main.(*wsSess).startShell       -- Interactive reverse shell
main.(*wsSess).ffdesktop        -- Real-time screen streaming via ffmpeg
main.(*wsSess).ffwcam           -- Webcam capture
main.(*wsSess).ffwmic           -- Microphone capture
main.(*wsSess).sepDesktop       -- Hidden desktop (separate window station)
main.(*wsSess).p2p              -- P2P proxy relay

The sepDesktop function creates a hidden window station (winsta0\default), allowing the operator to interact with the victim's desktop without the victim seeing anything on their screen. Combined with ffdesktop for real-time streaming, this is a complete hands-on-keyboard capability.

SOCKS5 Proxy

Every infected host becomes a SOCKS5 proxy node:

main.(*socks5Conn).Serve        -- SOCKS5 server
main.(*socks5Conn).handshake    -- SOCKS5 auth
main.proxySocks                 -- SOCKS5 proxy listener
main.p2pSocks                   -- P2P SOCKS relay

This is the MaaS upsell. NyashTeam is not just selling credential theft -- they are selling a residential proxy network built from their victims' machines.

Keylogger

main.runKeylogger               -- Start capture
main.keyPressCallback           -- SetWindowsHookEx WH_KEYBOARD callback
main.windowChangeCallback       -- Active window change (context labeling)

The windowChangeCallback is a nice touch -- it labels each keystroke sequence with the active window title, so the operator gets context like "user typed 'password123' while focused on 'Chase Bank - Login'."

Privilege Escalation

main.Elevate                    -- UAC bypass
main.DuplicateUserTokenFromSessionID  -- WTS token duplication
main.getSystemToken             -- SYSTEM token acquisition
main.NtQuerySystemHandles       -- Handle enumeration (LSASS targeting)
main.findLsassProcess           -- LSASS process location

The escalation chain goes from standard user to SYSTEM via token duplication, then targets LSASS for credential dumping via NtQuerySystemHandles. This is not a commodity stealer technique -- this is post-exploitation tradecraft.

Embedded Cryptographic Material

A 256-bit key is embedded in the binary's string table:

Base64:  sxxuJBrIRnKNqcH6xJNmUc/7lE0UOrgWJ2vMbaAoR4c=
Hex:     b31c6e241ac846728da9c1fac4936651cffb944d143ab816276bcc6da0284787

Its position adjacent to C:\Windows\Sysnative\restore\MachineGuid.txt in the string table suggests it is used for binding encrypted payloads to the victim's hardware identity -- a technique that prevents sandbox detonation of exfiltrated archives.


Kill Chain

Delivery comes via fake CVE PoC repos on GitHub or weaponized Telegram channels. On execution the chain runs as follows:

  • Execution: mutex check (checkDupe), UAC bypass (Elevate), persistence via registry Run key and Task Scheduler.
  • Privilege escalation: IElevator COM, token duplication, and LSASS handle enumeration.
  • Collection: 34 browsers, 28 crypto wallets, Telegram/Discord/Steam tokens, keylogger with window context, screenshots, and clipboard.
  • Exfiltration: compressed to sent.zip, shipped over WSS and QUIC.
  • C2 resolution: TON blockchain (primary) with Cloudflare DoH fallback.
  • Cleanup: selfDelete() and the remote Suicide() command.


Infrastructure & Attribution

NyashTeam

The operator is NyashTeam -- a Russian-speaking MaaS group active since approximately 2022, selling SalatStealer (marketed as "WebRAT") for around 1,199 RUB/month (~$13 USD). They also distribute DCRat. CERT-F6 disrupted 110+ of their domains in July 2025, but the group rebuilt within months using the same registrar and hosting patterns.

Infrastructure Map

Two origin servers, both in Russia, both running identical configurations:

IP               Location          ASN                     Web Server   SSH HASSH
85.198.98.75     Rostov-na-Donu    AS43429 OOO MediaSeti   Angie        425d29fe50d8e4f5e37efb6e24bcf660
85.117.234.216   Moscow            FreeNet L.L.C-FZ        Angie        425d29fe50d8e4f5e37efb6e24bcf660

Both servers run Angie -- the Russian fork of Nginx, developed by Nginx's original Russian engineering team after the F5 Networks acquisition. Both run Debian 12 with OpenSSH 9.2p1. Both return HTTP 404 on direct IP access (hostname-based routing only). And both share the exact same HASSH fingerprint (425d29fe50d8e4f5e37efb6e24bcf660), which means the same operator deployed them from the same automation playbook.

The domain infrastructure fans out behind Cloudflare:

BEGET-RU registrar (all .ru domains)
+-- sa1at.ru (registered 2026-01-22)
|   +-- Origin: 85.198.98.75 (Rostov)
|   +-- TLS SAN: sa1at.ru + wrat.in  <-- SHARED CERT
|
+-- webrat.ru (registered 2026-02-17)
    +-- Cloudflare CDN

Cloudflare NS pair: josephine.ns + marty.ns
+-- nyash.team   (operator panel)
+-- wrat.in      (active C2)
|   +-- 85.117.234.216 (Moscow)
|   +-- 85.198.98.75   (Rostov)
|
+-- salat.cn (cert issued 2026-02-28)
+-- webrat.top

Certificate Transparency Timeline

Cert issuance dates trace the infrastructure buildout: sa1at.ru (2026-01-22), webrat.ru (2026-02-17), wrat.in (2026-02-27), salat.cn (2026-02-28). Five weeks from first cert to full deployment -- consistent with a rebuild after the CERT-F6 disruption in July 2025.


The OPSEC Failures

NyashTeam invested in a genuinely novel C2 resolution mechanism and then undermined it with basic operational mistakes.

1. The shared TLS certificate. The cert on 85.198.98.75 covers both sa1at.ru and wrat.in in its Subject Alternative Names. Any researcher who pulls the cert from one domain immediately discovers the other. This is OPSEC 101 -- one cert per domain, always.

2. The Cloudflare nameserver pair. Both nyash.team (the operator's team site) and wrat.in (the active C2) share the Cloudflare nameserver pair josephine.ns and marty.ns. Cloudflare assigns nameserver pairs per account. Same pair means same Cloudflare account. The operator's branding site is directly linked to the C2 infrastructure through a shared billing relationship.

3. BEGET-RU for everything. Every .ru domain in the campaign was registered through BEGET-RU. A single registrar subpoena or abuse report reveals the entire portfolio. After CERT-F6 took down 110+ domains in July 2025, NyashTeam rebuilt using the same registrar. They did not learn.

4. The domain names. Active and historical C2 domains include posholnahuy.ru and pidorasina.ru -- vulgar Russian slang. These domains are immediately flagged by any content filter and stand out in DNS logs. This is the operational security equivalent of spray-painting your name on the getaway car.

5. The salat module name. The binary was compiled in devel mode without proper build stripping. The Go module name salat is embedded in the binary metadata alongside the full build ID. The -trimpath flag strips source file paths but does not strip the module name. Every sample is self-attributing.
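The pivots in points 1 to 3 above can be applied mechanically. The following is an added example (not the report's tooling and not NyashTeam's code) that clusters domains with union-find over shared certificate SAN set, shared Cloudflare nameserver pair and shared origin IP, and separately groups the weaker registrar pivot. The records are constructed from the values in this report, plus an assumed unrelated decoy domain (decoy.example on 203.0.113.9) to show that it stays unlinked.

```python
from collections import defaultdict

# Constructed pivot records (added example). Each record holds the observables an
# analyst can pull for a domain: origin IPs, the SAN set of the cert it serves,
# its Cloudflare nameserver pair, and its registrar. Values come from the report;
# decoy.example and 203.0.113.9 are assumed, unrelated filler.
RECORDS = {
    "sa1at.ru":   {"origin_ips": ("85.198.98.75",),
                   "cert_san": ("sa1at.ru", "wrat.in"), "registrar": "BEGET-RU"},
    "wrat.in":    {"origin_ips": ("85.117.234.216", "85.198.98.75"),
                   "cert_san": ("sa1at.ru", "wrat.in"), "ns": ("josephine.ns", "marty.ns")},
    "nyash.team": {"ns": ("josephine.ns", "marty.ns")},
    "webrat.ru":  {"registrar": "BEGET-RU"},
    "decoy.example": {"origin_ips": ("203.0.113.9",), "ns": ("ns1.example", "ns2.example")},
}

def pivot_keys(rec: dict) -> list:
    """Strong pivots: each key is an artefact that two domains share only under one operator."""
    keys = []
    if rec.get("cert_san"):
        keys.append(("cert", tuple(sorted(rec["cert_san"]))))   # same cert, same origin
    if rec.get("ns"):
        keys.append(("ns_pair", tuple(sorted(rec["ns"]))))      # same Cloudflare account
    for ip in rec.get("origin_ips", ()):
        keys.append(("origin_ip", ip))
    return keys

def cluster(records: dict):
    """Union-find over strong pivots; returns (clusters, edges explaining each link)."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    index = defaultdict(list)
    for dom, rec in records.items():
        for key in pivot_keys(rec):
            index[key].append(dom)
    edges = []
    for (pivot, value), doms in index.items():
        for other in doms[1:]:                 # every later holder links to the first
            edges.append((doms[0], other, pivot, value))
            parent[find(other)] = find(doms[0])
    groups = defaultdict(set)
    for dom in records:
        groups[find(dom)].add(dom)
    return sorted(sorted(g) for g in groups.values()), edges

def by_registrar(records: dict) -> dict:
    """Weak pivot: a shared registrar is not proof of one operator, but it scopes an abuse report."""
    out = defaultdict(list)
    for dom, rec in records.items():
        if rec.get("registrar"):
            out[rec["registrar"]].append(dom)
    return dict(out)

if __name__ == "__main__":
    clusters, edges = cluster(RECORDS)
    print(clusters, edges, by_registrar(RECORDS), sep="\n")
```

The edges list records which artefact produced each link, so the panel-to-C2 connection is explained (nyash.team reaches wrat.in only through the nameserver pair) rather than merely asserted.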


Campaign Context

Distribution via Fake CVE PoCs (NyashTeam, Dec 2025 -- present)

NyashTeam has been distributing SalatStealer through 15+ fake CVE proof-of-concept repositories on GitHub:

github[.]com/RedFoxNxploits/CVE-2025-10294-Poc
github[.]com/FixingPhantom/CVE-2025-10294
github[.]com/DExplo1ted/CVE-2025-12596-Exploit
github[.]com/h4xnz/CVE-2025-55234-POC

These repos target security researchers and penetration testers who download and execute PoC code -- a supply chain attack against the security community itself.

UAC-0252 Campaign (Jan--Feb 2026)

SalatStealer was deployed alongside three other tools in a campaign targeting Ukraine, tracked as UAC-0252:

  • SHADOWSNIFF -- secondary credential stealer
  • DEAFTICK -- surveillance module
  • AVANGARD ULTIMATE v6.0 -- ransomware

Initial vector: CVE-2025-8088 (WinRAR path traversal) distributed via the PalachPro Telegram channel.

Scale

MalwareBazaar reports 860+ SalatStealer samples tagged as of 2026-03-15. This is not a boutique operation -- it is industrial-scale MaaS.


IOCs

File Indicators

Type                 Value
SHA256               8651bf3f8f38d547530e0dcdd89da904e14ee7bd87c05f5ff429038ba73013ef
MD5                  c3e58740b2f61e4eea92697ceeff06dc
SHA1                 ffb12e074516427a3060f1ea1bcc0817e17a4d7f
Go Build ID          SsYj-TjQpFG0xys3EB0w/GhtEZzFz4hL1_TGoW1Af/YeNMb-kA-2Fl8voOf4QJ/v4LXu5AUXqJHAiiDZbxA
Embedded Key (b64)   sxxuJBrIRnKNqcH6xJNmUc/7lE0UOrgWJ2vMbaAoR4c=
Embedded Key (hex)   b31c6e241ac846728da9c1fac4936651cffb944d143ab816276bcc6da0284787

Network Indicators -- Active C2

Indicator        Type                     Confidence
sa1at.ru         Domain                   HIGH
wrat.in          Domain                   HIGH
webrat.ru        Domain                   HIGH
webrat.top       Domain                   MEDIUM
salat.cn         Domain                   MEDIUM
nyash.team       Domain (operator)        HIGH
85.198.98.75     IPv4 (Rostov, AS43429)   HIGH
85.117.234.216   IPv4 (Moscow, FreeNet)   HIGH
157.22.174.200   IPv4 (wrat.in rotated)   MEDIUM

Network Indicators -- Historical / Campaign-Linked

Indicator        Type      Notes
posholnahuy.ru   Domain    Fallback C2 (historical)
pidorasina.ru    Domain    Fallback C2 (historical)
webrat.su        Domain    Historical C2
webrat.in        Domain    Historical panel
uffyaa.ru        Domain    Historical C2

Host Indicators

Type        Value                                          Purpose
Registry    HKCU\...\CurrentVersion\Run                    Persistence
Registry    HKLM\...\Cryptography\MachineGuid              HWID fingerprint
File Path   C:\Program Files (x86)\Windows NT\             Masquerade install
File Path   C:\Windows\Sysnative\restore\MachineGuid.txt   HWID fallback
File Path   %APPDATA%\Telegram Desktop\tdata\              Telegram theft
File Path   %APPDATA%\discord\                             Discord theft

Behavioral Strings

steal finished!        LOG SENT!           SSLPIN DISABLED
got dExec code:        AES ERROR           WRONG LEN
found tg:// url        found tg process    UINFO ERR

MITRE ATT&CK Mapping

Technique                            ID          Implementation
Command and Scripting Interpreter    T1059.001   shellCommand, execCommand
Scheduled Task                       T1053.005   capnspacehook/taskmaster
Registry Run Keys                    T1547.001   HKCU\...\CurrentVersion\Run
Credentials from Web Browsers        T1555.003   DPAPI + AES-GCM + App-Bound key bypass
Credentials from Password Stores     T1555.001   DPAPI CryptUnprotectData
Steal Web Session Cookie             T1539       Chromium + Gecko cookie decryption
Steal Application Access Token       T1528       Discord, Steam, Chrome OAuth
Screen Capture                       T1113       GDI/BitBlt + ffmpeg streaming
Clipboard Data                       T1115       GetClipboardData
Keylogging                           T1056.001   SetWindowsHookEx WH_KEYBOARD
Video Capture                        T1125       ffmpeg webcam capture
Audio Capture                        T1123       ffmpeg microphone capture
LSASS Memory                         T1003.001   NtQuerySystemHandles + LSASS targeting
Access Token Manipulation            T1134       DuplicateUserTokenFromSessionID
Token Impersonation                  T1134.001   impersonateSystem, getSystemToken
Bypass UAC                           T1548.002   Elevate, IElevator COM
Obfuscated Files                     T1027       Fake UPX headers, -trimpath
System Information Discovery         T1082       GetHWID, WMI, getDrives
Process Discovery                    T1057       PROCESSENTRY32 enumeration
Exfiltration Over C2 Channel         T1041       WebSocket + QUIC
Multi-hop Proxy                      T1090.003   p2pSocks, proxySocks
Web Protocols                        T1071.001   WebSocket over TLS
Non-Application Layer Protocol       T1095       QUIC (HTTP/3)
Dynamic Resolution                   T1568       TON blockchain DNS
Fast Flux DNS                        T1568.001   Cloudflare fronting + TON DNS
File Deletion                        T1070.004   selfDelete
Encrypted Channel                    T1573.002   TLS WebSocket
Remote Access Software               T1219       Screen streaming, shell, SOCKS proxy

Detection Guidance

Network: Monitor for connections to TON liteserver IPs on non-standard ports -- any Windows workstation talking to TON infrastructure is anomalous. Flag QUIC (UDP 443) to unknown destinations.

Endpoint: PE binaries with UPX0/UPX1/UPX2 section names that fail upx -d decompression. Behavioral strings (steal finished!, LOG SENT!, SSLPIN DISABLED) are plaintext and YARA-detectable.

rule SalatStealer_TON_Variant {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-15"
    strings:
        $ton1 = "tonutils-go" ascii
        $ton2 = "tonResolve" ascii
        $s1 = "steal finished!" ascii
        $s2 = "LOG SENT!" ascii
        $s3 = "SSLPIN DISABLED" ascii
        $upx0 = "UPX0" ascii
        $upx1 = "UPX1" ascii
    condition:
        uint16(0) == 0x5A4D and filesize > 10MB and
        (any of ($ton*)) and (2 of ($s*)) and ($upx0 and $upx1)
}
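The fake-UPX observation from The Sample and the endpoint guidance above reduce to one triage check that can be scripted ahead of the YARA rule. The following is an added example, not code from the report: a minimal PE section-table walk that flags UPX-named sections lacking the UPX! marker a genuinely packed file carries, plus a builder that constructs a hypothetical minimal PE32 image for testing (the builder's layout is an assumption for test data, not the real sample's).

```python
import struct

# Added triage helper, not tooling from the report. It walks the PE section table
# and checks whether UPX-named sections are backed by the "UPX!" marker that upx -d
# expects. SalatStealer ships UPX0/UPX1/UPX2 names with no such marker, so it
# classifies as "fake-upx": plaintext Go code that needs no unpacking.
UPX_MAGIC = b"UPX!"
TON_STRINGS = (b"tonutils-go", b"tonResolve")   # resolver strings named in the report

def section_names(pe: bytes) -> list:
    """Return section names from a PE image via a minimal header walk."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size        # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(pe: bytes) -> dict:
    """Classify packing status and note which TON-resolver strings are present."""
    names = section_names(pe)
    upx_named = any(n.startswith("UPX") for n in names)
    if upx_named and UPX_MAGIC not in pe:
        packing = "fake-upx"        # section names lie; skip upx -d and analyse directly
    elif upx_named:
        packing = "upx-packed"
    else:
        packing = "not-upx"
    return {
        "sections": names,
        "packing": packing,
        "ton_strings": [s.decode() for s in TON_STRINGS if s in pe],
    }

def build_pe(names: list, payload: bytes = b"") -> bytes:
    """Construct a hypothetical minimal 32-bit PE with the given section names (test data only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after the DOS header
    opt = bytes(0xE0)                        # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in names
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + table + payload

if __name__ == "__main__":
    # Constructed sample mimicking the report: UPX names, no UPX! marker, TON strings.
    sample = build_pe(["UPX0", "UPX1", "UPX2"], b"tonutils-go\0tonResolve\0steal finished!")
    print(triage(sample))
```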

References

  • CYFIRMA: Unmasked: Salat Stealer -- Advanced Persistence and C2
  • DeXpose Blog: Understanding SalatStealer: Features and Impact
  • Securelist: WebRAT distributed via GitHub fake CVE repos
  • SOC Prime: UAC-0252 / SalatStealer Ukraine campaign
  • Wazuh: Detecting and Responding to Salat Stealer
  • vx-underground: SalatStealer paper
  • Malpedia: win.salatstealer
  • MalwareBazaar: SalatStealer tag (860+ samples)
  • The Record: Russian NyashTeam group disrupted by CERT-F6 (July 2025)