Current Cyber Threats

Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

Summary:
Salat Stealer is a Go-based infostealer that was first spotted in August 2025. CYFIRMA has observed the malware targeting Windows systems; it is capable of exfiltrating browser credentials, cryptocurrency wallet data, and session information from platforms such as Telegram and Steam. Salat Stealer employs several tactics, including UPX packing and process masquerading, to bypass defenses. To ensure persistent access, the malware also creates multiple Run keys in the Windows registry and sets up scheduled tasks with deceptive names, such as Lightshot, Procmon, and RuntimeBroker, each configured with multiple triggers so that the stealer keeps executing.

Security Officer Comments:
Salat Stealer operates as malware-as-a-service: cybercriminals pay a subscription fee to access the tool. It comes with a command-and-control panel that lets actors interact with compromised systems in real time, execute remote PowerShell scripts, and download additional payloads. According to CYFIRMA, Salat Stealer operations have been attributed to Russian-speaking actors associated with NyashTeam and Kapchenka. Operators have promoted the stealer through social engineering campaigns on mainstream platforms, using fake or compromised YouTube accounts to post videos about game cheats, software cracks, and bots, with links that redirect victims to file-sharing services hosting malware-laced archives.

Suggested Corrections:
Endpoint Protection & Monitoring

  • Deploy advanced endpoint detection and response (EDR) solutions capable of detecting packed executables (e.g., UPX) and monitoring suspicious persistence mechanisms, such as registry Run keys and scheduled tasks.
  • Enable real-time behavioral monitoring to identify anomalous process creation or suspicious files.
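The persistence pattern described in the summary (Run keys plus scheduled tasks that borrow names like Lightshot, Procmon and RuntimeBroker, each with several triggers) can be audited directly on a suspect host. The following PowerShell audit is an added example written for this brief, not code from the CYFIRMA report; the list of trusted install roots and the decision to report only tasks that combine an untrusted binary with multiple triggers (or a borrowed name) are assumptions chosen to keep noise down.

```powershell
# Added example, not part of the CYFIRMA report: audit the persistence locations the
# report describes (registry Run keys and scheduled tasks) for entries that reuse a
# well-known name but launch from an unexpected path, or that carry several triggers.
# Run from an elevated PowerShell 5.1+ session on the host being examined.

# Names the report says the stealer reuses for its persistence entries.
$SuspectNames = @('Lightshot', 'Procmon', 'RuntimeBroker')

# Assumption: a genuine copy of such tools lives under one of these roots.
$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Resolve-CommandPath {
    # Pull the executable out of a Run-key command line or a task action.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { return $c.Substring(1).Split('"')[0] }
    return $c.Split(' ')[0]
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignatureStatus {
    # Authenticode status of the binary, or FileMissing if the path does not resolve.
    param([string]$Path)
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    }
    return 'FileMissing'
}

$Findings = New-Object System.Collections.Generic.List[object]

# --- 1. Registry Run / RunOnce values in the user and machine hives ---
$RunKeys = 'HKCU:', 'HKLM:' | ForEach-Object {
    "$_\Software\Microsoft\Windows\CurrentVersion\Run"
    "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$RunKeys += 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
        $exe   = Resolve-CommandPath $p.Value
        $flags = @()
        if ($SuspectNames -contains $p.Name) { $flags += 'suspect-name' }
        if (-not (Test-TrustedPath $exe))    { $flags += 'untrusted-path' }
        if ($flags.Count -gt 0) {
            $Findings.Add([pscustomobject]@{
                Source = $key; Name = $p.Name; Executable = $exe
                Signature = Get-SignatureStatus $exe; Flags = ($flags -join ',') })
        }
    }
}

# --- 2. Scheduled tasks: borrowed names, untrusted binaries, multiple triggers ---
foreach ($task in Get-ScheduledTask) {
    $flags        = @()
    $triggerCount = @($task.Triggers | Where-Object { $_ }).Count
    if ($SuspectNames -contains $task.TaskName) { $flags += 'suspect-name' }
    if ($triggerCount -gt 1) { $flags += "multi-trigger($triggerCount)" }
    # Only Exec actions carry a path; COM-handler actions have no Execute property value.
    $exes = @($task.Actions | ForEach-Object { Resolve-CommandPath $_.Execute } | Where-Object { $_ })
    $untrusted = @($exes | Where-Object { -not (Test-TrustedPath $_) })
    if ($untrusted.Count -gt 0) { $flags += 'untrusted-path' }
    # Multiple triggers alone are common for legitimate Windows tasks, so report a task
    # only when it reuses a suspect name, or pairs an untrusted binary with several triggers.
    if (($flags -contains 'suspect-name') -or
        (($flags -contains 'untrusted-path') -and $triggerCount -gt 1)) {
        $exe = if ($untrusted.Count -gt 0) { $untrusted[0] } else { $exes | Select-Object -First 1 }
        $Findings.Add([pscustomobject]@{
            Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName
            Executable = $exe; Signature = Get-SignatureStatus $exe; Flags = ($flags -join ',') })
    }
}

$Findings | Sort-Object Source | Format-Table -AutoSize
```

A legitimate RuntimeBroker entry resolves under System32 with a Valid Microsoft signature; an entry of that name that points into a user profile, a temp directory, or an unsigned binary is the pattern the summary describes and warrants triage. Because the script reads only Run keys and the task scheduler, it can be run repeatedly from an EDR live-response console or a login script to baseline hosts.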

Network Security Controls

  • Implement strict outbound traffic monitoring to detect and block connections to suspicious or malicious IP addresses.
  • Configure intrusion detection/prevention systems (IDS/IPS) with updated signatures and YARA rules to flag credential-stealing activity and cryptocurrency-related extension indicators.

System Hardening

  • Restrict permissions for creating or modifying scheduled tasks and registry Run keys to limit malware persistence.
  • Regularly audit Windows Defender configurations to ensure exclusions are not tampered with by unauthorized processes.
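The two hardening items above can be turned into a repeatable check. The script below is an added example for this brief, not code from the CYFIRMA report; the list of identities expected to hold write rights on the machine-wide Run key is an assumption and should be adjusted to the environment's own baseline.

```powershell
# Added example, not part of the CYFIRMA report: verify who can write persistence
# entries into the machine-wide Run key, and list Defender exclusions or disabled
# protections that a stealer could hide behind. Run elevated on Windows 10 / Server 2016+.

# Assumption: only these principals should be able to add or change Run-key values.
$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                     'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

# Registry rights that allow planting or altering a Run value (FullControl includes them).
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership)

$Report = New-Object System.Collections.Generic.List[object]

# --- 1. Who holds write access on HKLM\...\Run? ---
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($ace in (Get-Acl -Path $RunKey).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    $Report.Add([pscustomobject]@{
        Check  = 'RunKeyWriter'
        Item   = $who
        Detail = $ace.RegistryRights.ToString()
        Status = if ($ExpectedWriters -contains $who) { 'expected' } else { 'REVIEW' }
    })
}

# --- 2. Defender exclusions and disabled protections ---
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in @($pref.$kind | Where-Object { $_ })) {
        # Every exclusion is a blind spot; each one should map to a documented change.
        $Report.Add([pscustomobject]@{ Check = $kind; Item = $item; Detail = ''; Status = 'REVIEW' })
    }
}
foreach ($switch in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection') {
    if ($pref.$switch) {
        $Report.Add([pscustomobject]@{ Check = 'DefenderSwitch'; Item = $switch; Detail = 'True'; Status = 'REVIEW' })
    }
}

if ($Report.Count -eq 0) { 'No unexpected Run-key writers, exclusions or disabled protections found.' }
else { $Report | Format-Table -AutoSize }
```

An ACE granting SetValue or CreateSubKey to Users, Authenticated Users or Everyone on the machine-wide Run key is the condition the first hardening bullet asks you to remove; a process or path exclusion that nobody can account for is the condition the second bullet asks you to catch. Scheduled storage of this report (for example into a SIEM) makes drift visible between audits.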

User Awareness & Policy

  • Conduct targeted awareness training on phishing and social engineering, as initial infection vectors are often email attachments or drive-by downloads.
  • Encourage the use of hardware wallets or secured vaults for cryptocurrency storage instead of browser-based extensions.

Link(s):
https://www.cyfirma.com/research/un...persistence-mechanisms-and-c2-infrastructure/