Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Microsoft Active Directory Zero-Day Actively Exploited
July 15, 2026
Critical BitLocker Vulnerability Lets Attackers Bypass Windows Security
July 15, 2026
Notepad++ Vulnerabilities Enable PowerShell Command Injection
July 15, 2026
Home/Threats/Salat Malware Employs QUIC and WebSocket for Covert Remote Control
Threats

Salat Malware Employs QUIC and WebSocket for Covert Remote Control

Key Takeaways A new Go-based Remote Access Trojan (RAT) named Salat has been discovered, featuring advanced stealth capabilities. Salat utilizes QUIC and WebSocket protocols for covert...

Emy Elsamnoudy
Emy Elsamnoudy
May 7, 2026 5 Min Read
53 0

Key Takeaways

  • A new Go-based Remote Access Trojan (RAT) named Salat has been discovered, featuring advanced stealth capabilities.
  • Salat utilizes QUIC and WebSocket protocols for covert command-and-control (C2) communications, making detection difficult.
  • The malware employs sophisticated persistence mechanisms and a blockchain-based fallback C2 channel, making it highly resilient.
  • Salat is designed for extensive data exfiltration, targeting credentials, cryptocurrency wallets, and enabling full remote control over infected systems.

Sophisticated Salat Malware Leverages QUIC and WebSocket for Covert Operations

A new and highly advanced piece of malware, dubbed Salat, has emerged, raising significant alarms within the cybersecurity community. Written in the Go programming language, Salat operates as a full-featured Remote Access Trojan (RAT), granting attackers deep and persistent control over compromised systems. Its sophisticated design and broad capabilities distinguish it from many other threats.

Table Of Content

  • Key Takeaways
  • Sophisticated Salat Malware Leverages QUIC and WebSocket for Covert Operations
  • Stealthy Communication and Evasion Techniques
  • QUIC and WebSocket for Silent Communication
  • Data Theft and Persistence on Infected Machines
  • What You Should Do
  • Indicators of Compromise (IoCs):-

Unlike many malware variants that specialize in a single function, Salat is engineered to perform a wide array of malicious activities. These range from the theft of sensitive information, such as passwords, to providing threat actors with real-time visibility into a victim’s desktop and webcam. This comprehensive functionality allows attackers to maintain extensive control and surveillance over infected machines.

Stealthy Communication and Evasion Techniques

A primary concern with Salat is its innovative approach to command-and-control (C2) communication. The malware leverages modern internet protocols, specifically QUIC and WebSocket, to camouflage its malicious traffic within legitimate network activity. This strategic use of common protocols significantly complicates detection by conventional security tools, enabling Salat to operate with enhanced stealth.

The malware’s design prioritizes covert operation, aiming to remain completely undetected while executing its objectives. This focus on stealth, coupled with its broad capabilities, positions Salat as a particularly dangerous threat.

Malware derives its first decryption key by applying an MD5 hash (Source - DarkAtlas)
Malware derives its first decryption key by applying an MD5 hash (Source – DarkAtlas)

Researchers at DarkAtlas published a detailed analysis of Salat on May 6, 2026. Their findings highlight the malware’s meticulous and professional development. This includes six distinct methods for obfuscating internal strings and a system that generates a unique identifier for each compromised machine based on its hostname and hardware profile.

Upon initial infection, Salat immediately begins to collect system information. This includes details about the operating system, CPU, GPU, memory, and currently active applications. All collected data is then encrypted and transmitted to the attacker’s C2 server, providing a comprehensive profile of the compromised endpoint.

The JSON is encrypted and POSTed to the C2 server (Source - DarkAtlas)
The JSON is encrypted and POSTed to the C2 server (Source – DarkAtlas)

Salat’s data exfiltration capabilities extend across a wide range of sensitive targets. It can pilfer data from web browsers, cryptocurrency wallets, and popular messaging applications, in addition to capturing clipboard contents. The malware also features keylogging, screenshot capture, live desktop streaming, and remote shell access, effectively giving operators complete command over the infected system.

QUIC and WebSocket for Silent Communication

Salat is designed to prioritize the most effective communication channels for connecting with its command server, with a strong preference for QUIC and WebSocket protocols. These protocols are commonly used by legitimate web services, allowing Salat’s traffic to blend seamlessly with normal network activity, making it exceptionally difficult to distinguish from benign data flows. The malware only reverts to standard HTTP/2 if both QUIC and WebSocket channels are unavailable.

System Enumeration and Initial Beacon (Source - DarkAtlas)
System Enumeration and Initial Beacon (Source – DarkAtlas)

The addresses of Salat’s C2 servers are stored in a doubly encrypted format within its binary, presenting a significant challenge for reverse engineering and extraction. Analysis revealed five distinct server addresses, all sharing an identical path structure. To ensure resilience, if the malware fails to establish a connection after five consecutive attempts, it automatically cycles to the next server in its hardcoded list.

A particularly notable feature of Salat is its sophisticated backup communication mechanism: the TON (The Open Network) blockchain. Should all hardcoded C2 servers become unreachable, the malware queries the TON network via Cloudflare’s encrypted DNS service to retrieve new server addresses. This innovative use of a decentralized blockchain makes Salat exceptionally difficult to neutralize completely, as the blockchain itself cannot be easily taken offline.

Data Theft and Persistence on Infected Machines

Salat’s data theft capabilities are extensive, surpassing those of many common malware tools. It targets saved passwords and cookies from both Chromium-based and Firefox browsers, extracts tokens from applications like Discord and Steam, and exfiltrates cryptocurrency wallet files. All collected data is compressed into a ZIP archive before transmission, minimizing file sizes and further reducing the likelihood of detection during transfer.

To ensure persistence across system reboots, Salat employs a multi-pronged approach with three distinct methods. It copies itself to a system folder, adopting a deceptive filename such as explorer.exe or svchost.exe, and marks the file as hidden. Furthermore, it establishes a scheduled task that executes at every user login and repeats every 30 minutes. Finally, it adds a registry key to ensure its launch with every Windows startup.

What You Should Do

  • Implement robust network monitoring for unusual outbound connections, particularly those utilizing QUIC or WebSocket protocols, especially to unfamiliar domains.
  • Regularly audit system files for hidden executables or those impersonating legitimate Windows processes (e.g., explorer.exe, svchost.exe) in atypical locations.
  • Ensure all endpoint detection and response (EDR) solutions and antivirus software are up-to-date with the latest signatures and behavioral detection capabilities for Go-based malware.
  • Periodically review and audit scheduled tasks and registry run keys for any unknown or suspicious entries that could indicate persistence.
  • Educate users on phishing and social engineering tactics, as these are common initial infection vectors for RATs like Salat.

Indicators of Compromise (IoCs):-

Type Indicator Description
SHA-256 25802493e7ef64523d6ab13ad6e5555b2b08fd4576ae2edd905ad939d256aa3a Salat malware sample hash
SHA-1 b8f4a8c2e7d1f3a9b5c6d8e0f1a2b3c4d5e6f7a8 Salat malware sample hash
MD5 25802493e7ef64523d6ab13ad6e5555b Salat malware sample hash
URL https://salator[.]es/sa1at/ Salat C2 server endpoint
URL https://wrat[.]in/sa1at/ Salat C2 server endpoint
URL https://websalat[.]top/sa1at/ Salat C2 server endpoint
URL https://salat[.]cn/sa1at/ Salat C2 server endpoint
URL https://wrat[.]in:992/sa1at/ Salat C2 server alternate port endpoint

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Phishing Attack Abuses Event Invitations to Steal Login Credentials

Next Post

Google Chrome 127 Vulnerabilities Patched in Latest Release

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users
July 14, 2026
Critical Claude for Chrome Flaw Exposes Gmail, Docs, Calendar Data
July 14, 2026
Critical Vulnerability in AsyncAPI npm Packages Exposes Users to Attack
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us