Salat Malware Employs QUIC and WebSocket for Covert Remote Control
Key Takeaways A new Go-based Remote Access Trojan (RAT) named Salat has been discovered, featuring advanced stealth capabilities. Salat utilizes QUIC and WebSocket protocols for covert...
Key Takeaways
- A new Go-based Remote Access Trojan (RAT) named Salat has been discovered, featuring advanced stealth capabilities.
- Salat utilizes QUIC and WebSocket protocols for covert command-and-control (C2) communications, making detection difficult.
- The malware employs sophisticated persistence mechanisms and a blockchain-based fallback C2 channel, making it highly resilient.
- Salat is designed for extensive data exfiltration, targeting credentials, cryptocurrency wallets, and enabling full remote control over infected systems.
Sophisticated Salat Malware Leverages QUIC and WebSocket for Covert Operations
A new and highly advanced piece of malware, dubbed Salat, has emerged, raising significant alarms within the cybersecurity community. Written in the Go programming language, Salat operates as a full-featured Remote Access Trojan (RAT), granting attackers deep and persistent control over compromised systems. Its sophisticated design and broad capabilities distinguish it from many other threats.
Table Of Content
Unlike many malware variants that specialize in a single function, Salat is engineered to perform a wide array of malicious activities. These range from the theft of sensitive information, such as passwords, to providing threat actors with real-time visibility into a victim’s desktop and webcam. This comprehensive functionality allows attackers to maintain extensive control and surveillance over infected machines.
Stealthy Communication and Evasion Techniques
A primary concern with Salat is its innovative approach to command-and-control (C2) communication. The malware leverages modern internet protocols, specifically QUIC and WebSocket, to camouflage its malicious traffic within legitimate network activity. This strategic use of common protocols significantly complicates detection by conventional security tools, enabling Salat to operate with enhanced stealth.
The malware’s design prioritizes covert operation, aiming to remain completely undetected while executing its objectives. This focus on stealth, coupled with its broad capabilities, positions Salat as a particularly dangerous threat.

Researchers at DarkAtlas published a detailed analysis of Salat on May 6, 2026. Their findings highlight the malware’s meticulous and professional development. This includes six distinct methods for obfuscating internal strings and a system that generates a unique identifier for each compromised machine based on its hostname and hardware profile.
Upon initial infection, Salat immediately begins to collect system information. This includes details about the operating system, CPU, GPU, memory, and currently active applications. All collected data is then encrypted and transmitted to the attacker’s C2 server, providing a comprehensive profile of the compromised endpoint.

Salat’s data exfiltration capabilities extend across a wide range of sensitive targets. It can pilfer data from web browsers, cryptocurrency wallets, and popular messaging applications, in addition to capturing clipboard contents. The malware also features keylogging, screenshot capture, live desktop streaming, and remote shell access, effectively giving operators complete command over the infected system.
QUIC and WebSocket for Silent Communication
Salat is designed to prioritize the most effective communication channels for connecting with its command server, with a strong preference for QUIC and WebSocket protocols. These protocols are commonly used by legitimate web services, allowing Salat’s traffic to blend seamlessly with normal network activity, making it exceptionally difficult to distinguish from benign data flows. The malware only reverts to standard HTTP/2 if both QUIC and WebSocket channels are unavailable.

The addresses of Salat’s C2 servers are stored in a doubly encrypted format within its binary, presenting a significant challenge for reverse engineering and extraction. Analysis revealed five distinct server addresses, all sharing an identical path structure. To ensure resilience, if the malware fails to establish a connection after five consecutive attempts, it automatically cycles to the next server in its hardcoded list.
A particularly notable feature of Salat is its sophisticated backup communication mechanism: the TON (The Open Network) blockchain. Should all hardcoded C2 servers become unreachable, the malware queries the TON network via Cloudflare’s encrypted DNS service to retrieve new server addresses. This innovative use of a decentralized blockchain makes Salat exceptionally difficult to neutralize completely, as the blockchain itself cannot be easily taken offline.
Data Theft and Persistence on Infected Machines
Salat’s data theft capabilities are extensive, surpassing those of many common malware tools. It targets saved passwords and cookies from both Chromium-based and Firefox browsers, extracts tokens from applications like Discord and Steam, and exfiltrates cryptocurrency wallet files. All collected data is compressed into a ZIP archive before transmission, minimizing file sizes and further reducing the likelihood of detection during transfer.
To ensure persistence across system reboots, Salat employs a multi-pronged approach with three distinct methods. It copies itself to a system folder, adopting a deceptive filename such as explorer.exe or svchost.exe, and marks the file as hidden. Furthermore, it establishes a scheduled task that executes at every user login and repeats every 30 minutes. Finally, it adds a registry key to ensure its launch with every Windows startup.
What You Should Do
- Implement robust network monitoring for unusual outbound connections, particularly those utilizing QUIC or WebSocket protocols, especially to unfamiliar domains.
- Regularly audit system files for hidden executables or those impersonating legitimate Windows processes (e.g.,
explorer.exe,svchost.exe) in atypical locations. - Ensure all endpoint detection and response (EDR) solutions and antivirus software are up-to-date with the latest signatures and behavioral detection capabilities for Go-based malware.
- Periodically review and audit scheduled tasks and registry run keys for any unknown or suspicious entries that could indicate persistence.
- Educate users on phishing and social engineering tactics, as these are common initial infection vectors for RATs like Salat.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 25802493e7ef64523d6ab13ad6e5555b2b08fd4576ae2edd905ad939d256aa3a | Salat malware sample hash |
| SHA-1 | b8f4a8c2e7d1f3a9b5c6d8e0f1a2b3c4d5e6f7a8 | Salat malware sample hash |
| MD5 | 25802493e7ef64523d6ab13ad6e5555b | Salat malware sample hash |
| URL | https://salator[.]es/sa1at/ | Salat C2 server endpoint |
| URL | https://wrat[.]in/sa1at/ | Salat C2 server endpoint |
| URL | https://websalat[.]top/sa1at/ | Salat C2 server endpoint |
| URL | https://salat[.]cn/sa1at/ | Salat C2 server endpoint |
| URL | https://wrat[.]in:992/sa1at/ | Salat C2 server alternate port endpoint |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.