
Salat Stealer Go-Based RAT Uses TON Blockchain C2 to Steal Browser Credentials

By xploitzone
May 7, 2026 3:10 PM

Salat Stealer is a sophisticated Go-based RAT and info-stealer with a TON blockchain C2 fallback, six-mode string obfuscation, QUIC transport, and full credential harvesting from browsers, crypto wallets, and Discord and Steam tokens.

There was a time when writing malware meant writing low-level code in assembler or C, manually handling every function of the OS, and still getting caught by antivirus. In 2026 that era is long gone. Today threat actors use the Go programming language: it is cross-platform, it compiles to a single binary, and reverse engineering that binary is nothing short of a nightmare for analysts. And when an attacker writes malware in this language that uses the TON blockchain as a C2 backup, it is not just a tool; it is a professional-grade post-exploitation framework. This malware is called Salat Stealer.

The DarkAtlas research team published a full technical dissection of this malware on May 6, 2026, and, believe it or not, what they found inside turned out to be much more dangerous and sophisticated than initially thought.

This is not just a simple credential stealer; it is a complete attacker toolkit packed into a single binary: remote shell, webcam streaming, keylogger, SOCKS5 proxy, browser and crypto wallet theft, and a C2 architecture that is practically shutdown-proof.

Inside Salat Stealer: How This Malware Became a Full Hacking Framework

As soon as execution begins, the malware retrieves its own disk path by calling os.Executable(). This path is subsequently used for three tasks: to establish persistence, to perform injection checks, and, most interestingly, to derive cryptographic material. You heard that right.

Salat Stealer IDA Pro disassembly showing md5("biba") key derivation for AES-128-GCM decryption mode 1. Image source: DarkAtlas

The malware creates decryption keys from the contents of its own binary. The first key is simply the MD5 hash of the string biba, which is used for AES-128-GCM decryption. In the third mode, the hexadecimal representation of a Russian phrase is used as an XOR key; this detail points to a possible Russian-speaking developer, or at least deliberately planted misdirection.

Then comes Agent ID generation, a key technical feature of this malware. The malware combines the victim's hostname, hardware ID (HWID), and the hardcoded salt string LDrx1ePUV27Zt8tq2S14, computes an MD5 hash, and converts it into a 32-character hex string that becomes the permanent unique identifier of that specific machine. This ID is embedded in every C2 beacon, which means your machine is uniquely tracked by the attacker's server from the very first connection.

Salat Stealer debugger view showing the main generateHWID function creating the unique victim agent ID from hostname and HWID. Image source: DarkAtlas
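As an added example (not code from the DarkAtlas report or from the malware), the following Python recomputes the agent IDs that hosts in an asset inventory would produce, so an incident responder can map an ID seen in a captured beacon back to a machine. The page does not state the concatenation order of hostname, HWID and salt, so (assumption) all six orderings are tried; the inventory entries and the HWID format are constructed for the demo.

```python
import hashlib
from itertools import permutations

# Salt string reported by DarkAtlas for Salat Stealer's agent ID derivation.
SALT = "LDrx1ePUV27Zt8tq2S14"


def candidate_agent_ids(hostname: str, hwid: str) -> dict[str, str]:
    """Return every MD5-based agent ID this host could produce.

    The report says the malware combines hostname, HWID and the salt into one
    MD5 hash rendered as 32 hex characters. The concatenation order is not
    stated, so (assumption) all six orderings are computed and keyed by the
    ordering that produced them, e.g. "hostname+hwid+salt".
    """
    parts = {"hostname": hostname, "hwid": hwid, "salt": SALT}
    out = {}
    for order in permutations(parts):
        digest = hashlib.md5("".join(parts[k] for k in order).encode()).hexdigest()
        out["+".join(order)] = digest
    return out


def match_beacon_id(beacon_id: str, inventory: list[tuple[str, str]]):
    """Map an agent ID from a captured beacon back to a host in the inventory.

    Returns (hostname, hwid, ordering) for the first match, or None.
    """
    beacon_id = beacon_id.strip().lower()
    if len(beacon_id) != 32 or any(c not in "0123456789abcdef" for c in beacon_id):
        raise ValueError("agent ID must be 32 hex characters")
    for hostname, hwid in inventory:
        for ordering, digest in candidate_agent_ids(hostname, hwid).items():
            if digest == beacon_id:
                return hostname, hwid, ordering
    return None


# Constructed sample inventory (hostname, HWID); these are not real hosts.
INVENTORY = [
    ("WS-FINANCE-07", "4C4C4544-0042-3810-8057-B4C04F4A5733"),
    ("LT-SALES-12", "03000200-0400-0500-0006-000700080009"),
]

if __name__ == "__main__":
    # Simulate an ID as the malware would compute it under one ordering,
    # then correlate it back to the host that produced it.
    seen = candidate_agent_ids(*INVENTORY[0])["hostname+hwid+salt"]
    print(match_beacon_id(seen, INVENTORY))
```

Once the ordering is confirmed from the report, the six-way search collapses to a single lookup per host.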

This malware has six different decryption modes, and all of them are strategic. One mode is AES-GCM, the second is XOR, the third is a hex-over-hex pipeline. The C2 URLs themselves are doubly encrypted in the binary: first decrypt with Mode 4, then decode the hex, then decrypt with Mode 1 (AES-GCM) to get the original URL. Static analysis tools cannot handle this chain automatically; the analyst has to trace each step manually.

Talking about C2 infrastructure, there are five hardcoded endpoints: salator[.]es, wrat[.]in, websalat[.]top, salat[.]cn, and a non-standard HTTPS port, wrat[.]in:992. At the transport layer the malware first tries QUIC (HTTP/3), because it is UDP-based and traditional network monitoring tools cannot easily identify it. If QUIC is blocked, WebSocket and then HTTP/2 form the automatic fallback chain. And if all five endpoints fail, the feature that makes this malware truly exceptional kicks in.

Salat Stealer C2 transport probing code showing the getBestMethod functions testing QUIC, WebSocket and HTTP/2 connectivity. Image source: DarkAtlas

The TON blockchain C2 fallback is the most advanced C2 resilience technique in the 2026 malware landscape. When all hardcoded endpoints fail, the malware queries Cloudflare's DNS-over-HTTPS resolver, decodes a smart contract address on the TON blockchain, verifies the signature using RSA modular exponentiation, and then parses JSON to recover a fresh C2 URL.

This means that as long as the TON blockchain exists and the smart contract is funded, this malware's C2 cannot be permanently taken down. No domain takedown applies. No ISP can block it. This technique is still relatively uncommon, which clearly puts this malware in the category of an advanced threat actor.

There are four embedded RSA public keys for communications; they encrypt beacon data, stolen credentials, and screenshots. This means that even if the traffic is intercepted, it cannot be decrypted without the private key.

Talking about system reconnaissance: before sending the first beacon, the malware collects a complete hardware profile (GPU name, CPU name, OS version, total RAM, active window title, and admin privilege status), all through WMI queries. All of this is marshaled into JSON and sent to the C2 in encrypted form. The attacker immediately knows whether the infected machine is powerful, whether it has admin rights, and decides the next commands accordingly.

Salat Stealer WMI queries collecting Win32_VideoController, Win32_OperatingSystem and TotalPhysicalMemory for system fingerprinting. Image source: DarkAtlas

You will be amazed by the scope of its data theft capabilities. The malware runs a dedicated Main.Steel function that collects encrypted passwords from Chromium-based browsers, decrypting them via Windows DPAPI into plain text; steals credentials from Firefox/Gecko NSS libraries; steals Discord tokens that grant direct access to Discord accounts; extracts Steam session tokens; accesses crypto wallet files; captures clipboard data; takes screenshots; lists running processes; and packs it all into a ZIP archive that it uploads to the C2 server. All of it systematically and quietly in the background.

The keylogger is launched via a dedicated -k argument mode that simply captures keystrokes and exits, so it can remain hidden as a separate lightweight process.

Salat Stealer keylogger code showing SetWindowsHookExA with a WH_KEYBOARD_LL hook for keystroke capture. Image source: DarkAtlas

The full set of remote control commands is a proper hacking toolkit. Command 4 starts a WebSocket session in which remote desktop, interactive shell, webcam, microphone, and file manager are all live.

Command e establishes a P2P SOCKS5 proxy tunnel through which the attacker can use the infected machine as a proxy node for lateral movement to other systems. Command b performs a UAC bypass attempt. Command 2 self-destructs and erases traces. These commands are designed for an operator who wants full post-exploitation access: not just credentials but complete machine control.

There are three different persistence mechanisms. First, copy the executable to the system folder and set the FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM flags to make it invisible. Second, create a hidden task in Windows Task Scheduler that runs automatically at every user logon and every 30 minutes. Third, an entry in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key for automatic start at system boot. And what is more cunning than these three: the malware renames itself explorer.exe, svchost.exe, lsass.exe or csrss.exe, all legitimate Windows system process names that not only ordinary users but even many IT admins don't notice in Task Manager.

Salat Stealer Defense Guide: What Security Teams Must Do Now

Understanding Salat Stealer isn't just malware analysis; it is understanding the level of capability threat actors have reached in 2026. Go-based malware means a single compiled binary that can run on Windows, Linux and macOS with minimal modification. AES-GCM + XOR + hex layered encryption means static YARA rules have a hard time detecting it.

TON blockchain fallback means infrastructure takedown is practically impossible. QUIC transport means network-level detection is bypassed. And masquerading as Windows system process names makes it hard to spot. But defenders still have tools, if they use them correctly.

First, load the YARA rule published by DarkAtlas into your security stack immediately. This rule specifically targets the LDrx1ePUV27Zt8tq2S14 salt string, the browser password SQL queries, the DNS-over-HTTPS Cloudflare endpoints, and the logon session WMI query strings, all highly specific artifacts that should not occur in legitimate software. The rule is useful for both executable scanning and memory forensics.

Add the following IOCs to your SIEM, firewall, and DNS filtering: salator[.]es, wrat[.]in, websalat[.]top and salat[.]cn, each with a /sa1at/ path; these are the C2 communication endpoints. Add the SHA-256 hash 25802493e7ef64523d6ab13ad6e5555b2b08fd4576ae2edd905ad939d256aa3a to the block list of your endpoint protection solution.

Focus on behavioral detection, because static signatures are limited here. Flag processes named explorer.exe or svchost.exe that lack their usual parent process or run from locations where these files would not normally be (such as %AppData% or %Temp%). Audit any new Scheduled Tasks that have both a LogonTrigger and a 30-minute TimeTrigger. Immediately investigate unexpected entries in Registry Run keys.
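The process and scheduled-task checks above, written out as an added example (not from DarkAtlas or the malware) that runs over constructed telemetry records. The expected-parent table is the standard Windows process tree, an assumption of this example rather than something the page states, and the "TimeTrigger:30m" encoding of task triggers is a made-up representation of what your EDR or Get-ScheduledTask export would provide.

```python
# Expected parent process for each system name Salat Stealer masquerades as
# (assumption: standard Windows process tree; real binaries live under C:\Windows).
EXPECTED_PARENT = {
    "explorer.exe": {"userinit.exe", "winlogon.exe"},
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def proc_findings(name: str, path: str, parent: str) -> list[str]:
    """Reasons a process record looks like a masqueraded system process."""
    lname, lpath = name.lower(), path.lower()
    if lname not in EXPECTED_PARENT:
        return []
    out = []
    if not lpath.startswith("c:\\windows\\") or any(m in lpath for m in USER_WRITABLE):
        out.append(f"{name} running from unexpected location {path}")
    if parent.lower() not in EXPECTED_PARENT[lname]:
        out.append(f"{name} has unexpected parent {parent}")
    return out


def task_findings(name: str, triggers: list[str]) -> list[str]:
    """Flag a scheduled task that has both a logon trigger and a 30-minute repeat."""
    kinds = {t.lower() for t in triggers}
    if "logontrigger" in kinds and "timetrigger:30m" in kinds:
        return [f"task {name} runs at logon and every 30 minutes"]
    return []


# Constructed sample telemetry; names, paths and tasks are made up for the demo.
PROCS = [
    ("svchost.exe", "C:\\Windows\\System32\\svchost.exe", "services.exe"),
    ("explorer.exe", "C:\\Users\\bob\\AppData\\Roaming\\explorer.exe", "cmd.exe"),
    ("lsass.exe", "C:\\Windows\\Temp\\lsass.exe", "wininit.exe"),
]
TASKS = [
    ("OneDrive Standalone Update", ["TimeTrigger:24h"]),
    ("WindowsUpdateCheck", ["LogonTrigger", "TimeTrigger:30m"]),
]


def scan(procs=PROCS, tasks=TASKS) -> list[str]:
    """Run both checks over process and task records, returning alert lines."""
    alerts = []
    for name, path, parent in procs:
        alerts.extend(proc_findings(name, path, parent))
    for name, triggers in tasks:
        alerts.extend(task_findings(name, triggers))
    return alerts


if __name__ == "__main__":
    for line in scan():
        print("ALERT:", line)
```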

At the network level, monitor QUIC connections in UDP traffic, especially to unknown domains. Monitor outbound DNS-over-HTTPS traffic: the malware queries Cloudflare's 1.1.1.1/dns-query when it falls back to the TON blockchain. This is a detectable network pattern if your network monitoring layer performs application-layer DNS decoding.

A specific warning for crypto wallet users: Salat accesses Stellar wallet files directly, and hot wallets like MetaMask, Exodus and browser-based wallets are specifically targeted. Cold hardware wallets are safe from this vector. Hardware wallets are a necessity, not a luxury, for high-value crypto holdings in 2026.

Discord and Steam use token-based authentication. Once the token is stolen, even changing the password does not invalidate the session unless you explicitly log out all active sessions. If you suspect an infected system, remotely log out all active sessions on Discord and Steam.

Salat Stealer is not a name you'll forget tomorrow. It is an example of a malware design philosophy where the attacker has thought of a solution to every single failure point. If one C2 fails, try another. If all fail, take it from the blockchain. If static analysis is attempted, there are six modes of obfuscation. If the process is seen, it carries the name of a legitimate Windows process.

If it is deleted, there are three different persistence mechanisms. This is the opposite of defense-in-depth: offense-in-depth. And this level of engineering happens when the attacker has all three: time, resources and motivation. Now the defender must also have all three: time, resources, and the motivation to take it seriously. Because this time the warning came first; it may not come next time.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
