Salat Malware Threatens Security with QUIC and WebSocket Stealth Tactics

Salat Malware: A New Stealthy Threat Leveraging QUIC and WebSocket for Remote Control

A newly identified malware named Salat has emerged as a significant concern within the cybersecurity community due to its sophisticated design and extensive capabilities. Developed using the Go programming language, Salat functions as a comprehensive remote access trojan (RAT), granting attackers deep and persistent access to compromised systems. Its multifaceted nature allows it to perform a wide array of malicious activities, ranging from credential theft to real-time surveillance through screen and webcam access.

One of the most alarming aspects of Salat is how it talks to its command-and-control (C2) servers. By carrying C2 traffic over QUIC and WebSocket, the malware makes that traffic look like ordinary web activity: QUIC runs over UDP/443 with encryption built into the transport, so its payload cannot be inspected by a conventional proxy, and a WebSocket session over TLS looks like any other long-lived HTTPS connection. Inspection tools tuned to plain HTTP or TCP/443 patterns therefore see little to flag, which makes Salat a formidable threat.

In-Depth Analysis of Salat’s Operations

Researchers from DarkAtlas conducted a comprehensive analysis of Salat, publishing their findings on May 6, 2026. Their investigation revealed that Salat exhibits a high level of sophistication, indicative of meticulous planning and professional development. Notably, the malware employs six distinct methods to obfuscate its internal strings, complicating efforts to analyze and detect its presence.

Upon infection, Salat initiates an extensive data collection process, gathering detailed information about the host system, including operating system specifics, CPU and GPU details, memory capacity, and active applications. This information is then encrypted and transmitted to the attacker’s server, providing a comprehensive profile of the compromised machine.

Beyond system profiling, Salat extends its reach to various applications and data sources. It targets web browsers, cryptocurrency wallets, messaging applications, and clipboard contents. The malware is capable of logging keystrokes, capturing screenshots, streaming the desktop in real-time, and opening a remote shell for direct command execution. These capabilities effectively grant attackers full operational control over the infected system.

Utilization of QUIC and WebSocket for Concealed Communication

Salat is engineered to pick whichever transport reaches its C2 servers, preferring QUIC and WebSocket. Both are ubiquitous in legitimate traffic (HTTP/3 for the former, browser push and chat channels for the latter), so the malware's sessions blend into the background of normal outbound connections and are unlikely to stand out to port- or protocol-based monitoring alone.

The malware's C2 server addresses are stored within its binary under two layers of encryption, which makes extraction and analysis harder. Researchers nonetheless decrypted five distinct server addresses, all sharing the same URL path structure. If Salat fails to connect after five consecutive attempts, it moves to the next server on its list, so blocking or taking down a single server does not sever the attacker's control.
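The failover behaviour described above gives defenders a usable signal: a host that fails repeatedly against one destination on port 443 and then succeeds against a different one. The following Python is an added example written for this page, not code from DarkAtlas or from the Salat sample; it runs two heuristics over a constructed, simplified flow log (in practice you would feed Zeek conn.log or NetFlow records). The log format, the IP addresses, the allowlist and the threshold of five are assumptions for illustration, with the threshold taken from the report's description of the rotation logic.

```python
"""Heuristic detection of Salat-style C2 failover and unexpected QUIC.

Added example (not DarkAtlas or Salat code). Each log line is a single
connection attempt: "<ts> <src> <dst> <dst_port> <proto> <outcome>",
where outcome is "ok" or "fail". The format is constructed for this demo.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 fails five times against 203.0.113.10
# (UDP/443, QUIC) and then reaches 203.0.113.11 (TCP/443, e.g. WebSocket
# over TLS). 10.0.0.7 shows ordinary browsing noise with one transient failure.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10 443 udp fail
1700000005 10.0.0.5 203.0.113.10 443 udp fail
1700000010 10.0.0.5 203.0.113.10 443 udp fail
1700000015 10.0.0.5 203.0.113.10 443 udp fail
1700000020 10.0.0.5 203.0.113.10 443 udp fail
1700000025 10.0.0.5 203.0.113.11 443 tcp ok
1700000030 10.0.0.7 198.51.100.20 443 udp ok
1700000031 10.0.0.7 198.51.100.20 443 udp fail
1700000032 10.0.0.7 198.51.100.21 443 udp ok
"""

# Salat rotates servers after five consecutive failed attempts (per the report).
FAILURE_THRESHOLD = 5


def parse_flows(text):
    """Parse the constructed log into dicts, ordered by timestamp."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the detector
        ts, src, dst, port, proto, outcome = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "outcome": outcome})
    flows.sort(key=lambda f: f["ts"])
    return flows


def find_failover(flows, threshold=FAILURE_THRESHOLD):
    """Alert on (src, failed_dst, next_dst) when a source records at least
    `threshold` consecutive failures to one port-443 destination and its
    next successful port-443 connection goes to a different destination."""
    per_src = defaultdict(list)
    for f in flows:
        if f["port"] == 443:
            per_src[f["src"]].append(f)

    alerts = []
    for src, seq in per_src.items():
        streak_dst, streak = None, 0
        for f in seq:
            if f["outcome"] == "fail":
                if f["dst"] == streak_dst:
                    streak += 1  # same target keeps failing
                else:
                    streak_dst, streak = f["dst"], 1  # new failing target
            else:
                if streak >= threshold and f["dst"] != streak_dst:
                    alerts.append((src, streak_dst, f["dst"]))
                streak_dst, streak = None, 0  # a success resets the streak
    return alerts


def quic_to_unlisted(flows, allowlist):
    """(src, dst) pairs using UDP/443 (QUIC) to destinations outside an
    allowlist of services the organisation expects to see speaking HTTP/3."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["proto"] == "udp" and f["port"] == 443
                   and f["dst"] not in allowlist})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, failed, nxt in find_failover(flows):
        print(f"failover: {src} gave up on {failed} and reached {nxt}")
    # Assumed allowlist: the two 198.51.100.x hosts stand in for known CDNs.
    for src, dst in quic_to_unlisted(flows, {"198.51.100.20", "198.51.100.21"}):
        print(f"quic to unlisted destination: {src} -> {dst}")
```

Neither heuristic proves infection on its own: flaky Wi-Fi produces failure streaks, and any new SaaS adoption produces unlisted QUIC destinations. The value is in correlating the two, and in pairing a network alert with the endpoint signals the report describes (keylogging, screen capture, browser credential store access) before escalating.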

Implications and Recommendations

The emergence of Salat underscores the evolving landscape of cyber threats, where attackers continuously develop more sophisticated and stealthy tools. The use of modern protocols like QUIC and WebSocket for C2 communications exemplifies this trend, as these protocols are designed for efficiency and are widely adopted, making malicious traffic harder to distinguish from legitimate activity.

To mitigate the risks associated with Salat and similar threats, organizations should consider implementing the following measures:

1. Enhanced Network Monitoring: Deploy network monitoring that can baseline QUIC and WebSocket usage and flag anomalies such as long-lived outbound TLS sessions to unfamiliar destinations or repeated connection failures followed by a switch to a new destination. Note that QUIC rides on UDP/443 with its payload encrypted end to end, so inspection devices built for TCP/443 may not see it at all; many organisations block outbound UDP/443 at the perimeter so that QUIC-capable clients fall back to TCP/TLS, where existing inspection applies. Because Salat also carries a WebSocket channel, that block shifts its traffic rather than removing it, so the endpoint and behavioural controls below remain essential.

2. Endpoint Detection and Response (EDR): Utilize EDR that can detect and respond to the behaviours Salat exhibits on the host: keystroke logging, screenshot and desktop capture, webcam access, reads of browser credential stores and cryptocurrency wallet files, clipboard monitoring, and a process spawning a remote shell while holding outbound network connections.

3. Regular Software Updates: Ensure that all systems and applications are up to date with the latest security patches, closing vulnerabilities that could be used to deliver malware such as Salat. (The report summarised here does not identify Salat's initial access vector, so patching is a general reduction of attack surface rather than a fix for a specific exploit.)

4. User Education: Conduct regular training sessions to educate employees about phishing tactics and the importance of not downloading or executing unverified software.

5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action can be taken in the event of a malware infection.

By adopting a proactive and layered security approach, organizations can enhance their defenses against sophisticated malware threats like Salat, thereby safeguarding their systems and sensitive data from potential compromise.