SilabRAT Trojan Targets Cryptocurrency with Session Hijacking Techniques

Severity: High (Score: 69.5)

Sources: securelist.com, Group-Ib, Infosecurity-Magazine

Published: 2026-06-10 · Updated: 2026-06-10

Keywords: silabrat, trojan, sessions, remote, access, sold, forums

Severity indicators: ot, trojan, rat

Summary

SilabRAT, a Remote Access Trojan (RAT), has been sold on dark web forums as a Malware-as-a-Service (MaaS) offering since late 2025, priced at $5,000 per month. Developed by the Russian-speaking actor 'o1oo1', it is built to hijack a victim's already-authenticated sessions and drain cryptocurrency, which sidesteps passwords and multi-factor authentication because the attacker never has to log in. Session control relies on a hidden virtual network computing (HVNC) component and on cloning the victim's browser profile so the stolen session looks like the victim's own. The developer claims that over 90% of infected machines stayed online during a month-long campaign. SilabRAT is distributed through email spam and ClickFix lures; antivirus tools commonly flag the HijackLoader packer rather than the payload itself. The same developer sells a code-obfuscation tool, AsmCrypt, alongside SilabRAT. Group-IB analysts have observed real-world deployments and expect the focus on cryptocurrency theft to intensify. Published guidance recommends enforcing multi-factor authentication and keeping systems updated, with the caveat that MFA does not protect a session that is stolen after login.

Key Points:

  • SilabRAT is a new RAT sold as MaaS for $5,000 per month, focused on cryptocurrency theft.
  • It hijacks logged-in sessions (HVNC plus browser-profile cloning) rather than cracking credentials, so passwords and MFA are bypassed.
  • Over 90% of infected machines reportedly stayed online during a month-long campaign, indicating sustained access.

Detailed Analysis

**Impact**

SilabRAT targets cryptocurrency users by hijacking logged-in browser sessions to steal wallet credentials and funds. Operators claim over 90% of infected machines stayed online during month-long campaigns, indicating sustained access. The malware is sold on Russian-language cybercriminal forums and primarily affects individuals and organizations that transact in cryptocurrency. Losses stem from drained wallets and abused sessions, and Electron-based wallet applications such as Ledger Live and Trezor Suite are named as likely next targets.

**Technical Details**

SilabRAT is delivered via email spam and ClickFix lure campaigns and operates as a MaaS in which buyers host their own C2 infrastructure. It uses hidden virtual network computing (HVNC) for remote control that the victim cannot see, and it clones the entire browser profile, including extensions and fingerprinting data, so that the attacker's copy of the session passes the same checks the victim's browser would. A DLL (Target.dll) hooks file calls, COM elevation is used to bypass Chrome's App-Bound Encryption and recover protected browser data, and a clipboard hijacker replaces wallet addresses mid-transaction. Persistence is maintained through registry keys and scheduled tasks, and the RAT also logs keystrokes and captures clipboard contents. Antivirus products often detect the HijackLoader packer, while the payload itself remains unclassified.

**Recommended Response**

Enforce multi-factor authentication (MFA) across all accounts, especially on cryptocurrency platforms, while recognising that MFA stops credential replay but not the reuse of a session that has already been authenticated on a compromised host; preventing and detecting the infection is the priority. Keep Chrome fully patched to reduce exposure to COM-elevation bypasses, and deploy phishing and web filtering to cut off the spam and ClickFix delivery paths. Monitor for unusual HVNC sessions (hidden desktops driven by an unexpected process) and for browser profile directories being copied or re-created, and block known IOCs from Group-IB's intelligence portal where available. Watch registry Run-key writes and scheduled-task creation that point at user-writable paths, the persistence mechanisms described above, and treat clipboard contents that change from one wallet address to another without user action as a sign of a clipper.
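The two host-side behaviours above that a defender can test for directly are the persistence mechanisms (Run-key writes and scheduled-task creation pointing at user-writable paths) and the clipboard swap of one wallet address for another. The detection helpers below are an added example written for this page, not code from Group-IB or from SilabRAT itself: the Sysmon-style event dicts, process names and clipboard values are constructed (the bech32 strings are BIP173 test vectors), and the rule that a clipboard write whose owning process differs from the foreground application is suspicious is a heuristic assumed here, not something the page states about the malware.

```python
"""Detection helpers for Run-key / scheduled-task persistence and for a clipboard
'clipper' that swaps wallet addresses.  Added example; all events below are
constructed and the owner-vs-foreground rule is an assumed heuristic."""
import re
from dataclasses import dataclass

# Publicly documented address formats; limited to BTC and ETH by assumption.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# Directories an unprivileged user can write to; a persistence payload living
# here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def classify_address(text):
    """Return the address family for `text`, or None when it is not wallet-shaped."""
    s = text.strip()
    for family, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return family
    return None


@dataclass
class ClipboardEvent:
    t: float          # seconds since the monitor started
    owner: str        # process whose window set the clipboard (clipboard owner)
    foreground: str   # process owning the foreground window at that moment
    content: str


def detect_clipboard_swaps(events):
    """Flag an address being replaced by a different address of the same family
    when the write came from a process that is not the foreground application:
    a user copying from a wallet UI writes from the foreground process, a clipper
    writes from a hidden one.  Any non-address copy resets the comparison."""
    alerts = []
    prev = None
    for ev in events:
        fam = classify_address(ev.content)
        if (fam and prev and prev[1] == fam
                and prev[0].content.strip() != ev.content.strip()
                and ev.owner.lower() != ev.foreground.lower()):
            alerts.append({"t": ev.t, "family": fam, "by": ev.owner,
                           "original": prev[0].content.strip(),
                           "replacement": ev.content.strip()})
        prev = (ev, fam) if fam else None
    return alerts


def detect_persistence(events):
    """Flag Run-key writes (Sysmon EventID 13) and schtasks /create launches
    (EventID 1) whose payload path is in a user-writable directory."""
    hits = []
    for ev in events:
        if (ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", ""))
                and USER_WRITABLE.search(ev.get("Details", ""))):
            hits.append(("run_key", ev["TargetObject"], ev["Details"]))
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            if ("schtasks" in ev.get("Image", "").lower() and "/create" in cmd.lower()
                    and USER_WRITABLE.search(cmd)):
                hits.append(("scheduled_task", ev.get("Image", ""), cmd))
    return hits


# Constructed telemetry, not from any real infection.
SAMPLE_SYSMON = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},  # benign: not user-writable
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\alice\AppData\Roaming\svc.exe" /f'},
]
SAMPLE_CLIPBOARD = [
    ClipboardEvent(0.0, "electrum.exe", "electrum.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipboardEvent(0.2, "svc.exe", "electrum.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # swap
    ClipboardEvent(9.0, "notepad.exe", "notepad.exe", "meeting notes"),
    ClipboardEvent(12.0, "chrome.exe", "chrome.exe", "0x" + "ab" * 20),
    ClipboardEvent(12.1, "clipmgr.exe", "chrome.exe", "0x" + "ab" * 20),  # same value: no alert
]

if __name__ == "__main__":
    for hit in detect_persistence(SAMPLE_SYSMON):
        print("persistence:", hit)
    for alert in detect_clipboard_swaps(SAMPLE_CLIPBOARD):
        print("clipboard swap:", alert)
```

On the sample data the persistence rule fires on the HKU Run-key write and the schtasks launch but not on the vendor installer's HKLM entry, and the clipboard rule fires once, on the bech32 address rewritten by svc.exe while Electrum had focus, and stays quiet when a clipboard manager re-sets an unchanged value. In production the Sysmon fields map straight onto the dict keys used here; the clipboard owner and foreground process would come from a WM_CLIPBOARDUPDATE listener rather than a list.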

Source articles (3)

  • SilabRAT, What's Your Power? | Group — Group-Ib · 2026-06-10
    SilabRAT is an advanced Remote Access Trojan (RAT) sold as a Malware-as-a-Service (MaaS) on Darkweb forums. Developed by the threat actor "o1oo1," SilabRAT is heavily focused on financial gain through…
  • Kaspersky blog in 2023 — securelist.com · 2026-06-10
    As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. Last month we…
  • New SilabRAT Trojan Hijacks Sessions to Steal Crypto — Infosecurity-Magazine · 2026-06-10
    A new remote access trojan sold on dark web forums has been built to drain cryptocurrency, hijacking victims' logged-in sessions to slip past passwords and multi-factor checks. Dubbed SilabRAT, the ma…

Timeline

  • 2025-09-01 — SilabRAT first advertised on dark web: SilabRAT began appearing on Russian-language cybercriminal forums as a MaaS offering.
  • 2025-12-01 — SilabRAT real-world deployment observed: Group-IB analysts noted the use of SilabRAT in email spam and ClickFix campaigns.
  • 2026-01-05 — RAMP ransomware forum taken down: The FBI dismantled the RAMP forum, which had previously advertised SilabRAT.
  • 2026-06-10 — Infosecurity Magazine reports on SilabRAT: Infosecurity Magazine published an analysis detailing SilabRAT's capabilities and attack methods.

Related entities

  • Malware (Attack Type)
  • Trojan (Attack Type)
  • ClickFix (Malware)
  • Arkei (Malware)
  • DoubleFinger (Malware)
  • Lumma (Malware)
  • Mars (Malware)
  • Oski (Malware)
  • SilabRAT (Malware)
  • Vidar (Malware)
  • Zanubis (Malware)
  • Peru (Country)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • clipping.in (Domain)
  • cookies.it (Domain)
  • here.in (Domain)
  • kaspersky.com (Domain)
  • socket.io (Domain)
  • [email protected] (Email)
  • Financial (Industry)
  • AsmCrypt (Tool)
  • Chrome (Tool)
  • GoogleChromeElevationService (Tool)
  • MinHook (Tool)
  • Obfuscapk (Tool)
  • TightVNC (Tool)
  • 054061a4f0c37b0b353580f644eac554 (Md5)
  • 248b2b76b5fb6e35c2d0a8657e080759 (Md5)
  • 41d72de9df70205289c9ae8f3b4f0bcb (Md5)
  • 5aac51312dfd99bf4e88be482f734c79 (Md5)
  • 6b4c224c16e852bdc7ed2001597cde9d (Md5)
  • 844ab1b8a2db0242a20a6f3bbceedf6b (Md5)
  • 8d99c2b7cf55cac1ba0035ae265c1ac5 (Md5)
  • 9b00a65f117756134fdb9f6ba4cef61d (Md5)
  • a09daf5791d8fd4b5843cd38ae37cf97 (Md5)
  • a2c115d38b500c5dfd80d6208368ff55 (Md5)
  • a518eff78ae5a529dc044ed4bbd3c360 (Md5)
  • c2a9151e0e9f4175e555cf90300b45c9 (Md5)
  • d1f506b59908e3389c83a3a8e8da3276 (Md5)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1056 - Input Capture (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1115 - Clipboard Data (Mitre Attack)
  • T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • T1548.002 - Bypass User Account Control (Mitre Attack)
  • T1555.003 - Credentials From Web Browsers (Mitre Attack)
  • T1562.001 - Disable Or Modify Tools (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1574.001 - DLL (Mitre Attack)
  • Android (Platform)
  • Electron (Platform)
  • Ledger Live (Platform)
  • Tor (Platform)
  • Trezor Suite (Platform)
  • Windows (Platform)
  • BlackMatter (Ransomware Group)
  • Lockbit (Ransomware Group)
  • RAMP (Company)