SilabRAT: A Stealthy Crypto-Draining Malware Emerges as MaaS
A new remote access trojan (RAT), SilabRAT, has surfaced on dark web forums, designed to bypass passwords and multi-factor authentication (MFA) by hijacking active user sessions to drain cryptocurrency. First advertised in late 2025 by a Russian-speaking threat actor known as o1oo1, the malware is offered as a malware-as-a-service (MaaS) for $5,000 per month. Buyers, who typically distribute it via email spam and ClickFix lures, report high success rates, with over 90% of infected machines remaining online during month-long campaigns.
SilabRAT evades detection by disguising itself as HijackLoader, a known packer, so that analysis identifies the packer rather than its true payload. Its standout features include:
- Hidden Virtual Network Computing (HVNC): Operators control infected machines without visible windows or cursor movement, making activity appear as legitimate user sessions.
- Browser-Profile Cloning: The malware copies entire browser profiles including extensions, storage, and device fingerprints to an attacker’s system, allowing stolen sessions to persist even after logouts. A Target.dll module ensures the cloned profile loads seamlessly on the victim’s device.
The malware’s primary goal is cryptocurrency theft. A background module scans for wallets upon infection, attempting to crack passwords using credentials harvested from the victim’s browser. It bypasses Chrome’s App-Bound Encryption via a COM-elevation technique and includes a clipboard clipper to swap wallet addresses mid-transaction. Additional capabilities include:
- Keystroke logging and clipboard monitoring
- Remote desktop access via TightVNC
- A UAC bypass previously used by LockBit and BlackMatter
- Persistence through registry keys or scheduled tasks
Group-IB, which analyzed the threat, warns that SilabRAT's developer plans to expand its reach by injecting code into Electron-based wallet apps, such as Ledger Live and Trezor Suite. While traditional defenses like MFA and patching can help, the malware's session-hijacking tactics let it bypass even secured logins, because it steals sessions that are already authenticated rather than the credentials used to create them.
Source: https://www.infosecurity-magazine.com/news/silabrat-trojan-session-hijacking/
Trezor cybersecurity rating report: https://www.rankiteo.com/company/trezor
The Security Ledger cybersecurity rating report: https://www.rankiteo.com/company/the-security-ledger
{
  "id": "TRETHE1781108679",
  "linkid": "trezor, the-security-ledger",
  "type": "Cyber Attack",
  "date": "10/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Finance (Cryptocurrency)",
      "location": "Global",
      "type": "Individuals/Cryptocurrency users"
    }
  ],
  "attack_vector": ["Email spam", "ClickFix lures"],
  "data_breach": {
    "data_encryption": "Bypassed (Chrome's App-Bound Encryption)",
    "data_exfiltration": "Yes (cloned browser profiles, wallet data)",
    "personally_identifiable_information": "Yes (browser profiles, session data)",
    "sensitivity_of_data": "High (PII, financial data)",
    "type_of_data_compromised": ["Browser profiles", "Wallet credentials", "Keystrokes", "Clipboard data"]
  },
  "date_detected": "2025",
  "description": "A new remote access trojan (RAT), SilabRAT, has surfaced on dark web forums, designed to bypass passwords and multi-factor authentication (MFA) by hijacking active user sessions to drain cryptocurrency. The malware is offered as a malware-as-a-service (MaaS) and distributed via email spam and ClickFix lures. It evades detection by disguising itself as HijackLoader and includes features like Hidden Virtual Network Computing (HVNC), browser-profile cloning, and cryptocurrency theft capabilities.",
  "impact": {
    "data_compromised": ["Browser profiles", "Wallet credentials", "Keystrokes", "Clipboard data"],
    "financial_loss": "Cryptocurrency theft",
    "identity_theft_risk": "High (session hijacking, PII exposure)",
    "operational_impact": "Remote control of infected machines via HVNC",
    "payment_information_risk": "High (cryptocurrency wallet theft)",
    "systems_affected": "Infected machines (Windows)"
  },
  "initial_access_broker": {
    "backdoors_established": "HVNC, TightVNC",
    "entry_point": ["Email spam", "ClickFix lures"],
    "high_value_targets": "Cryptocurrency wallets"
  },
  "investigation_status": "Ongoing (threat analysis by Group-IB)",
  "lessons_learned": "Traditional defenses like MFA and patching may be insufficient against session-hijacking malware. Enhanced monitoring and behavioral analysis are critical.",
  "motivation": "Financial gain (cryptocurrency theft)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Enhance detection for session cloning and HVNC activity",
      "Improve wallet security measures",
      "Monitor for UAC bypass and COM-elevation techniques"
    ],
    "root_causes": [
      "Malware-as-a-Service (MaaS) distribution model",
      "Session-hijacking capabilities",
      "Evasion techniques (HijackLoader disguise, HVNC)"
    ]
  },
  "recommendations": [
    "Implement behavioral-based detection for HVNC activity",
    "Monitor for unusual session cloning or device fingerprint spoofing",
    "Enhance wallet security with hardware-based solutions",
    "Educate users on phishing and ClickFix lures"
  ],
  "references": [{"source": "Group-IB"}],
  "response": {"third_party_assistance": "Group-IB (threat analysis)"},
  "threat_actor": "o1oo1 (Russian-speaking)",
  "title": "SilabRAT: A Stealthy Crypto-Draining Malware Emerges as MaaS",
  "type": "Malware (RAT)",
  "vulnerability_exploited": ["Session hijacking", "UAC bypass", "COM-elevation technique"]
}