Introduction
By this point, the security community has analyzed countless Remote Access Trojans (RATs), so one might ask: who needs another RAT analysis? Rather than simply cataloging one more piece of malware, this post is an opportunity to show how attacker tooling continues to evolve. While established RAT families remain popular among adversaries, some have begun looking for alternatives: well-known RATs are heavily monitored, and therefore easily classified or detected by modern security solutions.
As a result, attackers frequently experiment with newer, less common tools in an effort to evade detection and extend operational longevity. In this blog, we deep-dive into SilabRAT and look at some of its interesting capabilities.
Key Discoveries
- SilabRAT was first observed for sale on Darkweb forums in late 2025.
- Usually identified as HijackLoader by antivirus engines, a classification that applies to the packer it is delivered with rather than to the RAT itself.
- Utilizes Hidden Virtual Network Computing (HVNC) to facilitate remote control capabilities that remain concealed from the user.
- Session access options also include Browser Profile Cloning to bypass modern session protections (e.g., device fingerprinting, IP binding).
- Has a focus on cryptocurrency-related capabilities—such as identifying wallet addresses or extracting crypto-related artifacts.
Who may find this blog interesting:
- Cybersecurity analysts and corporate security teams
- Malware analysts
- Law enforcement investigators
Group-IB Threat Intelligence Portal: o1oo1
Group-IB customers can access our Threat Intelligence portal for more information about the threat actor and malware mentioned in this blog.
Darkweb Distribution
SilabRAT has been offered as a Malware-as-a-Service (MaaS) in Darkweb communities since at least September 2025. Under this distribution model, buyers pay a monthly subscription to deploy the malware in their own campaigns, while the seller-developer handles all updates and infrastructure setup. The remote access trojan has been advertised across multiple Russian-language cybercriminal forums, including Exploit, XSS, WWH and the ransomware-focused RAMP (before the latter was taken down by the FBI in January 2026).
The subscription price for SilabRAT is stated at $5,000 per month. Unlike some MaaS platforms, this malware uses an operator-hosted model: each buyer runs their own C2 server, and the seller-developer has no access to victim data.

Figure 1: Sale thread for SilabRAT on the cybercriminal forum Exploit.
SilabRAT Seller-Developer
The person behind SilabRAT goes by the moniker “o1oo1”. o1oo1 is a Russian-speaking malware developer and vendor who has been active on underground forums since late 2020. The threat actor started out with entry-level hacking activities – selling bulk SMTP credentials, exchanging data leaks, and participating in carding and phishing discussions.

Figure 2: One of the first messages posted by o1oo1 on the Exploit forum in late 2021.
By 2023, however, o1oo1 had made the jump from buyer to malware developer, launching a private crypter service (“криптер” in Russian, a tool for code obfuscation). The service is known publicly as AsmCrypt and was covered by this Kaspersky blog in 2023.
AsmCrypt offers unique malware stubs written in pure C, with full scantime, runtime, and cloud evasion across x64/x86 and .NET files. This obfuscation tool is still actively promoted in hacking communities, and sold separately at a $3,000-per-month subscription.

Figure 3: AsmCrypt sale thread from XSS forum.

Figure 4: AsmCrypt’s interface shared in one of the forum threads.
AsmCrypt can be considered the intended obfuscation layer for SilabRAT itself – buyers who subscribe to both tools even get a $1,000 discount, creating a malware bundle that covers the full chain from defense evasion to execution and remote control.
Infection Chain
This RAT has already seen real-world use. Over the course of this research, Group-IB analysts observed buyers of SilabRAT deploying it in email spam and ClickFix attack campaigns, with one cybercriminal reporting that more than 90% of infected machines stayed online throughout a month-long campaign. Antivirus scans flagged most of the files as HijackLoader, though this classification applied only to the packer and left the payload itself unclassified.
However, the infection chain of SilabRAT can vary, since cybercriminals run their own campaigns. In the case Group-IB observed, the victim was compromised through the ClickFix social engineering technique. Victims typically encounter a ClickFix prompt through three main vectors: phishing, malicious advertisements, or compromised websites. You can read all about the ClickFix technique in another blog post here.

Figure 5: ClickFix infection chain.
Inside the Web Panel
SilabRAT uses an operator-hosted C2 model – buyers acquire the infrastructure, deploy the web panel themselves, and retain ownership of victim data. No central infrastructure is shared between customers, except for the platform operated by the developer to sell and manage active subscriptions, which is hosted on Tor.

Figure 6: Customer panel for SilabRAT MaaS.
The RAT panel itself is a full bot management interface, giving operators a real-time view of connected machines alongside hardware details, active windows, and running software. From there, operators can task individual bots or groups – to launch HVNC sessions, trigger the stealer, execute payloads via the loader, or monitor keystrokes and clipboard activity. The AutoWallet module runs in the background continuously, automatically attempting to crack passwords on any cryptocurrency wallets that arrive from new infections.

Figure 7: SilabRAT bot management interface.

Figure 8: SilabRAT web interface (unauthorized).

Figure 9: Event manager in the web panel.

Figure 10: Downloader interface in the control panel.
Additionally, SilabRAT customers can set up mirrors of their own web panel with limited access, allowing affiliates/workers to access live victim sessions simultaneously.

Figure 11: SilabRAT affiliate web panel access.
SilabRAT Capabilities
Credential extraction and auto-cracking
Features related to credential extraction are a significant selling point for potential buyers. Beyond simply collecting cryptocurrency wallet data and stored credentials, the panel also advertises functionality that assists buyers in automatically cracking wallet passwords. This is achieved by leveraging passwords harvested from the victim’s browser data, which are then used to attempt password recovery for encrypted wallets. By integrating this capability directly into the panel, the service reduces the need for buyers to rely on external password-cracking tools, making the overall process more streamlined and convenient for operators.

Figure 12: AutoVault module cracking crypto wallet passwords.

Figure 13: List of supported cryptocurrency wallets.
Bypass Chrome App-Bound Encryption
Chrome App-Bound Encryption (ABE) is a feature introduced in Chrome version 127 that encrypts sensitive browser secrets in a way that is cryptographically tied to Chrome’s own process identity, so that even if malware runs as the same user and can call the Windows Data Protection API, it still cannot decrypt those secrets unless it is the legitimate Chrome process itself.
SilabRAT uses an additional DLL named “APPB.dll” that applies the widely used COM elevation technique to bypass ABE: it creates an instance of the GoogleChromeElevationService and invokes its DecryptData method to decrypt the “app_bound_encrypted_key”, which is then used to decrypt the encrypted cookies.
Besides the above, other methods exist to bypass App-Bound Encryption, such as elevating to SYSTEM, launching the browser with the remote debugging port enabled (made harder from Chrome version 136), or dumping the key from process memory.
Session hijacking
Session hijacking is often more effective than password theft because it compromises an active authenticated session. This allows attackers to bypass authentication mechanisms, including passwords and multi-factor authentication.
Traditionally, session hijacking is achieved by stealing cookies: an old-school technique in which an attacker steals active session cookies and imports them into their own browser to impersonate the victim. However, many modern websites now bind sessions to additional factors, such as device fingerprints and IP addresses, so merely importing cookies no longer suffices, which has led to additional bypass techniques such as browser profile cloning.

Figure 14: Stealing cookies
Browser profile cloning involves replicating the victim’s browser environment (user agent, extensions, storage, and other fingerprinting attributes) onto another device to bypass these protections. SilabRAT clones a user’s browser profile to the attacker’s system, and the panel claims to provide a custom Chromium build to import these sessions reliably.
HVNC
As browser protections mature, for example by cryptographically binding sessions to a user’s physical device, attackers are shifting their tradecraft toward techniques that use active sessions directly on the compromised system, such as Hidden Virtual Network Computing (HVNC). Buyers often prefer it because it reliably bypasses such fraud prevention measures. It lets attackers “invisibly” control a compromised machine, perform financial transactions, or access sensitive information without the victim noticing. There are no on‑screen indicators: no mouse movement, no windows popping up. And because the activity originates from the victim’s real device and IP address, many security systems treat it as a “legitimate” user session rather than remote access by an attacker.

Figure 15: HVNC session in progress on SilabRAT panel.
SilabRAT uses a separate DLL called Target.dll that hooks several low-level file and process APIs, such as NtOpenFile and ZwQueryFullAttributesFile, to intercept the browser’s requests for the user’s profile directory. Instead of letting the browser access its original data, the hooks redirect all file operations to a cloned copy of the profile, so the browser runs on the duplicate. This HVNC implementation lets SilabRAT run a hidden browser session with the victim’s data while leaving the original environment untouched.
Defense evasion
SilabRAT’s built-in defense evasion is currently limited to a straightforward bypass of the Anti-Malware Scan Interface (AMSI): it uses the MinHook library to hook the AmsiScanBuffer and AmsiScanString functions and interfere with their results.
It also contains anti-forensics tricks that tamper with the PEB so that debuggers and analysis tools believe the “main executable” is kernel32. Because of this minimal built-in evasion, the author strongly recommends pairing the RAT with a crypter, which is offered for sale at a discount.
UAC bypass
When necessary, SilabRAT attempts to bypass Windows User Account Control (UAC) by elevating privileges through the ICMLuaUtil COM interface. This is a common bypass found in popular ransomware such as LockBit and BlackMatter. As such, it presents a good opportunity for detection.
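Detection logic for the ICMLuaUtil bypass mentioned above, as an added example (not the article’s or Group-IB’s code): it parses constructed Sysmon Event ID 1 records and flags elevated children of the dllhost.exe COM surrogate that hosts the CMSTPLUA class. The CLSID is the publicly documented value for CMSTPLUA, not one taken from the article, and the field names follow Sysmon’s text rendering.

```python
from typing import Dict, List

# CLSID of the CMSTPLUA COM server whose ICMLuaUtil interface is auto-elevated.
# Well-known public value; it does not appear in the SilabRAT article itself.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
ELEVATED_LEVELS = {"High", "System"}


def parse_sysmon_text(log: str) -> List[Dict[str, str]]:
    """Parse blank-line-separated 'Field: value' records (Sysmon Event ID 1 text rendering)."""
    records = []
    for block in log.strip().split("\n\n"):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def is_icmluautil_bypass(ev: Dict[str, str]) -> bool:
    """True when a process is a High/System-integrity child of the CMSTPLUA dllhost.exe surrogate."""
    parent = ev.get("ParentImage", "").lower()
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    return (parent.endswith("\\dllhost.exe")
            and ("/processid:" + CMSTPLUA_CLSID.lower()) in parent_cmd
            and ev.get("IntegrityLevel") in ELEVATED_LEVELS)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the process-creation events that match the bypass pattern."""
    return [ev for ev in events if is_icmluautil_bypass(ev)]


# Constructed Sysmon-style records: one bypass, one unrelated COM surrogate
# (constructed CLSID), and one ordinary user-launched shell.
SAMPLE_LOG = r"""
Image: C:\Users\Public\update.exe
CommandLine: "C:\Users\Public\update.exe"
IntegrityLevel: High
ParentImage: C:\Windows\System32\dllhost.exe
ParentCommandLine: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

Image: C:\Windows\System32\rundll32.exe
CommandLine: rundll32.exe shell32.dll,Control_RunDLL
IntegrityLevel: Medium
ParentImage: C:\Windows\System32\dllhost.exe
ParentCommandLine: C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}

Image: C:\Windows\System32\cmd.exe
CommandLine: "C:\Windows\System32\cmd.exe"
IntegrityLevel: Medium
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE
"""

if __name__ == "__main__":
    for hit in detect(parse_sysmon_text(SAMPLE_LOG)):
        print("ICMLuaUtil UAC bypass suspected:", hit["Image"])
```

In production the rule needs a small allowlist for legitimate elevated children of this surrogate, which is the usual tuning step for this pattern.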
Persistence
Persistence can be additionally configured. The implementation is relatively straightforward, supporting two primary methods. The first leverages Registry Run keys to achieve execution at user logon. The second method utilizes Scheduled Tasks, allowing the malware to execute at predefined intervals or specific system events.
Other common capabilities
SilabRAT is equipped with a comprehensive set of capabilities commonly observed in other Malware-as-a-Service (MaaS) RATs and information stealers, including keylogging to capture user keystrokes, clipboard monitoring, and clipping (swapping cryptocurrency addresses found in the clipboard).
In addition to credential and data theft, SilabRAT provides several system management and remote control features that let attackers interact directly with an infected machine. It supports remote desktop via TightVNC, allowing the operator to monitor the victim’s desktop. Additional modules enable remote process execution and downloading of further payloads, allowing attackers to deploy additional malware after the initial compromise.
Future development: Electron injects
SilabRAT’s evolution is still far from complete. In forum posts, the author has described plans to implement fully customizable injection capabilities targeting Electron-based applications, including widely used cryptocurrency management platforms such as Ledger Wallet and Trezor Suite. The goal is to enable tailored manipulation of the applications’ runtime behavior by injecting malicious code directly into their Electron processes.
Further Technical Analysis
Configuration details
The RAT uses a plaintext configuration that contains filenames and folder names. These names appear to be randomly generated, as in the sample SilabRAT configuration below:
{
"tag":"work",
"buildId":"main",
"dd":"%ALLUSERSPROFILE%\\Focosox", // base directory
"ef":"Biha", // events file
"sf":"Yeti", // software file
"kf":"Rodayif", // keylogger file
"c":"Nodamoqa", // subfolder
"ab":"cubouclea", // subfolder for appbound-rel files
"e":true
}
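A small hunting helper for the configuration format above, added here as an example (not code from the article or from the malware): it parses the annotated config, expands the %ALLUSERSPROFILE% token, and lists the directories and files a host triage should look for. The environment value and the host directory listing are constructed for the example.

```python
import json
import re
from typing import Dict, List

# Constructed copy of the SilabRAT configuration quoted in the article. The
# analyst's "// ..." annotations make it non-strict JSON, so json.loads()
# rejects it as-is; strip_line_comments() below removes them first.
SAMPLE_CONFIG = r'''{
"tag":"work",
"buildId":"main",
"dd":"%ALLUSERSPROFILE%\\Focosox", // base directory
"ef":"Biha", // events file
"sf":"Yeti", // software file
"kf":"Rodayif", // keylogger file
"c":"Nodamoqa", // subfolder
"ab":"cubouclea", // subfolder for appbound-rel files
"e":true
}'''

# Matches a complete JSON string literal first, so a "//" inside a value is never
# mistaken for a comment; anything matched as a comment is dropped.
_STR_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')


def strip_line_comments(text: str) -> str:
    """Drop // comments that sit outside string literals; strings are kept verbatim."""
    return _STR_OR_COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)


def parse_config(text: str) -> Dict[str, object]:
    return json.loads(strip_line_comments(text))


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens from a supplied mapping; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def expected_artifacts(cfg: Dict[str, object], env: Dict[str, str]) -> Dict[str, List[str]]:
    """Turn the short config keys into the on-disk paths a hunt should look for."""
    base = expand_env(str(cfg["dd"]), env)
    return {
        "dirs": [base] + [base + "\\" + str(cfg[k]) for k in ("c", "ab")],
        "files": [base + "\\" + str(cfg[k]) for k in ("ef", "sf", "kf")],
    }


def hunt(artifacts: Dict[str, List[str]], present_paths: List[str]) -> List[str]:
    """Return expected artifacts found in a host's path listing (case-insensitive, NTFS-style)."""
    wanted = {p.lower(): p for p in artifacts["dirs"] + artifacts["files"]}
    return sorted({wanted[p.lower()] for p in present_paths if p.lower() in wanted})


# Constructed directory listing from a hypothetical host, with one unrelated entry.
SAMPLE_LISTING = [
    r"C:\ProgramData\Focosox",
    r"C:\ProgramData\Focosox\biha",
    r"C:\ProgramData\Microsoft\Windows",
]

if __name__ == "__main__":
    arts = expected_artifacts(parse_config(SAMPLE_CONFIG), {"ALLUSERSPROFILE": r"C:\ProgramData"})
    print(hunt(arts, SAMPLE_LISTING))
```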
The Command-and-Control (C2) IP address and ports are encapsulated within a separate encrypted blob of 0x1B2 bytes. This blob employs multiple layers of obfuscation, combining encryption and compression algorithms such as ChaCha20-Poly1305, Snappy, Base58 and LZMA.
Decrypted traffic data
During the initial key exchange handshake, the server provides a key–nonce pair that serves as the cryptographic material for subsequent communications. All exchanged traffic is then compressed using Snappy and encrypted with ChaCha20-Poly1305.
Analysis of the decrypted traffic reveals that the server delivers configuration parameters to the client. It also uncovers some of the potentially targeted applications that may be of interest to the developer and/or attackers using SilabRAT:

Figure 16: Crypto-clipping configuration to swap address.

Figure 17: Some of the targeted applications.
Conclusion
Attackers constantly seek tools that are stable, maintain consistent uptime, and are hard to detect (“fully undetectable”, FUD). When evaluating RAT capabilities, cybercriminals often prioritize features that support data theft and account compromise and that align with their operational goals. For the opportunistic, financially motivated cybercriminals observed in this case, these commonly include credential harvesting, browser cookie extraction, and password recovery functions. In addition, cryptocurrency-related capabilities — such as identifying wallet addresses or extracting crypto-related artifacts — have become increasingly important as attackers seek to monetize access to infected machines.
Despite the abundance of well-documented RATs, analyzing emerging variants remains valuable as attacker priorities and defence evasion techniques continue to evolve. Recognizing these trends will help defenders better anticipate the capabilities and priorities that shape modern commodity malware.
Recommendations
- Stay alert to any requests asking you to download, open, or execute files. Always verify the source and ensure it’s trustworthy before proceeding, in order to protect your device and data from potential cyber threats.
- Implement robust email and web filtering solutions to block known malicious sources and detect phishing attempts, which are common initial vectors for RAT infections such as the ClickFix social engineering technique.
- Enforce the use of Multi-Factor Authentication (MFA) across all critical services. While session hijacking (via cookie or browser profile cloning) can bypass passwords, MFA significantly increases the difficulty for attackers to gain initial unauthorized access or persist on compromised accounts.
- Regularly update and patch operating systems, browsers (especially Chrome, given the ABE bypass feature), and other software to mitigate vulnerabilities exploited by initial loaders and to ensure that modern security protections (like Chrome’s App-Bound Encryption) are functioning against RAT extraction techniques.
- Keeping your organization secure requires ongoing vigilance. Using a proprietary solution like Group-IB’s Threat Intelligence can enhance your security posture by providing teams with advanced insights into emerging cyber threats, allowing you to identify potential risks sooner and implement defenses more proactively.
Frequently Asked Questions (FAQ)
1. What is a Remote Access Trojan (RAT)?
A remote access trojan (RAT) is malware that grants unauthorized remote access to a target’s device. This sophisticated threat allows attackers to control compromised systems undetected. Upon installation, RATs enable various malicious activities, such as monitoring user behavior, extracting sensitive information, and deploying additional malware. Read more about RATs in the Group-IB knowledge hub.
2. What are some of the capabilities of SilabRAT?
- Remote control & monitoring: Utilizes Hidden Virtual Network Computing (HVNC) for invisible remote control, offers remote desktop via TightVNC, and can execute remote commands/payloads.
- Data & credential theft: Steals browser data, extracts active session cookies, captures keystrokes (keylogging), and monitors clipboard activity.
- Cryptocurrency operations: Automatically attempts to crack cryptocurrency wallet passwords, can identify wallet addresses and extract crypto-related artifacts.
- Session access: Session hijacking and/or cloning victim browser profile to an attacker’s system to bypass device fingerprinting and IP binding protections.
3. How is SilabRAT distributed?
SilabRAT is developed by the threat actor known as o1oo1 and is sold as a Malware-as-a-Service (MaaS) on the Darkweb and Russian-language cybercriminal forums (such as Exploit, XSS, WWH, and RAMP) via a monthly subscription model.
MITRE ATT&CK
| Tactic | Techniques |
| Execution | T1059 – Command and Scripting Interpreter; T1047 – Windows Management Instrumentation; T1204 – User Execution |
| Persistence | T1053 – Scheduled Task/Job; T1547 – Boot or Logon Autostart Execution |
| Privilege Escalation | T1134 – Access Token Manipulation; T1548 – Abuse Elevation Control Mechanism |
| Defense Evasion | T1480 – Execution Guardrails; T1562 – Impair Defenses; T1218 – System Binary Proxy Execution; T1027 – Obfuscated Files or Information; T1497 – Virtualization/Sandbox Evasion |
| Credential Access | T1552 – Unsecured Credentials; T1056 – Input Capture; T1539 – Steal Web Session Cookie; T1555 – Credentials from Password Stores |
| Discovery | T1087 – Account Discovery; T1217 – Browser Information Discovery; T1083 – File and Directory Discovery; T1057 – Process Discovery; T1518 – Software Discovery; T1082 – System Information Discovery |
| Lateral Movement | T1021 – Remote Services |
| Collection | T1560 – Archive Collected Data; T1185 – Browser Session Hijacking; T1115 – Clipboard Data; T1114 – Email Collection; T1113 – Screen Capture |
| Command and Control | T1071 – Application Layer Protocol; T1001 – Data Obfuscation; T1571 – Non-Standard Port |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Impact | T1657 – Financial Theft |
Indicators of Compromise (IOCs)
File Indicators
| SHA256 | Classification |
| fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023 | SilabRAT |
| 3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b | APPBDLL.dll (64bit) |
| fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623 | APPBDLL.dll (32bit) |
| 79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5 | Target.dll |
Network IOCs
- 91.199.163[.]124
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.