New Salat Malware Uses QUIC and WebSocket Channels for Stealthy Remote Control
Cybersecurity News
By Tushar Subhra Dutta
May 7, 2026
A newly identified malware called Salat is raising serious alarms across the cybersecurity community for its sophisticated design and surprisingly wide range of capabilities. Built using the Go programming language, it operates as a full remote access trojan, giving attackers deep and persistent access to any system it infects.
Unlike simpler tools that focus on one task, Salat is engineered to do everything from stealing passwords to giving attackers live visibility into a victim’s screen and webcam.
What makes Salat particularly concerning is how it manages communication with its operators. It uses modern protocols, specifically QUIC and WebSocket, to blend its traffic into normal internet activity, making it much harder for security tools to flag anything suspicious.
The malware is designed not just to attack a target but to remain completely hidden while doing so, which sets it apart from most known threats.
Malware derives its first decryption key by applying an MD5 hash (Source – DarkAtlas)
Researchers from DarkAtlas identified and analyzed the malware in detail, publishing their findings on May 6, 2026. The team noted that Salat reflects careful and professional planning, including six different methods for concealing its internal strings and a system that generates a unique identity for each infected machine based on the device’s hostname and hardware profile.
Once inside a system, Salat begins collecting information right away. It gathers details about the operating system, CPU, GPU, memory, and the application the user currently has open. All of this is packaged and sent to the attacker’s server in encrypted form, giving them a full and detailed picture of the machine they now control.
The JSON is encrypted and POSTed to the C2 server (Source – DarkAtlas)
The malware’s reach extends to browsers, cryptocurrency wallets, messaging applications, and clipboard contents. It can record keystrokes, take screenshots, stream the desktop live, and open a remote shell for direct command execution. Salat essentially hands full operational control of an infected machine to whoever is running it from the other side.
QUIC and WebSocket for Silent Communication
Salat is engineered to select the best available method for talking to its command server, and it strongly favors QUIC and WebSocket channels above all others.
These protocols are widely used by legitimate web services, which helps the malware’s traffic blend naturally into everyday network activity. Only if both are unavailable does it fall back to standard HTTP/2.
System Enumeration and Initial Beacon (Source – DarkAtlas)
The addresses of its command servers are stored in a doubly encrypted format inside the binary, making them very difficult to extract during analysis. Once decoded, five separate server addresses were recovered, all sharing the same path structure. If the malware fails to connect after five consecutive attempts, it automatically rotates to the next server on its list.
What is especially notable is Salat’s backup plan using the TON blockchain. If every hardcoded server becomes unreachable, the malware queries the TON network through Cloudflare’s encrypted DNS service to retrieve a fresh server address. This makes the malware nearly impossible to fully cut off, since the blockchain itself cannot simply be taken offline.
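The server rotation described above leaves a pattern in proxy or flow logs: one client fails repeatedly against a host, then requests the same path on a different host. The following is an added hunting sketch, not code from DarkAtlas or the article; the record layout, hostnames and the `/gate/` path are constructed for illustration.

```python
FAIL_THRESHOLD = 5  # the article: rotation after five consecutive failed attempts

def find_rotations(records, threshold=FAIL_THRESHOLD):
    """Return (client, failed_host, next_host, path) for each matching failover."""
    hits, state = [], {}  # state: (client, path) -> (current host, consecutive failures)
    for _ts, client, host, path, ok in sorted(records):
        if path in ("", "/"):
            continue  # root path is shared by unrelated sites; too noisy to correlate
        key = (client, path)
        prev_host, fails = state.get(key, (None, 0))
        # Same client, same path, new host, right after a run of failures.
        if prev_host not in (None, host) and fails >= threshold:
            hits.append((client, prev_host, host, path))
        if prev_host == host:
            fails = 0 if ok else fails + 1
        else:
            fails = 0 if ok else 1
        state[key] = (host, fails)
    return hits

# Constructed records: (timestamp, client, dest_host, url_path, connected_ok)
SAMPLE_LOG = [
    (1, "10.0.0.5", "host-a.example", "/gate/", False),
    (2, "10.0.0.5", "cdn.example", "/app.js", True),   # unrelated traffic in between
    (3, "10.0.0.5", "host-a.example", "/gate/", False),
    (4, "10.0.0.5", "host-a.example", "/gate/", False),
    (5, "10.0.0.5", "host-a.example", "/gate/", False),
    (6, "10.0.0.5", "host-a.example", "/gate/", False),
    (7, "10.0.0.5", "host-b.example", "/gate/", True),  # rotation after five failures
    (8, "10.0.0.9", "api.example", "/v1/status", False),
    (9, "10.0.0.9", "api.example", "/v1/status", False),
    (10, "10.0.0.9", "api-backup.example", "/v1/status", True),  # only two failures
]

if __name__ == "__main__":
    for hit in find_rotations(SAMPLE_LOG):
        print("possible C2 failover:", hit)
```

Legitimate clients with fallback endpoints can produce the same shape, so treat a hit as a lead to correlate with destination reputation rather than as a verdict.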
Data Theft and Persistence on Infected Machines
Salat’s ability to steal data goes well beyond most malware tools. It targets saved passwords and cookies from Chromium and Firefox browsers, pulls tokens from Discord and Steam, and raids cryptocurrency wallet files. Everything collected is compressed into a ZIP archive before being sent out, keeping transfers small and harder to detect.
To survive reboots, Salat uses three separate persistence methods. It copies itself to a folder under a disguised name, such as explorer.exe or svchost.exe, and marks the file as hidden from view. It also creates a scheduled task that runs at every user login and repeats every 30 minutes, and it adds a registry key to launch itself each time Windows starts.
Security teams are advised to monitor for unusual outbound connections over QUIC or WebSocket protocols, especially to unfamiliar domains. Watching for hidden system files that share names with legitimate Windows processes is equally important.
Keeping endpoint tools updated to detect Go-based malware and auditing unknown scheduled tasks will significantly reduce the risk of a Salat infection going undetected.
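The three persistence methods and the monitoring advice above can be combined into one triage pass over endpoint inventory data. This is an added example, not tooling from the article or DarkAtlas; the inventory field names and sample records are hypothetical and constructed, and the legitimate paths listed are the standard Windows locations for the two process names.

```python
import ntpath

# Real locations of the two names the article says Salat copies itself under.
LEGIT = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
}

def masquerades(path):
    """True if the file borrows a Windows process name but sits elsewhere."""
    p = ntpath.normcase(path)
    name = ntpath.basename(p)
    return name in LEGIT and p not in LEGIT[name]

def triage(files, tasks, run_keys):
    """Return {binary path: signals} for binaries hit by two or more persistence signals."""
    signals = {}
    def add(path, sig):
        signals.setdefault(ntpath.normcase(path.strip('"')), set()).add(sig)
    for f in files:
        if f["hidden"] and masquerades(f["path"]):
            add(f["path"], "hidden-masquerade")
    for t in tasks:  # logon trigger plus 30-minute repetition, as described
        if "logon" in t["triggers"] and t["repeat_minutes"] == 30:
            add(t["action"], "logon-task-30m")
    for r in run_keys:
        add(r["command"], "run-key")
    return {p: s for p, s in signals.items() if len(s) >= 2}

# Constructed inventory for one host (field names are hypothetical).
DROP = r"C:\Users\alice\AppData\Roaming\Cache\svchost.exe"
FILES = [
    {"path": r"C:\Windows\System32\svchost.exe", "hidden": False},
    {"path": DROP, "hidden": True},
]
TASKS = [
    {"name": "Updater", "triggers": ["logon"], "repeat_minutes": 60,
     "action": r"C:\Program Files\Vendor\update.exe"},
    {"name": "HostSvc", "triggers": ["logon"], "repeat_minutes": 30, "action": DROP},
]
RUN_KEYS = [
    {"value": "Vendor", "command": r'"C:\Program Files\Vendor\tray.exe"'},
    {"value": "HostSvc", "command": f'"{DROP}"'},
]

if __name__ == "__main__":
    for path, sigs in triage(FILES, TASKS, RUN_KEYS).items():
        print(path, sorted(sigs))
```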
Indicators of Compromise (IoCs)