New Remote Access Trojan Targets Cryptocurrency: SilabRAT
A recently discovered remote access trojan (RAT), SilabRAT, is being sold on dark web forums and is built specifically to drain cryptocurrency from victims. Its most notable capability is hijacking a user's already-authenticated browser sessions: the attacker never logs in, so neither the password nor multi-factor authentication is ever challenged.
According to an analysis released by cybersecurity firm Group-IB, SilabRAT has been offered since late 2025 as malware-as-a-service (MaaS) at around $5,000 per month. The subscription model matters as much as the tooling: a buyer needs a budget, not development skill, which is how capable malware keeps getting commoditized.
The developer behind SilabRAT uses the handle o1oo1 and is believed to be a Russian-speaking actor. o1oo1 also sells a code-obfuscation tool named AsmCrypt and offers a discount to customers who buy both products.
SilabRAT campaigns are typically run by the buyers, who rely on email spam and lures such as ClickFix to distribute the malware. Notably, antivirus products frequently detect only the HijackLoader packer wrapping SilabRAT rather than the payload itself, so a detection name alone tells a responder little about what actually ran. One operator claimed that more than 90% of infected systems stayed online throughout a month-long operation; if accurate, that points to infections going largely unnoticed rather than to any special resilience in the malware.
Mechanisms of Control: HVNC and Browser-Profile Cloning
Two features set SilabRAT apart from commodity RATs. First, it includes a hidden virtual network computing (HVNC) component that lets operators control a compromised machine on a hidden desktop, with no window or cursor movement visible to the user. Because every request originates from the victim's own device and IP address, server-side checks that key on geography, IP reputation or a new device see nothing unusual and treat the activity as legitimate.
Second, SilabRAT performs browser-profile cloning, which goes beyond cookie theft. Modern web applications commonly bind a session to a device fingerprint or IP address, so a stolen cookie replayed from an attacker's machine is often rejected. SilabRAT instead copies the entire browser profile, including extensions, stored data and the traits that make up the fingerprint, so the session can be resumed looking exactly as it did for the victim.
The two functions are designed to work together. SilabRAT ships a dynamic-link library (DLL) named Target.dll that intercepts low-level file calls so the browser opens the cloned profile instead of the real one. A hidden browser session can then operate on the victim's live data while the user's visible desktop is left untouched.
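The mechanism above gives defenders two host-side observables: a browser process started on a profile directory it should not be using, and an unexpected module loaded into that browser. The following is an added hunting example written for this article, not code from Group-IB or from the malware analysis. It runs two generic heuristics over constructed Sysmon-style events; the browser list, the accepted signers, the profile roots and the sample events are all assumptions, and it keys on signature and path rather than on the filename Target.dll, because a filename is trivial for an operator to change.

```python
import re
from dataclasses import dataclass

# Browser executables we care about (assumption: extend for other Chromium builds).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Signers we accept for modules inside a browser process (assumption; tune per vendor).
TRUSTED_SIGNERS = {"Google LLC", "Microsoft Corporation", "Microsoft Windows"}
# Where these browsers keep their default profile under a user's home directory.
DEFAULT_PROFILE_ROOTS = (
    r"\AppData\Local\Google\Chrome\User Data",
    r"\AppData\Local\Microsoft\Edge\User Data",
    r"\AppData\Local\BraveSoftware\Brave-Browser\User Data",
)
USER_DATA_DIR = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def check_image_load(ev):
    """A module loaded into a browser that is unsigned, or signed by an unexpected
    publisher, is how an injected file-redirection DLL would show up."""
    if ev["process"].lower() not in BROWSERS:
        return None
    if ev.get("signed") and ev.get("signer") in TRUSTED_SIGNERS:
        return None
    return Finding("untrusted_module_in_browser", ev["process"], ev["image"])


def check_process_create(ev):
    """A browser started with --user-data-dir pointing outside its normal profile
    root is running on a profile the user did not create there."""
    if ev["process"].lower() not in BROWSERS:
        return None
    m = USER_DATA_DIR.search(ev.get("cmdline", ""))
    if not m:
        return None  # default profile, nothing to say
    path = m.group(1) or m.group(2)
    if any(root.lower() in path.lower() for root in DEFAULT_PROFILE_ROOTS):
        return None
    return Finding("browser_nondefault_profile_dir", ev["process"], path)


def hunt(events):
    """Run both checks over Sysmon-style event dicts; return findings in order."""
    findings = []
    for ev in events:
        if ev["event"] == "image_load":
            f = check_image_load(ev)
        elif ev["event"] == "process_create":
            f = check_process_create(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real logs): a normal Chrome start, a
# Google-signed module, then a browser on a temp-dir profile loading an unsigned DLL.
SAMPLE_EVENTS = [
    {"event": "process_create", "process": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"event": "image_load", "process": "chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
     "signed": True, "signer": "Google LLC"},
    {"event": "process_create", "process": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir=C:\Users\alice\AppData\Local\Temp\clone --no-first-run'},
    {"event": "image_load", "process": "chrome.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Target.dll", "signed": False, "signer": ""},
    {"event": "image_load", "process": "explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Target.dll", "signed": False, "signer": ""},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.rule, f.process, f.detail)
```

Both rules will fire on legitimate software occasionally (portable browser builds, some endpoint agents), so treat them as hunting leads to triage alongside the HVNC and persistence indicators rather than as blocking signatures.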
Cryptocurrency Targeting: A Lucrative Pursuit
SilabRAT is designed first and foremost to steal cryptocurrency. After infection, a background module continuously scans the host for wallets from a predefined list of supported wallet software, then tries to unlock each one using passwords harvested from the victim's browser, a bet on password reuse between websites and wallets.
To reach those browser secrets, SilabRAT bypasses Chrome's App-Bound Encryption using a COM-elevation technique. A clipboard clipper component additionally watches the clipboard and replaces any copied wallet address with an attacker-controlled one, so that funds the victim sends during a transaction are diverted in transit.
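A clipper relies on the victim pasting without looking, and on nobody watching the clipboard. The example below is added here to illustrate the clipper behaviour described above; it is not SilabRAT code or analysis code from Group-IB. It implements two checks a practitioner can apply: a monitor that flags the clipper's signature pattern (two different address-shaped values written to the clipboard a few milliseconds apart) and a paste-time guard a wallet UI can apply. The address patterns, the time window and the clipboard timeline are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Address shapes for the chains clippers most often target. Format checks only;
# no checksum validation, which is enough for "does this look like an address".
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return name
    return None


@dataclass
class Swap:
    t_ms: int
    original: str
    replaced_with: str
    from_kind: str
    to_kind: str


def detect_swaps(writes, window_ms=1500):
    """writes: clipboard write events as (t_ms, text), in time order.

    A clipper overwrites the clipboard right after the user copies an address, so
    the tell-tale pattern is two address-shaped values, different from each other,
    written within a short window. People do not copy two addresses 40 ms apart."""
    swaps = []
    for (t0, a), (t1, b) in zip(writes, writes[1:]):
        ka, kb = classify(a), classify(b)
        if ka and kb and a.strip() != b.strip() and 0 <= t1 - t0 <= window_ms:
            swaps.append(Swap(t1, a.strip(), b.strip(), ka, kb))
    return swaps


def safe_to_paste(copied, clipboard_now):
    """Guard a wallet UI can apply: accept the paste only if the clipboard still
    holds exactly what the user copied a moment ago."""
    return copied.strip() == clipboard_now.strip()


# Constructed clipboard timeline (not captured from a real host). The clipper
# strikes twice: once same-format (ETH to ETH), once across formats (legacy to bech32).
SAMPLE_WRITES = [
    (1000, "meeting moved to 3pm"),
    (5000, "0x" + "1" * 40),                           # user copies the payee address
    (5040, "0x" + "2" * 40),                           # clipper overwrites it 40 ms later
    (9000, "1TestAddress" + "A" * 22),
    (9050, "bc1q" + "swapped" * 5 + "aaa"),            # cross-format swap
    (20000, "0x" + "3" * 40),
    (25000, "0x" + "4" * 40),                          # 5 s apart: a person, not a clipper
]

if __name__ == "__main__":
    for s in detect_swaps(SAMPLE_WRITES):
        print(f"t={s.t_ms}ms {s.from_kind} -> {s.to_kind}: {s.original} replaced by {s.replaced_with}")
```

The monitor needs an event source that records each clipboard write, which on Windows means hooking clipboard change notifications; the paste-time guard needs no telemetry at all and is the cheaper control for wallet and exchange front ends to ship.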
Alongside these specialised functions, SilabRAT carries the conventional RAT feature set:
- Keystroke logging and clipboard capture
- Remote desktop access via TightVNC
- User account control bypass, a tactic also seen in infamous strains like LockBit and BlackMatter
- Persistence mechanisms, utilizing registry keys or scheduled tasks to ensure ongoing access
Group-IB expects the cryptocurrency focus to deepen, citing the developer's stated intent to target Electron-based wallet applications such as Ledger Live and Trezor Suite.
Group-IB urges organizations and individuals to enforce multi-factor authentication (MFA), keep Chrome and other software up to date, and strengthen phishing and web filtering. The caveat, which the firm itself notes, is that these controls protect the login rather than the session: a hijacked session is already past the password and MFA prompts, so relying parties also need short session lifetimes, re-authentication before sensitive actions, and a way to revoke sessions when something looks wrong.
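To make the caveat concrete, here is an added server-side example written for this article (not code from Group-IB or from any exchange). It shows why a fingerprint-and-IP binding check passes a cloned profile replayed from the victim's own machine, and what step-up authentication for sensitive actions changes. The session fields, the action list, the five-minute freshness window and the walk-through are all constructed assumptions.

```python
from dataclasses import dataclass

FRESH_MFA_SECONDS = 300  # how recent the last MFA must be for a sensitive action (assumption)
STEP_UP_ACTIONS = {"withdraw", "change_payout_address", "create_api_key"}


@dataclass
class Session:
    user: str
    fingerprint: str      # whatever the server bound the cookie to (UA, canvas hash, ...)
    ip: str
    last_mfa_at: float    # epoch seconds of the last completed MFA challenge
    revoked: bool = False


@dataclass
class Request:
    session: Session
    fingerprint: str
    ip: str
    action: str
    now: float


def binding_check(req):
    """The usual defence against cookie theft: cookie valid, fingerprint and IP match.
    A cloned profile driven through HVNC on the victim's machine passes this by construction."""
    s = req.session
    return (not s.revoked) and req.fingerprint == s.fingerprint and req.ip == s.ip


def authorize(req):
    """Return 'deny', 'step_up' or 'allow'. Sensitive actions require an MFA
    completion newer than FRESH_MFA_SECONDS, however old the login itself is."""
    if not binding_check(req):
        return "deny"
    if req.action in STEP_UP_ACTIONS and req.now - req.session.last_mfa_at > FRESH_MFA_SECONDS:
        return "step_up"
    return "allow"


def complete_mfa(session, now):
    """Called only after the user passes a fresh challenge; then the action can proceed."""
    session.last_mfa_at = now


def scenario():
    """Constructed walk-through: Alice logged in with MFA at t=0. An hour later a
    hidden session with her cloned profile, on her own machine, tries to withdraw."""
    alice = Session("alice", "fp-7c1e", "203.0.113.5", last_mfa_at=0.0)
    hidden = Request(alice, "fp-7c1e", "203.0.113.5", "withdraw", now=3600.0)
    results = {
        "binding_passes": binding_check(hidden),   # True: nothing for binding to key on
        "withdraw": authorize(hidden),             # "step_up": login MFA is an hour old
        "view_balance": authorize(Request(alice, "fp-7c1e", "203.0.113.5", "view_balance", 3600.0)),
        "replay_from_attacker_ip": authorize(Request(alice, "fp-7c1e", "198.51.100.9", "withdraw", 3600.0)),
    }
    complete_mfa(alice, 3620.0)                    # Alice herself passes the fresh challenge
    results["withdraw_after_fresh_mfa"] = authorize(
        Request(alice, "fp-7c1e", "203.0.113.5", "withdraw", 3650.0))
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The step-up only helps if the second factor is something the hidden session cannot produce on the victim's behalf: a hardware key that needs a physical touch, or an out-of-band confirmation that shows the destination address and amount. A keylogged one-time code or a push prompt the victim taps through reflexively would be captured or approved just as the original login was.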