SilabRAT: A Stealthy Crypto-Draining Malware Emerges as MaaS A new remote access trojan (RAT), SilabRAT, has surfaced on dark web forums, designed to bypass passwords and multi-factor authentication (MFA) by hijacking active user sessions to drain cryptocurrency. First advertised in late 2025 by a Russian-speaking threat actor known as o1oo1, the malware is offered as a malware-as-a-service (MaaS) for $5,000 per month. Buyers who often distribute it via email spam and ClickFix lures have reported success rates, with over 90% of infected machines remaining online during month-long campaigns. SilabRAT evades detection by disguising itself as HijackLoader, a known packer, rather than its true payload. Its standout features include: - Hidden Virtual Network Computing (HVNC): Operators control infected machines without visible windows or cursor movement, making activity appear as legitimate user sessions. - Browser-Profile Cloning: The malware copies entire browser profiles including extensions, storage, and device fingerprints to an attacker’s system, allowing stolen sessions to persist even after logouts. A Target.dll module ensures the cloned profile loads seamlessly on the victim’s device. The malware’s primary goal is cryptocurrency theft. A background module scans for wallets upon infection, attempting to crack passwords using credentials harvested from the victim’s browser. It bypasses Chrome’s App-Bound Encryption via a COM-elevation technique and includes a clipboard clipper to swap wallet addresses mid-transaction. Additional capabilities include: - Keystroke logging and clipboard monitoring - Remote desktop access via TightVNC - A UAC bypass previously used by LockBit and BlackMatter - Persistence through registry keys or scheduled tasks Group-IB, which analyzed the threat, warns that SilabRAT’s developer plans to expand its reach by injecting code into Electron-based wallet apps, such as Ledger Live and Trezor Suite. While traditional defenses like MFA and patching can help, the malware’s session-hijacking tactics allow it to bypass even secured logins.