EXECUTIVE SUMMARY
The campaign is attributed to the Russian‑speaking developer known as o1oo1, who markets the SilabRAT remote access trojan as a subscription‑based service. Its primary weapon is a modular loader that evades conventional antivirus checks, allowing the payload to reach victims across multiple vectors. Targeted industries include financial services, cryptocurrency exchanges, and any enterprise handling valuable credentials, with campaigns observed in Europe, North America, and Asia. The attacker’s goal centers on harvesting login data, browser sessions, and crypto‑wallet information to generate direct monetary profit rather than causing outright disruption.
Initial infection typically occurs through phishing emails, malicious ads, or compromised sites that use the ClickFix social‑engineering technique. The loader masquerades as a legitimate installer, then drops the SilabRAT binary, which establishes persistence through registry entries and scheduled tasks. Once active, the trojan launches a hidden virtual network computing (VNC) layer that renders the desktop invisible to the user while the operator controls the system remotely. It also clones the browser profile to harvest active session cookies and extracts cryptocurrency wallet files. Control is maintained through an operator‑hosted command‑and‑control server that the buyer configures, keeping the infrastructure separate from the developer.
The threat poses a serious risk for enterprises because its invisible remote session bypasses many endpoint alerts and can harvest active credentials that defeat multi‑factor authentication. Detection is hampered by the lack of visible windows and the use of legitimate browser processes, making forensic traces difficult to isolate. Recovery often requires full system rebuilds after the backdoor is removed, increasing downtime and cost. Organizations should enforce regular patching of operating systems and browsers, deploy behavioral endpoint monitoring to spot anomalous remote activity, and segment networks to limit lateral movement. Maintaining offline backups and email and web filtering further reduces exposure.
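The behavioral monitoring recommended above can be expressed as a few host-telemetry heuristics that follow the infection chain described in this report: persistence written from a user-writable path (Run key or schtasks), and a legitimate browser process started by an unusual parent with a custom profile directory, which is how a cloned profile would be opened. The script below is an added example written for this page, not code from the report or from any vendor; it runs over constructed Sysmon-style events (event ID 1 process creation, event ID 13 registry value set) that are invented for illustration and are not SilabRAT telemetry. The browser flags it looks for (`--user-data-dir`, `--headless`, `--remote-debugging-port`) are generic Chromium options commonly tied to browser-profile abuse and are an assumption of this example, not indicators named in the report.

```python
import re

# Constructed Sysmon-style events (event_id 1 = process create, 13 = registry value set).
# Illustrative samples written for this example; they are not SilabRAT telemetry.
SAMPLE_EVENTS = [
    {   # Run-key value written by an installer running out of %TEMP%
        "event_id": 13,
        "image": r"C:\Users\alice\AppData\Local\Temp\setup_installer.exe",
        "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "details": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
    },
    {   # Scheduled task created by the same installer, pointing at a user-writable path
        "event_id": 1,
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup_installer.exe",
        "command_line": r'schtasks /create /sc onlogon /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\svc\svc.exe"',
    },
    {   # Browser launched by a non-browser, non-shell parent with a custom profile directory
        "event_id": 1,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
        "command_line": r'"chrome.exe" --user-data-dir="C:\Users\alice\AppData\Local\Temp\prof_copy" --headless',
    },
    {   # Benign: the user opens the browser from the desktop shell
        "event_id": 1,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"chrome.exe"',
    },
    {   # Benign: vendor software under Program Files registers its own Run key
        "event_id": 13,
        "image": r"C:\Program Files\Vendor\App\app.exe",
        "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
        "details": r"C:\Program Files\Vendor\App\app.exe",
    },
]

# Directories an unprivileged user can write to; persistence launched from here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
SHELL_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}
# Assumed heuristic: generic Chromium flags associated with scripted/cloned-profile use.
SUSPICIOUS_BROWSER_FLAGS = ("--user-data-dir", "--headless", "--remote-debugging-port")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_run_key(ev):
    """Run/RunOnce value set by, or pointing at, a binary in a user-writable directory."""
    if ev.get("event_id") != 13 or not RUN_KEY.search(ev.get("target_object", "")):
        return None
    if USER_WRITABLE.search(ev.get("image", "")) or USER_WRITABLE.search(ev.get("details", "")):
        return ("run_key_from_user_writable", ev["target_object"])
    return None


def check_schtasks(ev):
    """schtasks /create launched by, or scheduling, a binary in a user-writable directory."""
    if ev.get("event_id") != 1 or basename(ev.get("image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("command_line", "")
    if "/create" not in cmd.lower():
        return None
    if USER_WRITABLE.search(ev.get("parent_image", "")) or USER_WRITABLE.search(cmd):
        return ("schtasks_from_user_writable", cmd)
    return None


def check_browser_launch(ev):
    """Browser started by a non-shell, non-browser parent with a profile or automation flag."""
    if ev.get("event_id") != 1 or basename(ev.get("image", "")) not in BROWSERS:
        return None
    parent = basename(ev.get("parent_image", ""))
    if parent in SHELL_PARENTS or parent in BROWSERS:
        return None
    cmd = ev.get("command_line", "").lower()
    if any(flag in cmd for flag in SUSPICIOUS_BROWSER_FLAGS):
        return ("browser_custom_profile_from_nonstandard_parent", ev["parent_image"])
    return None


CHECKS = (check_run_key, check_schtasks, check_browser_launch)


def triage(events):
    """Run every check over every event; return (rule, evidence) pairs for the hits."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

On the constructed sample the three malicious events each trigger exactly one rule and the two benign events trigger none. In a real deployment the same logic maps onto Sysmon or EDR process-creation and registry telemetry; the user-writable-path and parent-process conditions are what keep the rules quiet on ordinary installers and interactive browsing, so tune those allow-lists to the environment rather than loosening the flag list.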
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1588.001 | Obtain Capabilities | Malware |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059 | Command and Scripting Interpreter | — |
| Persistence | T1547 | Boot or Logon Autostart Execution | — |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://www.infosecurity-magazine.com/news/silabrat-trojan-session-hijacking/
https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/