New SilabRAT Trojan Hijacks Sessions to Steal Crypto

By Team-CWD | June 10, 2026


A new remote access trojan sold on dark web forums has been built to drain cryptocurrency, hijacking victims’ logged-in sessions to slip past passwords and multi-factor checks.

Dubbed SilabRAT, the malware has been detailed in new analysis from Group-IB, which found it advertised since late 2025 as a malware-as-a-service (MaaS) offering at $5000 a month.

Its developer, a Russian-speaking actor known as o1oo1, also sells a code-obfuscation tool called AsmCrypt and offers a discount to buyers who take both.

Buyers run their own campaigns, often spreading SilabRAT through email spam and ClickFix lures, and antivirus tools frequently log it as the HijackLoader packer rather than the payload. One operator claimed more than 90% of infected machines stayed online across a month-long campaign.


Hidden Control and Cloned Browsers

Two features set SilabRAT apart. The first, a hidden virtual network computing (HVNC) solution, allows an operator to control a machine with no visible windows or cursor movement. Because the activity comes from the victim’s own device and IP address, security tools often treat it as a legitimate session.

The second, browser-profile cloning, goes beyond stealing cookies. Modern sites tie sessions to a device fingerprint or IP, so SilabRAT copies the entire browser profile, including extensions, storage and fingerprinting traits, to the attacker’s system to revive the session intact.

The two interlock: a bundled DLL, Target.dll, hooks low-level file calls so the browser opens the cloned profile, letting the hidden session run on the victim’s live data while the real desktop stays untouched.
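Because profile cloning reads far more of the browser profile than cookie theft does, breadth of access is a usable hunting signal on the endpoint. The sketch below is an added example, not code from Group-IB or from this article: it flags non-browser processes that read several distinct Chromium profile artifact groups in a short window. The event schema, browser allowlist, thresholds, host and process names are all assumptions, and it presumes EDR telemetry that records file reads.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Standard Chromium profile artifacts, grouped by what they hold.
ARTIFACTS = {
    "cookies": "cookies", "login data": "credentials",
    "preferences": "prefs", "secure preferences": "prefs",
    "extensions": "extensions", "local extension settings": "extension_storage",
    "local storage": "web_storage", "indexeddb": "web_storage",
}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # assumed allowlist; name match only

def artifact_kind(path):
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "user data" not in parts:
        return None
    tail = parts[parts.index("user data") + 2:]  # skip the profile directory name
    return next((ARTIFACTS[p] for p in tail if p in ARTIFACTS), None)

def find_profile_cloning(events, window=120, min_kinds=4):
    """Flag non-browser processes reading >= min_kinds artifact groups within `window` seconds."""
    first_seen = defaultdict(dict)  # (host, pid, image) -> {kind: first timestamp}
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = PureWindowsPath(ev["image"]).name.lower()
        kind = artifact_kind(ev["path"])
        if kind and image not in BROWSERS:
            first_seen[(ev["host"], ev["pid"], image)].setdefault(kind, ev["ts"])
    alerts = []
    for (host, pid, image), kinds in first_seen.items():
        times = sorted(kinds.values())
        if len(times) >= min_kinds and times[min_kinds - 1] - times[0] <= window:
            alerts.append({"host": host, "pid": pid, "image": image, "kinds": sorted(kinds)})
    return alerts

# Constructed sample telemetry; the schema, hosts and process names are hypothetical.
UD = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SUSPECT = r"C:\Users\alice\AppData\Roaming\svc.exe"
def _ev(ts, pid, image, rel):
    return {"ts": ts, "host": "ws1", "pid": pid, "image": image, "path": UD + "\\" + rel}
SAMPLE = [
    _ev(10, 400, CHROME, r"Network\Cookies"),
    _ev(20, 812, r"C:\Tools\backup.exe", r"Network\Cookies"),
    _ev(30, 977, SUSPECT, r"Network\Cookies"),
    _ev(31, 977, SUSPECT, r"Login Data"),
    _ev(33, 977, SUSPECT, r"Extensions\abcdefgh\1.0_0\manifest.json"),
    _ev(36, 977, SUSPECT, r"Local Storage\leveldb\000003.log"),
    _ev(40, 977, SUSPECT, r"Preferences"),
]
print(find_profile_cloning(SAMPLE))
```

A production rule would verify the browser's signer and install path rather than its file name, since the name-only allowlist here is trivially satisfied by a renamed or injected process.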

Built to Empty Crypto Wallets

The payoff is cryptocurrency. A background module runs continuously, hunting for wallets on new infections and trying to crack their passwords with credentials lifted from the victim’s browser, working through a built-in list of supported wallets.

To reach those browser secrets, SilabRAT bypasses Chrome’s App-Bound Encryption with a COM-elevation technique, while a clipboard clipper can swap a copied wallet address for the attacker’s mid-transaction.

It pairs those with the usual commodity-RAT toolkit:

  • Keystroke logging and clipboard capture

  • Remote desktop access over TightVNC

  • A user account control bypass also used by LockBit and BlackMatter

  • Persistence via registry keys or scheduled tasks

Group-IB expects the crypto focus to deepen, pointing to the developer’s stated plan to inject code into Electron-based wallet apps such as Ledger Live and Trezor Suite.

To blunt the threat, the company urged defenders to enforce multi-factor authentication (MFA), keep Chrome patched and step up phishing and web filtering, while cautioning that a hijacked session can still walk past a password prompt.


