VYPR research · Published Jun 10, 2026 · 1 source

SilabRAT Trojan Targets Crypto Wallets with Session Hijacking and Browser Cloning

A new Malware-as-a-Service (MaaS) trojan named SilabRAT is being sold on dark web forums, specifically designed to hijack user sessions and steal cryptocurrency by employing advanced techniques like Hidden Virtual Network Computing (HVNC) and browser cloning.

A new remote access trojan, marketed as a Malware-as-a-Service (MaaS) on dark web forums, has emerged with a singular focus: the theft of cryptocurrency. Dubbed SilabRAT, this sophisticated malware, detailed in recent analysis by Group-IB, has been available since late 2025 for a monthly fee of $5000. Its developer, a Russian-speaking actor known only as o1oo1, also offers a complementary code-obfuscation tool called AsmCrypt, incentivizing buyers to purchase both.

SilabRAT is distributed through various means, including email spam and deceptive "ClickFix" lures. Attackers often leverage a packer known as HijackLoader, which frequently causes antivirus tools to misidentify the malware, allowing campaigns to remain undetected. One operator reported that over 90% of infected machines remained online throughout a month-long campaign, highlighting the trojan's persistence and evasion capabilities.

Two key features distinguish SilabRAT from other remote access trojans. The first is its implementation of Hidden Virtual Network Computing (HVNC). This allows an attacker to gain complete control over a victim's machine without any visible signs of activity, such as cursor movement or window changes. Because the malicious actions originate from the victim's own device and IP address, security systems often fail to flag these sessions as suspicious.

The second significant feature is its advanced browser-profile cloning capability. Unlike simpler methods that might only steal cookies, SilabRAT copies the entire browser profile, including extensions, local storage, and device fingerprinting traits, to the attacker's system. This allows the attacker to seamlessly revive and hijack the victim's active sessions, bypassing security measures that tie sessions to specific device fingerprints or IP addresses.

These two functionalities work in tandem. A bundled DLL, named Target.dll, hooks into low-level file operations, enabling the compromised browser to load the cloned profile. This allows the hidden HVNC session to operate using the victim's live data and active sessions while their actual desktop remains untouched and seemingly normal.

The ultimate goal of SilabRAT is to empty cryptocurrency wallets. A dedicated background module continuously scans for cryptocurrency wallets on infected systems. It then attempts to crack wallet passwords using credentials harvested from the victim's browser, leveraging a built-in list of supported wallet applications. To circumvent security measures like Chrome's App-Bound Encryption, SilabRAT employs a COM-elevation technique. Additionally, a clipboard clipper can intercept copied wallet addresses and replace them with the attacker's own address during a transaction.
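A defender-side heuristic for the clipboard-swapping behaviour described above, added here as an illustration and not code from Group-IB's analysis or from the malware itself: it walks a clipboard change history and flags a wallet address that is replaced by a different address of the same type within a short window. The event format, process names and simplified address patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Simplified address patterns (assumption: loose, for illustration only).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


@dataclass
class ClipEvent:
    ts: float    # seconds; time the clipboard content changed
    text: str    # new clipboard content
    owner: str   # process that set the clipboard (constructed field)


def address_type(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    t = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(t):
            return kind
    return None


def detect_clipper(events, max_gap=2.0):
    """Flag an address replaced by a *different* address of the same type
    within max_gap seconds: the user copies one address and the clipboard
    silently holds another. Addresses copied far apart are not flagged."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = address_type(prev.text)
        if (kind and address_type(cur.text) == kind
                and prev.text.strip() != cur.text.strip()
                and cur.ts - prev.ts <= max_gap):
            alerts.append({"ts": cur.ts, "kind": kind, "original": prev.text,
                           "replacement": cur.text, "owner": cur.owner,
                           "gap_s": round(cur.ts - prev.ts, 3)})
    return alerts


# Constructed clipboard history: one swap, then benign address copies.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "1" + "A" * 33, "explorer.exe"),   # user copies a BTC address
    ClipEvent(100.4, "1" + "B" * 33, "unknown.exe"),    # replaced 0.4 s later
    ClipEvent(160.0, "0x" + "a" * 40, "explorer.exe"),  # user copies an ETH address
    ClipEvent(200.0, "0x" + "b" * 40, "explorer.exe"),  # another one, 40 s later
    ClipEvent(205.0, "meeting notes", "notepad.exe"),
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"[{a['ts']}] {a['kind']} address swapped by {a['owner']} "
              f"after {a['gap_s']} s: {a['original']} -> {a['replacement']}")
```

On a real endpoint the events would come from a clipboard-monitoring agent; the time threshold and the address patterns should be tuned to the wallets actually in use.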

Beyond its specialized crypto-stealing features, SilabRAT also includes a comprehensive suite of standard remote access trojan functionalities. These include keystroke logging, clipboard capture, remote desktop access via TightVNC, and persistence mechanisms utilizing registry keys or scheduled tasks. Notably, it also incorporates a user account control (UAC) bypass technique that has been observed in other notorious malware like LockBit and BlackMatter.

Group-IB anticipates that SilabRAT's developers will further enhance its crypto-focused capabilities. There are stated plans to inject code directly into Electron-based wallet applications such as Ledger Live and Trezor Suite. To mitigate the threat posed by SilabRAT, security experts recommend enforcing multi-factor authentication (MFA), keeping browsers like Chrome updated, and strengthening phishing and web filtering defenses, while acknowledging that even these measures may not prevent a sophisticated session hijacking attack.

Synthesized by Vypr AI