Date: 07/07/2026
Severity: Medium
Summary
Salat Stealer is a stealthy, Go-based infostealer designed to compromise systems and extract data. It performs deep reconnaissance, profiling hardware, active processes, and environmental attributes. Moving beyond standard theft, it enables live desktop streaming and webcam/microphone monitoring. The malware also exfiltrates local files, turning infected hosts into real-time surveillance points. It is often distributed via social engineering, bundled with gaming utilities like Xeno Executor. This transforms risky software into severe compromise vectors that steal credentials and wallets.
Indicators of Compromise (IOC) List
Domains/URLs | http:\\xenoexecutor.in |
Hash | 60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271
075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde
7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd
fec793499d9df0458b611a71dda23b41ba1c28038a79924ab606937e26e77115
7018dc48efdf1311d644225e3c9e5f8f6d49863dbaca315f16d25473f127978d
347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "http:\\xenoexecutor.in" or url like "http:\\xenoexecutor.in" or siteurl like "http:\\xenoexecutor.in" |
Detection Query 2 : | sha256hash IN ("7018dc48efdf1311d644225e3c9e5f8f6d49863dbaca315f16d25473f127978d","60118ba6124480d1c28b3d30f380aa64030418ba1774e8437f9cfae5ea191271","347e3ef094831fd280628c711804603f695b020e365606174a6ba118ebf56cff","fec793499d9df0458b611a71dda23b41ba1c28038a79924ab606937e26e77115","075b3caa3a754c23f929a1591c6b333c7da1080a5fdf8ea2a3497d1505b60dde","7376aaca33eab974ec527d44753d8016c1d305e2db935189a91a57b0ecbb3ccd")
|
Reference:
https://www.splunk.com/en_us/blog/security/bundled-to-steal-salat-stealer-campaign.html