SilabRAT, o1oo1, and the malware-as-a-service marketplace
Group-IB's analysis describes SilabRAT as a commercial remote access trojan sold on dark web forums and advertised by a Russian-speaking developer who uses the handle o1oo1. The developer bundles complementary tooling — notably an obfuscation product called AsmCrypt — and offers discounts to buyers who take both. Buyers run campaigns of their own, making SilabRAT a classic malware-as-a-service (MaaS) product: a central developer supplies code and support while separate operators handle delivery and monetization.
Two technical innovations that let attackers "be" the victim
Group-IB highlights two capabilities that distinguish SilabRAT from many commodity RATs. First, it includes hidden virtual network computing (HVNC): the operator drives a second, invisible desktop on the infected machine, so the victim sees no windows open and no cursor move. Because every request in that session leaves from the victim's own device and IP address, server-side controls keyed to IP reputation, geolocation or a known device are likely to treat the activity as the legitimate user.
Second, SilabRAT clones the browser profile rather than merely exfiltrating cookies. Because many sites now bind a session to device fingerprint traits or installed extensions, a stolen cookie alone often fails; the malware instead copies the full profile (extensions, local storage and the traits that feed fingerprinting) to the attacker's system so the session can be revived intact. The two features interlock: a bundled DLL named Target.dll hooks low-level file calls so that a browser started in the hidden session opens the cloned profile, letting the operator work on the victim's live logged-in state while the visible desktop remains untouched.
Built to empty cryptocurrency wallets
Group-IB's report frames cryptocurrency theft as SilabRAT's primary payoff. A continuously running background module hunts for wallet software from a built-in list of supported wallets and tries to unlock each one with passwords harvested from the victim's browser, betting on credential reuse. To reach those browser secrets the malware uses a COM-elevation technique that bypasses Chrome's App-Bound Encryption, the protection Chrome introduced so that cookies and other stored secrets cannot be decrypted by an arbitrary process running as the user. It can also "clip" the clipboard: when the victim copies a wallet address, the malware swaps in the attacker's address, so a transaction pasted moments later sends funds to the wrong party.
Those crypto-focused features sit alongside more familiar RAT capabilities: keystroke logging, clipboard capture, remote desktop access over TightVNC, a user account control bypass (the same bypass used by LockBit and BlackMatter), and persistence via registry keys or scheduled tasks. Group-IB also notes the developer's stated plan to push further into supply-chain-style attacks by injecting code into Electron-based wallet apps such as Ledger Live and Trezor Suite.
Operational deployment, detection, and resilience
Buyers commonly distribute SilabRAT through email spam and so-called ClickFix lures, the social-engineering pages that talk a victim into pasting a command into a Run dialog or terminal. Operators reported that antivirus tools frequently flag the delivery stage as the HijackLoader packer rather than identifying the SilabRAT payload itself, so a HijackLoader detection on a host should be treated as a possible SilabRAT infection rather than a closed case. One operator claimed that more than 90% of infected machines remained online across a month-long campaign; the figure is the operator's own and unverified, but if accurate it points both to durable persistence and to the ability of HVNC and profile cloning to avoid prompting a cleanup.
What SilabRAT means for security teams, crypto users, and malware buyers
- Security teams and technologists: The HVNC and browser-profile cloning combination undercuts controls that rely on credentials, IP reputation or device fingerprint alone, because the attacker's session is, to the server, the victim's session. Defenders should still watch for session fingerprint or behaviour changes (activity at hours the user never works, actions the user never takes), but the more reliable signals are on the host: a browser process loading Target.dll, a DLL loaded by a browser from a user-writable directory, a second browser instance run against a copied profile, and the COM-elevation activity Group-IB describes.
- Crypto users and custodians: Wallet-savvy users are the explicit targets — the malware searches for wallet applications and aims to crack passwords or alter clipboard addresses mid-transaction. Users should assume that a hijacked session can bypass password prompts and that ordinary credential protections may not be sufficient.
- Malware buyers and operators: The MaaS model and the sale of complementary tools such as AsmCrypt lower the bar for technical entry. The presence of a discounted bundle suggests the developer expects coordinated campaigns where operators handle spreading while the developer supplies evasion and payload capabilities.
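The host-side signals above (a browser loading Target.dll, persistence through registry keys or scheduled tasks, a browser pointed at a copied profile) are what a hunt query looks for in endpoint telemetry. The script below is an added example written for this page; it is not Group-IB's tooling and is not derived from a SilabRAT sample. It runs simple detection rules over constructed Sysmon-shaped JSON-lines events (Event ID 7 image load, 1 process create, 13 registry value set). Only the DLL name Target.dll comes from the report; the browser list, the path heuristics, the `--user-data-dir` profile check and every host name, path, SID and task name in the sample log are assumptions made for the example.

```python
"""Hunt for SilabRAT-style host artefacts in Sysmon-shaped event logs.

Added example for this write-up; not Group-IB's tooling and not derived
from a SilabRAT sample. The events below are constructed to look like
Sysmon Event ID 7 (image load), 1 (process create) and 13 (registry value
set) exported as JSON lines. Field names follow Sysmon; every host name,
path, SID and task name is invented. Only the name Target.dll comes from
the report; the browser list and path heuristics are assumptions.
"""
import json
import re

# Browser executables a cloned-profile session would run under (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Locations a standard user can write without elevation. A browser loading a
# DLL from here, or a persistence entry pointing here, deserves a look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+.*/create", re.I)
# Chromium-family switch that points the browser at an alternative profile
# directory; the vendors' default directories all end in "User Data".
USER_DATA_DIR = re.compile(r'--user-data-dir=("[^"]+"|\S+)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the findings (possibly none) for a single parsed event."""
    findings = []
    eid = ev.get("EventID")
    if eid == 7:  # image load into a process
        image, loaded = basename(ev["Image"]), ev["ImageLoaded"]
        if image in BROWSERS:
            if basename(loaded) == "target.dll":
                findings.append(f"{image} loaded Target.dll from {loaded}")
            elif USER_WRITABLE.search(loaded) and ev.get("Signed", "false").lower() != "true":
                findings.append(f"{image} loaded unsigned DLL from user-writable path {loaded}")
    elif eid == 1:  # process creation
        image, cmd = basename(ev["Image"]), ev.get("CommandLine", "")
        if image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
            findings.append(f"scheduled task created for user-writable binary: {cmd}")
        m = USER_DATA_DIR.search(cmd)
        if image in BROWSERS and m and not m.group(1).strip('"').lower().endswith("\\user data"):
            findings.append(f"{image} started against non-default profile dir {m.group(1)}")
    elif eid == 13:  # registry value set
        target, details = ev["TargetObject"], ev.get("Details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            findings.append(f"Run-key persistence {target} -> {details}")
    return findings


def hunt(lines):
    """Parse JSON-lines events; return (EventID, Computer, finding) tuples."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for finding in check_event(ev):
            hits.append((ev["EventID"], ev.get("Computer", "?"), finding))
    return hits


# Constructed sample log: four events that should fire and two that should not.
SAMPLE_EVENTS = r'''
{"EventID": 7, "Computer": "WS-ALICE", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Target.dll", "Signed": "false"}
{"EventID": 7, "Computer": "WS-ALICE", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn \"Updater\" /tr \"C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe\""}
{"EventID": 13, "Computer": "WS-ALICE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc\\host.exe"}
{"EventID": 13, "Computer": "WS-ALICE", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"}
{"EventID": 1, "Computer": "WS-ALICE", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Temp\\prof1\" --no-first-run"}
'''

if __name__ == "__main__":
    for eid, host, finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{host}] EventID {eid}: {finding}")
```

The rules are deliberately narrow: the Target.dll name is a weak indicator on its own (the developer can rename it), so the unsigned-DLL-from-user-writable-path and non-default-profile rules are there to catch a renamed build; expect the `--user-data-dir` rule to be noisy on developer and test machines, and tune it per fleet. The report does not say whether SilabRAT launches the browser with that switch at all; it describes Target.dll redirecting file calls instead, which is why the image-load rule is the one to trust most.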
Defensive steps and a final note
Group-IB urged defenders to enforce multi-factor authentication, keep Chrome patched, and step up phishing and web filtering, while cautioning that a hijacked session can still walk past a password prompt. Those measures are concrete but imperfect: the techniques described, a session running from the victim's own IP and a full browser-profile clone, are expressly designed to sidestep credentials and many conventional session controls, which is why host-level visibility into the browser process matters as much as any login-time check.
SilabRAT is notable less for inventing a single new capability than for assembling several evasive techniques into a commodified package and marketing it to buyers. The result, according to Group-IB, is a tool aimed squarely at siphoning cryptocurrency while minimizing visible host-side disruption. How defenders adapt to the pairing of hidden VNC and browser cloning — and whether operators successfully move from browser-based theft to direct injection into Electron wallet apps such as Ledger Live and Trezor Suite — will shape the next phase of this campaign.
Read the original Group-IB analysis at Infosecurity Magazine