o1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem
Threat Actor Meta
Summary
o1oo1 is selling SilabRAT as a $5000/month MaaS and bundling it with AsmCrypt, turning the malware into a packaged criminal service that lowers adoption barriers. The setup shows a monetized ecosystem around session-hijacking and crypto theft, not just a standalone payload. Buyers are meant to launch their own campaigns, which broadens distribution and increases the risk of repeated infections across dark web forums and spam-driven lures.
Related Happenings
SilabRAT session-hijacking crypto-draining malware activity
Malware Activity
H score: 24
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
How related:
A new remote access trojan sold on dark web forums has been built to drain cryptocurrency, hijacking victims' logged-in sessions to slip past passwords and multi-factor checks.
About this happening:
The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
H score: 36
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
GlassWorm campaign uses compromised Open VSX developer access to spread malicious extensions
Campaign
H score: 40
First: 02.02.2026 07:04
Last: 02.02.2026 07:04
Sources 1
About this happening:
The **GlassWorm** campaign has evolved into a **multi-stage malware operation** that uses **rogue packages** across **npm, PyPI, GitHub, and Open VSX** to gain an initial foothold...
Timeline
- 10.06.2026 18:30 · 2 articles · 2h ago
o1oo1 markets SilabRAT and AsmCrypt as a bundled malware service
Initial Disclosure: o1oo1 advertises SilabRAT on dark web forums as a $5000/month malware-as-a-service offering and pairs it with the code-obfuscation tool AsmCrypt, discounting buyers who take both. Buyers then run their own campaigns, often using email spam and ClickFix lures, while antivirus tools frequently log the payload as HijackLoader rather than SilabRAT.
Sources:
- New SilabRAT Trojan Hijacks Sessions to Steal Crypto — www.infosecurity-magazine.com — 10.06.2026 18:30