SilabRAT session-hijacking crypto-draining malware activity
Malware Activity
Summary
The SilabRAT MaaS operation is now offering a session-hijacking remote access trojan that can drain cryptocurrency and bypass password and MFA checks, expanding the risk from stolen logins to direct wallet theft. It uses HVNC and browser-profile cloning so attackers can revive a victim's live session on another machine. Operators are spreading it with email spam and ClickFix lures. The toolkit also includes keylogging, clipboard capture, and TightVNC, making the malware useful for both account abuse and wallet draining.
Related Happenings
O1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem
Threat Actor Meta
H score 31
First: 10.06.2026 18:30
Last: 10.06.2026 18:30
Sources 1
How related:
Its developer, a Russian-speaking actor known as o1oo1, also sells a code-obfuscation tool called AsmCrypt and discounts buyers who take both.
About this happening:
**o1oo1** is selling **SilabRAT** as a **$5000/month MaaS** and bundling it with **AsmCrypt**, turning the malware into a packaged criminal service that lowers adoption barriers....
PamDOORa Linux backdoor with persistent SSH access and credential theft
Malware Activity
H score 28
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
About this happening:
The **PamDOORa** backdoor has been disclosed as a **PAM-based Linux implant** that can create **persistent SSH access** and steal credentials, raising post-compromise risk on **Li...
GlassWorm multi-stage data-theft malware evolution
Malware Activity
H score 22
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware Activity
H score 21
First: 13.03.2026 15:23
Last: 13.03.2026 15:23
Sources 1
About this happening:
A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...
GlassWorm campaign uses compromised Open VSX developer access to spread malicious extensions
Campaign
H score 40
First: 02.02.2026 07:04
Last: 02.02.2026 07:04
Sources 1
About this happening:
The **GlassWorm** campaign has evolved into a **multi-stage malware operation** that uses **rogue packages** across **npm, PyPI, GitHub, and Open VSX** to gain an initial foothold...
Timeline
10.06.2026 18:30 · 2 articles
Group-IB details SilabRAT session-hijacking crypto theft
Initial Disclosure: Group-IB detailed SilabRAT, a remote access trojan sold on dark web forums since late 2025 as a $5000/month malware-as-a-service offering by the Russian-speaking actor o1oo1, describing how it hijacks victims' logged-in browser sessions to bypass passwords and MFA while draining cryptocurrency. The malware combines HVNC, browser-profile cloning, a Target.dll file-call hook, COM elevation to bypass Chrome's App-Bound Encryption, clipboard clipping, keylogging, TightVNC access, persistence via registry keys or scheduled tasks, and distribution through email spam and ClickFix lures. Antivirus tools often label it as HijackLoader, and one operator claimed that more than 90% of infected machines stayed online across a month-long campaign.
Sources
- New SilabRAT Trojan Hijacks Sessions to Steal Crypto — www.infosecurity-magazine.com — 10.06.2026 18:30