{ "type": "URL", "indicator": "https://wrat.in:992/sa1at/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://wrat.in:992/sa1at/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4347302173, "indicator": "https://wrat.in:992/sa1at/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0335a9ce1b312bb85367f7", "name": "Botnet_C2 | May 13, 2026", "description": "Botnet_C2 indicators. Date: May 13, 2026. Total: 1052 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:14:01.762000", "created": "2026-05-12T14:14:01.762000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 102, "domain": 140, "hostname": 165 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01e4064798f56d423e2d96", "name": "Botnet_C2 | May 12, 2026", "description": "Botnet_C2 indicators. Date: May 12, 2026. Total: 945 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-11T14:13:26.060000", "created": "2026-05-11T14:13:26.060000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 96, "domain": 145, "URL": 124 }, "indicator_count": 370, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a00928de04e9ba4cac1d6eb", "name": "Botnet_C2 | May 11, 2026", "description": "Botnet_C2 indicators. Date: May 11, 2026. Total: 861 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-10T14:13:33.465000", "created": "2026-05-10T14:13:33.465000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 133, "hostname": 112, "domain": 125 }, "indicator_count": 375, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ff40f444f57576283e05ff", "name": "Botnet_C2 | May 10, 2026", "description": "Botnet_C2 indicators. Date: May 10, 2026. Total: 850 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-09T14:13:08.467000", "created": "2026-05-09T14:13:08.467000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 130, "hostname": 126, "domain": 107 }, "indicator_count": 368, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fdef814e48bf9214326ebd", "name": "Botnet_C2 | May 9, 2026", "description": "Botnet_C2 indicators. Date: May 9, 2026. Total: 890 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-08T14:13:21.488000", "created": "2026-05-08T14:13:21.488000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 138, "URL": 133, "domain": 103 }, "indicator_count": 379, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fde335e9045f90505c488f", "name": "Salat Stealer Analysis: Go-Based RAT, C2 Resilience, and Info-Stealing Capabilities", "description": "Salat Stealer is a sophisticated Remote Access Trojan (RAT) built using Go, featuring advanced information-stealing capabilities. Unlike conventional stealers, it operates as a comprehensive post-exploitation framework, incorporating a variety of functionalities such as WebSocket and QUIC-based command-and-control (C2) mechanisms, remote shell access, systems for streaming desktop and webcam feeds, keylogging, clipboard data theft, and pivoting through SOCKS5 proxies.", "modified": "2026-05-08T13:20:53.088000", "created": "2026-05-08T13:20:53.088000", "tags": [ "dark atlas", "dark web monitoring", "atlas", "data leak monitoring", "compromised credentials monitoring", "threat intel", "buguard", "stealer malware", "supplychain attacks", "redline", "raccoon", "vidar", "lumma", "ato", "dark net", "json", "parses", "salat stealer", "ton blockchain", "file", "c2 server", "websocket", "http2", "quic", "stealer", "trojan", "discord", "steam", "screen", "capture", "share salat", "remote access", "darkweb investigation", "salat" ], "references": [ "https://darkatlas.io/blog/salat-stealer-analysis-go-based-rat-c2-resilience-and-info-stealing-capabilities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Share Salat", "display_name": "Share Salat", "target": null }, { "id": "Salat", "display_name": "Salat", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 5, "YARA": 1, "domain": 4 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd31f993625e9ab13b9847", "name": "Salat Stealer Go-based RAT with QUIC WebSocket C2, blockchain resilience and data theft", "description": "", "modified": "2026-05-08T00:44:41.167000", "created": "2026-05-08T00:44:41.167000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "URL": 82, "domain": 4, "hostname": 3 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc9e061eb54d2816bc3580", "name": "Botnet_C2 | May 8, 2026", "description": "Botnet_C2 indicators. Date: May 8, 2026. Total: 1081 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-07T14:13:26.292000", "created": "2026-05-07T14:13:26.292000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 145, "hostname": 139, "domain": 98 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://ltna.com.au/cyber", "https://darkatlas.io/blog/salat-stealer-analysis-go-based-rat-c2-resilience-and-info-stealing-capabilities" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Share salat", "Salat" ], "industries": [], "unique_indicators": 851 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/wrat.in", "whois": "http://whois.domaintools.com/wrat.in", "domain": "wrat.in", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0335a9ce1b312bb85367f7", "name": "Botnet_C2 | May 13, 2026", "description": "Botnet_C2 indicators. Date: May 13, 2026. Total: 1052 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:14:01.762000", "created": "2026-05-12T14:14:01.762000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 102, "domain": 140, "hostname": 165 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01e4064798f56d423e2d96", "name": "Botnet_C2 | May 12, 2026", "description": "Botnet_C2 indicators. Date: May 12, 2026. Total: 945 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-11T14:13:26.060000", "created": "2026-05-11T14:13:26.060000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 96, "domain": 145, "URL": 124 }, "indicator_count": 370, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a00928de04e9ba4cac1d6eb", "name": "Botnet_C2 | May 11, 2026", "description": "Botnet_C2 indicators. Date: May 11, 2026. Total: 861 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-10T14:13:33.465000", "created": "2026-05-10T14:13:33.465000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 133, "hostname": 112, "domain": 125 }, "indicator_count": 375, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ff40f444f57576283e05ff", "name": "Botnet_C2 | May 10, 2026", "description": "Botnet_C2 indicators. Date: May 10, 2026. Total: 850 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-09T14:13:08.467000", "created": "2026-05-09T14:13:08.467000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 130, "hostname": 126, "domain": 107 }, "indicator_count": 368, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fdef814e48bf9214326ebd", "name": "Botnet_C2 | May 9, 2026", "description": "Botnet_C2 indicators. Date: May 9, 2026. Total: 890 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-08T14:13:21.488000", "created": "2026-05-08T14:13:21.488000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 138, "URL": 133, "domain": 103 }, "indicator_count": 379, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fde335e9045f90505c488f", "name": "Salat Stealer Analysis: Go-Based RAT, C2 Resilience, and Info-Stealing Capabilities", "description": "Salat Stealer is a sophisticated Remote Access Trojan (RAT) built using Go, featuring advanced information-stealing capabilities. Unlike conventional stealers, it operates as a comprehensive post-exploitation framework, incorporating a variety of functionalities such as WebSocket and QUIC-based command-and-control (C2) mechanisms, remote shell access, systems for streaming desktop and webcam feeds, keylogging, clipboard data theft, and pivoting through SOCKS5 proxies.", "modified": "2026-05-08T13:20:53.088000", "created": "2026-05-08T13:20:53.088000", "tags": [ "dark atlas", "dark web monitoring", "atlas", "data leak monitoring", "compromised credentials monitoring", "threat intel", "buguard", "stealer malware", "supplychain attacks", "redline", "raccoon", "vidar", "lumma", "ato", "dark net", "json", "parses", "salat stealer", "ton blockchain", "file", "c2 server", "websocket", "http2", "quic", "stealer", "trojan", "discord", "steam", "screen", "capture", "share salat", "remote access", "darkweb investigation", "salat" ], "references": [ "https://darkatlas.io/blog/salat-stealer-analysis-go-based-rat-c2-resilience-and-info-stealing-capabilities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Share Salat", "display_name": "Share Salat", "target": null }, { "id": "Salat", "display_name": "Salat", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 1, "URL": 5, "YARA": 1, "domain": 4 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fd31f993625e9ab13b9847", "name": "Salat Stealer Go-based RAT with QUIC WebSocket C2, blockchain resilience and data theft", "description": "", "modified": "2026-05-08T00:44:41.167000", "created": "2026-05-08T00:44:41.167000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "URL": 82, "domain": 4, "hostname": 3 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fc9e061eb54d2816bc3580", "name": "Botnet_C2 | May 8, 2026", "description": "Botnet_C2 indicators. Date: May 8, 2026. Total: 1081 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-07T14:13:26.292000", "created": "2026-05-07T14:13:26.292000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 145, "hostname": 139, "domain": 98 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://wrat.in:992/sa1at/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://wrat.in:992/sa1at/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180710.7220151 }