SilabRAT Trojan Ransomware: Session Hijacking Enables Cryptocurrency Theft (June 2025)
ransomware


breachwire Team · Jun 11, 2026 · 5 min read

SilabRAT: What Happened

SilabRAT is a newly identified remote access trojan (RAT) that has been offered as a malware-as-a-service since late 2025. Threat actors have leveraged SilabRAT to hijack victim sessions by cloning browser profiles and employing a hidden remote desktop technique. This approach allows attackers to bypass multi-factor authentication (MFA) protections, granting them persistent, covert access to infected devices. The primary objective observed has been the theft of cryptocurrency, with attackers able to manipulate transactions and exfiltrate wallet credentials from compromised systems.

Attack Vector & Technical Detail

SilabRAT is primarily distributed through global email spam campaigns, targeting a wide range of organizations and individuals. Once executed, the malware establishes a remote connection using a hidden desktop session that is not visible to the victim. By cloning browser profiles, SilabRAT captures active authentication tokens and session cookies, enabling attackers to impersonate users and bypass MFA: the token was issued after a legitimate MFA challenge, so replaying it from the attacker's side requires no second challenge. The malware's tactics map to the MITRE ATT&CK tactics TA0001 (Initial Access), TA0003 (Persistence), TA0006 (Credential Access), and TA0007 (Discovery). No specific CVEs or IOCs have been attributed to this campaign in the current reporting, but the use of session hijacking and wallet address replacement during transactions has been confirmed.

Confirmed Impact

The impact of SilabRAT is significant and global in scope. Infected devices are subject to full remote control, allowing attackers to steal cryptocurrency wallets, passwords, and other sensitive data. The malware’s ability to replace wallet addresses during active transactions has resulted in direct financial losses for victims. High infection persistence increases the likelihood of repeated theft and ongoing compromise. While no specific organizations have been named, the campaign’s global reach and financial focus raise concerns regarding regulatory compliance, especially for organizations handling digital assets or subject to anti-money laundering (AML) regulations.

What This Means for Your Organization

SilabRAT’s use of browser profile cloning and hidden remote desktop access highlights the evolving sophistication of ransomware delivery and session hijacking techniques. Organizations must recognize that MFA alone is not sufficient to prevent unauthorized access when session tokens are compromised. Security teams should review endpoint protection capabilities, monitor for anomalous remote desktop activity, and implement behavioral analytics to detect session hijacking. Regular user education on phishing and spam risks remains critical, as email continues to be the primary infection vector for SilabRAT.

Detection & Response

  • Immediate: Audit endpoints for unauthorized remote desktop sessions and cloned browser profiles.
  • Hunt: Investigate for evidence of hidden desktop activity and anomalous browser session tokens, particularly following email spam campaigns.
  • Patch: N/A (no CVE-specific remediation at this time).
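The "anomalous browser session tokens" hunt above (and the behavioral-analytics recommendation in the previous section) can be made concrete on the server side: a session cookie that was issued after an MFA-backed login should keep appearing from the client that completed that login. The script below is an added example, not code from the original article or from any named vendor. It parses a constructed authentication log (the pipe-separated format, field names and the "mfa_ok" marker are assumptions) and flags a session when its token is used from a second source address shortly after use from the original one, or when the token shows up with no MFA-backed login on record. Because a cloned browser profile replays the same user agent, the check deliberately keys on the address rather than the user agent.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). Fields:
#   timestamp|user|session_id|source_ip|user_agent|auth_event
# auth_event is "mfa_ok" for the login that completed MFA, "-" for ordinary
# authenticated requests. sess-7f3a models a replayed token, sess-9e11 a token
# with no login on record, sess-c21d a normal session.
SAMPLE_LOG = """\
2026-06-10T09:00:12Z|alice|sess-7f3a|203.0.113.10|Chrome/125 Windows|mfa_ok
2026-06-10T09:03:44Z|alice|sess-7f3a|203.0.113.10|Chrome/125 Windows|-
2026-06-10T09:05:01Z|alice|sess-7f3a|198.51.100.77|Chrome/125 Windows|-
2026-06-10T09:05:30Z|alice|sess-7f3a|198.51.100.77|Chrome/125 Windows|-
2026-06-10T09:10:00Z|bob|sess-c21d|203.0.113.22|Firefox/127 Windows|mfa_ok
2026-06-10T09:12:15Z|bob|sess-c21d|203.0.113.22|Firefox/127 Windows|-
2026-06-10T09:20:05Z|carol|sess-9e11|192.0.2.45|Chrome/125 Windows|-
2026-06-10T09:21:40Z|carol|sess-9e11|192.0.2.45|Chrome/125 Windows|-
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str
    auth_event: str


def parse_log(text):
    """Parse the assumed pipe-separated log format into AuthEvent records."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, user, sid, ip, ua, evt = raw.split("|")
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(stamp, user, sid, ip, ua, evt))
    return events


def find_session_anomalies(events, window=timedelta(minutes=15)):
    """Return {session_id: [reasons]} for sessions whose token looks replayed.

    A session is flagged when (a) no MFA-backed login exists for it, or
    (b) it is used from a second source address within `window` of the last
    use from the address that completed MFA. The user agent is reported but
    not used as a signal: a cloned profile replays the original one exactly.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []
        origin = next((e for e in evs if e.auth_event == "mfa_ok"), None)
        if origin is None:
            reasons.append("token used with no MFA-backed login on record")
            origin = evs[0]  # best available anchor for the address check

        last_from_origin = None
        flagged_ips = set()
        for e in evs:
            if e.user != origin.user:
                reasons.append(f"token bound to {origin.user} presented as {e.user}")
            if e.src_ip == origin.src_ip:
                last_from_origin = e.ts
                continue
            if e.src_ip in flagged_ips:
                continue
            if last_from_origin is not None and e.ts - last_from_origin <= window:
                gap = int((e.ts - last_from_origin).total_seconds())
                ua_note = ("same user agent, consistent with a cloned profile"
                           if e.user_agent == origin.user_agent else "different user agent")
                reasons.append(f"used from {e.src_ip} {gap}s after last use from "
                               f"{origin.src_ip} ({ua_note})")
                flagged_ips.add(e.src_ip)

        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_session_anomalies(parse_log(SAMPLE_LOG)).items():
        print(sid)
        for r in reasons:
            print("  -", r)
```

The 15-minute window is a tuning knob: mobile users legitimately change addresses, so a long gap between the two addresses is weaker evidence than near-simultaneous use, which is what a hidden remote desktop session replaying a cloned profile produces. In production the same logic would sit on a SIEM query over the identity provider's access logs rather than on a flat file.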

Source: https://www.infosecurity-magazine.com/news/silabrat-trojan-session-hijacking/
