{
	"id": "bbb3a0fc-1f10-4a2a-be49-4185794c197a",
	"created_at": "2026-04-10T03:21:12.10999Z",
	"updated_at": "2026-04-10T13:13:10.304881Z",
	"deleted_at": null,
	"sha1_hash": "aaef72c2504b23c811f68b9e0f13371bc4fc24c3",
	"title": "Saefko: A new Multi-layered RAT | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192251,
	"plain_text": "Saefko: A new Multi-layered RAT | Zscaler Blog\r\nBy Rajdeepsinh Dodia, Priyanka Bhati\r\nPublished: 2019-08-08 · Archived: 2026-04-10 02:48:23 UTC\r\nRecently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, data-stealing and spreading modules.\r\n \r\nBackground\r\nA RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system's webcam, taking screenshots, formatting drives, and more.\r\nUpon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the Chrome browser history looking for specific types of activity, such as those involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C\u0026C) server and requests further instructions. The C\u0026C instructs the malware to provide system information, and the RAT begins to collect a range of data including screenshots, videos, keystroke logs and more. The C\u0026C can also instruct the malware to download additional payloads onto the infected system.\r\nRATs present a unique business threat. They have the ability to steal a lot of data without being detected and to spread to other systems across the network. 
The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat.\r\n \r\nTechnical Analysis of the Saefko RAT\r\nSaefko unpacks itself, drops the file saefkoagent.exe at “/%AppData%/Roaming/SaefkoAgent.exe” and executes it. It also copies itself to “/%AppData%/Roaming/windows.exe” and “/%AppData%/Local/explorer.exe” and executes those copies.\r\nAutostart Key\r\nThe Saefko malware creates a startup key so that it is executed at every login. If it is running from an admin account, it creates the following registry key:\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer”\r\nhttps://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat\r\nPage 1 of 16\n\nOtherwise, it creates the key under the current user instead:\r\n“HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer”\r\nFunctionality\r\nSaefko first checks whether the internet connection is active by connecting to “clients3.google.com/generate_204”. It then uses a distinctive technique to judge whether the infected system holds anything of value: it reads the browser history, searches it for particular websites the user has visited, and keeps a count per category, using the categories listed below. 
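The history triage just described, as an added example that is not code from the original post or from the malware: a Python script that opens a Chrome-style History database (SQLite; on a real host the file is %LocalAppData%/Google/Chrome/User Data/Default/History) and counts, per category, the history entries whose URL contains one of that category's sites. The category subsets, the sample rows, the substring matching rule and the triage_score ordering are assumptions made for this example; the field names are the ones Saefko reports.

```python
import sqlite3

# Subset of the category lists given on this page (the full lists follow in the text).
# Keys are the field names Saefko reports to its control server, spelled as observed.
CATEGORIES = {
    'machine_creadit_card_posiblty': ['paypal.com', 'stripe.com', 'squareup.com', 'pay.google.com/send/home'],
    'machine_gaming_value': ['steampowered.com', 'origin.com', 'twitch.tv', 'gog.com'],
    'machine_bitcoin_value': ['coinbase.com', 'binance.com', 'kraken.com', 'blockchain.com'],
    'machine_business_value': ['linkedin.com', 'nasdaq.com', 'interactivebrokers.com', 'finance.yahoo.com'],
    'machine_shooping_activity': ['amazon.com', 'ebay.com', 'walmart.com', 'etsy.com'],
    'machine_facebook_activity': ['facebook.com', 'm.facebook.com'],
    'machine_instgram_activty': ['instagram.com', 'm.instagram.com'],
    'machine_gmail_avtivity': ['gmail.com', 'mail.google.com'],
    'machine_googleplus_activity': ['plus.google.com', 'm.plus.google.com'],
}


def build_sample_history():
    '''Constructed stand-in for a Chrome History database.

    The real History file is SQLite and its urls table has the columns created
    here (id, url, title, visit_count, typed_count, last_visit_time, hidden).
    The rows below are made up for this example.'''
    con = sqlite3.connect(':memory:')
    con.execute(
        'CREATE TABLE urls ('
        ' id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,'
        ' visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,'
        ' last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)'
    )
    rows = [
        ('https://www.paypal.com/myaccount/summary', 'PayPal', 12),
        ('https://dashboard.stripe.com/payments', 'Stripe', 3),
        ('https://www.coinbase.com/dashboard', 'Coinbase', 7),
        ('https://pro.coinbase.com/trade/BTC-USD', 'Coinbase Pro', 5),
        ('https://www.amazon.com/gp/cart/view.html', 'Amazon Cart', 20),
        ('https://mail.google.com/mail/u/0/#inbox', 'Inbox', 40),
        ('https://www.linkedin.com/feed/', 'LinkedIn', 9),
        ('https://store.steampowered.com/app/570/', 'Steam', 2),
        ('https://example.org/', 'Example Domain', 1),
    ]
    con.executemany(
        'INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, 0)', rows)
    con.commit()
    return con


def count_categories(con):
    '''Return {field name: number of history entries that match the category}.

    Assumption (the page does not say how Saefko matches): an entry counts for
    a category when any of the category sites is a substring of its URL, and
    each entry is counted at most once per category.'''
    urls = [row[0] for row in con.execute('SELECT url FROM urls')]
    return {field: sum(1 for url in urls if any(site in url for site in sites))
            for field, sites in CATEGORIES.items()}


def triage_score(profile):
    '''Illustrative ranking key, not taken from the page: payment-site hits first,
    then overall activity, so an operator can sort infected hosts.'''
    return (profile['machine_creadit_card_posiblty'], sum(profile.values()))


if __name__ == '__main__':
    profile = count_categories(build_sample_history())
    for field, count in sorted(profile.items()):
        print(field, count)
    print('triage score', triage_score(profile))
```

On a live host Chrome keeps the History file open and locked, so copy it before opening it. The same query run by a responder shows what a stolen history would have told the operator about a given machine; the page gives no ranking rule, so triage_score only illustrates why the counts are collected at all.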
From the counts, the attacker can determine which of the infected systems to target first.\r\nThe categories it searches for, with the sites counted under each, are:\r\nCredit card possibility: paypal.com, 2c2p, adyen.com, volusion.com, pay.amazon.com, apple.com/apple-pay/, atos.net, authorize.net, BIPS, bitpay.com, bpay.com, braintreepayments.com, centup.org, cm.com, creditcall.com, cybersource.com, mastercard.com, digi.cash, digitalriver.com, dwolla.com, elavon.com, euronetworldwide.com, eway.io, firstdata.com, fortumo.com, pay.google.com/send/home, heartlandpaymentsystems.com, ingenico.com, ippayments.com, klarna.com, emergentpayments.ne, moduslink.com, mpay.com, neteller.com, ofx.com, pagseguro, payoneer.com, paymentwall.com, paypoint.co, paysbuy.com, paysafe.com, paytm.com, payzone.co.uk, crunchbase.com, qiwi.com, globalpaymentsinc.com, reddotpayment.com, sagellc.com, skrill.com, stripe.com, squareup.com, tencent.com, transfermate.com, transferwise.com, wmtransfer.com, trustly.com, wepay.com, verifone.com, xendpay.com, pay.weixin.qq.com, money.yandex.ru, wirecard.com, truemoney.com, xsolla.com, myshopify.com/admin, payza.com, 2checkout.com, 3dcart.com, paysafecard.com, weebly.com\r\nGaming activity value: origin.com, steampowered.com, g2a.com, twitch.tv, nichegamer.com, techraptor.net, gematsu.com, estructoid.com, pcgamer.com, gamefaqs.gamespot.com, gamespot.com, siliconera.com, rockpapershotgun.com, gameinformer.com, decluttr.com, glyde.com, gamestop.com, microsoft.com/account/xboxlive, playstation.com/en-us/network/store, nintendo.com/games, gog.com, game.co.uk, itch.io, gamefly.com, greenmangaming.com, gaming.youtube.com\r\nCryptocurrency value: etoro.com, 24option.com, puatrack.com/coinbull2/, luno.com, paxforex.com, binance.com, coinbase.com, cex.io, changelly.com, coinmama.com, xtrade.ae, capital.com, paxful.com, kraken.com, poloniex.com, gemini.com, bithumb.com, xcoins.io, cobinhood.com, coincheck.com, coinexchange.io, shapeshift.io, bitso.com, indacoin.com, cityindex.co.uk, bitbay.net, bitstamp.net, cryptopia.co.nz, pro.coinbase.com, kucoin.com, bitpanda.com, foxbit.com.br, bitflyer.com, bitfinex.com, bit-z.com, quadrigacx.com, big.one, lakebtc.com, wex.nz, kuna.io, yobit.io, zebpay.com, hitbtc.com, bx.in.th, trezor.io, electrum.org, blockchain.com, crypto.robinhood.com, exodus.io, mycelium.com, bitcointalk.org, btc-e.com, moonbit.co.in, bitcoinaliens.com, bitcoinwisdom.com, coindesk.com, cointelegraph.com, ccn.com, reddit.com/r/Bitcoin/, bitcoin.org/en/blog, newsbtc.com, blog.spectrocoin.com, blog.coinbase.com, bitcoinist.com, forklog.com, abitcoinc.com, bitcoin.stackexchange.com, news.bitcoin.com, blog.bitfinex.com, blog.genesis-mining.com\r\nInstagram activity: instagram.com, m.instagram.com\r\nFacebook activity: facebook.com, m.facebook.com\r\nYoutube activity: youtube.com, m.youtube.com\r\nGoogle+ activity: plus.google.com, m.plus.google.com\r\nGmail activity: gmail.com, mail.google.com\r\nShopping activity: boohoo.com, gymshark.com, mail.google.com, prettylittlething.com, showpo.com, athleta.com, ae.com, ruelala.com, asos.com, superdry.com, zaful.com, zafulswimwear.com, luckybrand.com, forever21.com, urbanoutfitters.com, nastygal.com, jcrew.com, anthropologie.com, allsaints.com, uniqlo.com, armaniexchange.com, fashionnova.com, saksoff5th.com, target.com, macys.com, barneys.com, zappos.com, sneakersnstuff.com, yoox.com, nike.com, simmi.com, amazon.com, ebay.com, walmart.com, newegg.com, bestbuy.com, ftd.com, 1800flowers.com, glossier.com, sephora.com, thebodyshop.com, ulta.com, horchow.com, homedepot.com, pier1.com, bedbathandbeyond.com, wayfair.com, shoptiques.com, viator.com, etsy.com, cloud9living.com, seatgeek.com, aliexpress.com, alibaba.com
\r\nBusiness value: linkedin.com, twitter.com, nasdaq.com, ft.com, reuters.com, nyse.com, tsx.com, marketwatch.com, thestreet.com, wsj.com, investing.com, investopedia.com, finance.yahoo.com, seekingalpha.com, fool.com, investorguide.com, zacks.com, home.saxo, forexbrokers.com, swissquote.com, cmcmarkets.com, fxpro.co.uk, forex.com, dukascopy.com, interactivebrokers.com, tdameritrade.com, bankofinternet.com, ally.com, bankpurely.com, redneck.bank\r\nSaefko also collects additional user and machine data and reports it in the following fields (field name followed by its meaning):\r\nirc_channel: IRC channel name\r\nirc_nickname: Nickname\r\nirc_password: IRC channel password\r\nirc_port: IRC port used to reach the server\r\nirc_server: Server name\r\nmachine_active_time: System uptime\r\nmachine_artct: Machine architecture\r\nmachine_bitcoin_value: Number of cryptocurrency sites visited by the user\r\nmachine_business_value: Number of business sites visited by the user\r\nmachine_calls_activity: 0\r\nmachine_camera_activity: Number of “.png” files present on the desktop\r\nmachine_country_iso_code: Country code fetched from “ipinfo.io/geo”\r\nmachine_lat: Geographic location of the system (latitude)\r\nmachine_lng: Geographic location of the system (longitude)\r\nmachine_creadit_card_posiblty: Number of payment sites visited by the user\r\nmachine_current_time: Current time on the machine\r\nmachine_facebook_activity: Number of times the user visited Facebook\r\nmachine_gaming_value: Number of times the user visited gaming websites\r\nmachine_gmail_avtivity: Number of times the user visited Gmail\r\nmachine_googleplus_activity: Number of times the user visited Google+\r\nmachine_instgram_activty: Number of times the user visited Instagram\r\nmachine_ip: Machine IP\r\nmachine_os_type: 1\r\nmachine_screenshot: Screenshot, encoded in Base64\r\nmachine_shooping_activity: Number of times the user visited shopping sites\r\nThe RAT sends the collected data to a command-and-control server as shown below:\r\nAfter getting an \"ok\" response from the server, Saefko starts the \"StartServices\" function, which launches four infection modules:\r\nHTTPClinet\r\nIRCHelper\r\nKEYLogger\r\nStartLocalServices (USB spreading)\r\nHTTP Clinet\r\n(Possible misspelling of HTTP Client by the author)\r\nThe RAT sends a request to the server asking for a new task. It sends the command “UpdateAndGetTask” together with other information, including machine_ID, machine_os, and privateip, as shown below:\r\nThe task is a URL from which the malware downloads a new payload, which it then executes on the infected machine.\r\nKey Logger\r\nThe malware uses the SetWindowsHookEx API to capture keystrokes. 
It stores the captured keystrokes in a “log.txt” file at “\\%AppData%\\Local\\log.txt”.\r\nIRC Helper\r\nFirst, the malware disconnects any current IRC connection. Then it sends status information to the C\u0026C as shown below:\r\npass: password\r\ncommand: UpdateHTTPIRCStatus\r\nmachine_id: unique id sent by the C\u0026C in an earlier request\r\nirc_status: 1\r\nNext, the malware picks its IRC connection parameters:\r\nServer: one selected from the list below\r\nPort: the port listed for that server\r\nNickname: a randomly generated 7-character name\r\nList of IRC servers and ports (one server and its port per line):\r\nirc.afterx.net 6667\r\nirc.cyanide-x.net 6667\r\nchat.freenode.net 6667\r\nirc.europnet.org 6667\r\nirc.azzurra.org 6669\r\nirc.rizon.net 6669\r\nirc.dal.net 6667\r\nirc.efnet.org 6667\r\nirc.gamesurge.net 6667\r\nopen.ircnet.net 6669\r\nirc.quakenet.org 6667\r\nirc.swiftirc.net 6667\r\neu.undernet.org 6667\r\nirc.webchat.org 7000\r\nirc.2600.net 6667\r\nirc.abjects.net 6669\r\nirc.accessirc.net 6667\r\nirc.afternet.org 6667\r\nirc.data.lt 6667\r\nirc.allnetwork.org 6667\r\nirc.alphachat.net 6667\r\nirc.austnet.org 6667\r\nirc.axenet.org 6667\r\nirc.ayochat.or.id 6667\r\nirc.beyondirc.net 6669\r\nirc.blitzed.org 6667\r\nirc.bongster.org 6669\r\nirc.caelestia.net 6667\r\nirc.canternet.org 6667\r\nirc.chatall.org 6669\r\nirc.chatcafe.net 6667\r\nirc.chatspike.net 6667\r\nirc.chatzona.org 6667\r\nirc.criten.net 6667\r\nirc.cyberarmy.net 6667\r\nirc.d-t-net.de 6667\r\nirc.darkmyst.org 6667\r\nirc.deepspace.org 6667\r\nirc.dream-irc.de 6667\r\nirc.drlnet.com 6667\r\nirc.dynastynet.net 6667\r\nirc.echo.com 6667\r\nirc.ecnet.org 6667\r\nirc.enterthegame.com 6667\r\nirc.epiknet.org 6667\r\nirc.esper.net 6667\r\nirc.euirc.net 6669\r\nirc.evolu.net 6667\r\nirc.explosionirc.net 6667\r\nirc.fdfnet.net 6668\r\nirc.fef.net 6667\r\nSaefko connects to one of these servers and waits for a 
response. In each response it looks for the string “T_T” and splits the message on it to separate the fields. Below is the list of IRC commands the RAT can perform; according to the command it receives, Saefko responds with the corresponding data.\r\nList of IRC Commands (command followed by its description):\r\ndexe: Download a file from a given URL and execute it\r\nhdexe: Download a file from a given URL and execute it (UseShellExecute=false)\r\nvistpage: Open a URL\r\nhvistpage: Open a URL (UseShellExecute=false)\r\nsnapshot: Captures a video frame, converts it to Base64 and sends it to the C\u0026C (detailed below); also replies “.oksnapshot”\r\nshell: Executes a command using cmd.exe\r\ntcp: Makes a TCP connection to a given IP and port\r\nidentify: Sends system information: OS type (Microsoft Windows), OS version, OS username, OS machine name and OS system directory\r\nopencd: Opens the CD-ROM drive (command: set CDAudio door open)\r\nclosecd: Closes the CD-ROM drive (command: set CDAudio door closed)\r\nscreenshot: Captures a screenshot, encodes it in Base64 and sends it to the C\u0026C\r\nping: Replies “okping”\r\ncamlist: Gets the video devices on the system and sends the information to the C\u0026C (detailed below)\r\npwd: Reports the current directory\r\nlocation: Gets the system location from “https://ipinfo.io/geo”: IP, city, region, country, latitude and longitude\r\nkeylogs: Encodes the keylog file (log.txt) in Base64 and sends it to the C\u0026C\r\nuninstall: Deletes the autostart registry key (Run) and terminates itself\r\nCamlist\r\nSaefko also checks for the following DLLs on the system:\r\nAForge.dll\r\nAForge.Video.DirectShow.dll\r\nAForge.Video.dll\r\nSqlite3.dll\r\nIf these files are not present, the malware asks the C\u0026C to download them. Next, it enumerates the video input devices on the targeted system and sends the related information to the C\u0026C.\r\nSnapshot\r\nSaefko also captures video from a camera present on the system, encodes the video frame in Base64 and sends it to the C\u0026C.\r\nStart USB Service\r\nSaefko checks whether a drive is removable or a network drive and, if so, starts the infection by copying the files below onto the removable drive:\r\nSas.exe\r\nUSBStart.exe\r\nusbspread.vbs\r\nSas.exe is a copy of the malware itself. USBStart.exe is extracted from the resource section of the main binary and contains code that executes Sas.exe. The malware then creates the usbspread.vbs file and executes it. It walks every directory and file on the drive and creates a \"lnk\" file for each file and directory, with USBStart.exe as the target path. 
When the removable drive is plugged into another system, the user is tricked into clicking a lnk file, because the real files and folders are hidden. The lnk file executes USBStart.exe, which in turn executes Sas.exe, the main payload, so the infection spreads to further systems.\r\nBelow is the code of the usbspread.vbs file:\r\nOne online forum has an ad for a cracked Saefko RAT tool, as shown below. It is advertised as a multi-protocol, multi-operating-system remote administration tool that can be used to launch the malware on Windows and Android devices.\r\nConclusion\r\nTo protect systems from RATs, users must refrain from downloading programs or opening attachments that aren't from a trusted source. At the administrative level, it's always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. 
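One concrete form of the outgoing-traffic monitoring recommended above, applied to the IRC channel described earlier, as an added example that is not part of the original post: a Python detection that parses IRC PRIVMSG lines as a network sensor would log them, splits the message text on the “T_T” separator and matches the first field against the command vocabulary from the IRC command table, and also recognises the “okping” and “.oksnapshot” replies an infected host sends back. The sample lines, nicks, channel and IP addresses, the severity labels and the assumption that an operator message is laid out as command, “T_T”, argument are all constructed for this example; the page gives the separator and the command names but not the exact wire layout.

```python
# Command vocabulary from the IRC command table on this page, with a coarse
# severity (an assumption for this example) so a detection can prioritise hits.
IRC_COMMANDS = {
    'dexe': ('high', 'download a file from a URL and execute it'),
    'hdexe': ('high', 'download a file from a URL and execute it, hidden'),
    'vistpage': ('medium', 'open a URL'),
    'hvistpage': ('medium', 'open a URL, hidden'),
    'snapshot': ('high', 'capture a webcam frame'),
    'shell': ('high', 'run a command through cmd.exe'),
    'tcp': ('medium', 'open a TCP connection to an IP and port'),
    'identify': ('low', 'report OS and machine details'),
    'opencd': ('low', 'open the CD-ROM tray'),
    'closecd': ('low', 'close the CD-ROM tray'),
    'screenshot': ('high', 'capture the screen'),
    'ping': ('low', 'liveness check'),
    'camlist': ('medium', 'enumerate video devices'),
    'pwd': ('low', 'report the current directory'),
    'location': ('medium', 'geolocate the host via ipinfo.io'),
    'keylogs': ('high', 'exfiltrate the keystroke log'),
    'uninstall': ('medium', 'remove the autostart key and exit'),
}
# Replies the bot sends back, mapped to the command they acknowledge.
VICTIM_REPLIES = {'okping': 'ping', '.oksnapshot': 'snapshot'}
SEPARATOR = 'T_T'  # field separator named on the page

# Constructed IRC lines, as a sensor might log them. Nicks, channel and hosts
# are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LINES = [
    ':op!op@203.0.113.9 PRIVMSG #ab12cd :ping',
    ':op!op@203.0.113.9 PRIVMSG #ab12cd :dexeT_Thttp://203.0.113.9/update.exe',
    ':op!op@203.0.113.9 PRIVMSG #ab12cd :shellT_Twhoami',
    ':qwzrtyu!u@198.51.100.7 PRIVMSG #ab12cd :okping',
    ':alice!a@198.51.100.20 PRIVMSG #ab12cd :hi, anyone around?',
    'PING :irc.example.net',
]


def parse_privmsg(line):
    '''Split an IRC PRIVMSG into (sender nick, target, text); None for other lines.'''
    if not line.startswith(':'):
        return None
    prefix, _, rest = line[1:].partition(' ')
    parts = rest.split(' ', 2)
    if len(parts) < 3 or parts[0] != 'PRIVMSG':
        return None
    target, text = parts[1], parts[2]
    if text.startswith(':'):
        text = text[1:]
    return prefix.split('!', 1)[0], target, text


def classify(line):
    '''Return a finding dict if the line looks like Saefko IRC traffic, else None.

    Assumed layout of an operator message: command, then T_T, then the argument;
    a bare command (ping, pwd) has no separator and an empty argument.'''
    parsed = parse_privmsg(line)
    if parsed is None:
        return None
    sender, target, text = parsed
    if text in VICTIM_REPLIES:
        return {'direction': 'victim_reply', 'sender': sender, 'channel': target,
                'command': VICTIM_REPLIES[text], 'argument': '', 'severity': 'low',
                'description': 'bot acknowledgement'}
    command, _, argument = text.partition(SEPARATOR)
    if command not in IRC_COMMANDS:
        return None
    severity, description = IRC_COMMANDS[command]
    return {'direction': 'operator_command', 'sender': sender, 'channel': target,
            'command': command, 'argument': argument, 'severity': severity,
            'description': description}


def scan(lines):
    '''Run classify over a batch of logged lines and keep the hits, in order.'''
    return [hit for hit in (classify(ln) for ln in lines) if hit is not None]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LINES):
        print(finding['severity'], finding['direction'], finding['command'], finding['argument'])
```

Bare tokens such as ping or pwd will also match ordinary chat, so treat low-severity hits as a prompt to corroborate (a 7-character random nickname on one of the servers listed above, a download-and-execute command following the ping), while dexe, hdexe, shell and keylogs carrying an argument are specific enough to alert on directly.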
Attackers are often careful to keep the malware from doing too much at once, since that would slow down the system and could attract the attention of the user and IT.\r\nThe Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.\r\n \r\nIOCs\r\nMD5:\r\nD9B0ECCCA3AF50E9309489848EB59924\r\nC4825334DA8AA7EA9E81B6CE18F9C15F\r\n952572F16A955745A50AAF703C30437C\r\n4F2607FAEC3CB30DC8C476C7029F9046\r\n7CCCB06681E7D62B2315761DBE3C81F9\r\n5B516EAB606DC3CC35B0494643129058\r\nDownloader URLs:\r\nindustry.aeconex[.]com/receipt-inv.zip\r\n3.121.182[.]157/dwd/explorer.exe\r\n3.121.182[.]157/dwd/vmp.exe\r\ndeqwrqwer.kl[.]com.ua/ex/explorer.exe\r\nmaprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip\r\nNetwork URLs:\r\nacpananma[.]com/love/server.php\r\n3.121.182[.]157/smth/server.php\r\nf0278951.xsph[.]ru/server.php\r\nmaprivate[.]date/server.php\r\nSource: https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat"
	],
	"report_names": [
		"saefko-new-multi-layered-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775791272,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaef72c2504b23c811f68b9e0f13371bc4fc24c3.pdf",
		"text": "https://archive.orkl.eu/aaef72c2504b23c811f68b9e0f13371bc4fc24c3.txt",
		"img": "https://archive.orkl.eu/aaef72c2504b23c811f68b9e0f13371bc4fc24c3.jpg"
	}
}