Sality is a long-running Windows malware family first discovered in 2003 and widely recognized as a polymorphic file infector and botnet/downloader platform. It infects Microsoft Windows system files, especially .EXE and .SCR executables, and spreads by infecting local files, replicating across network shares, and in some variants copying infected files to removable drives together with autorun.inf or related launcher files. Infected hosts join a decentralized peer-to-peer network over custom UDP-based communications, allowing bots to exchange signed URL lists and retrieve additional malware; later botnet versions also used attacker digital signatures to resist hostile takeover. Reported follow-on payloads distributed through Sality included spam relays, HTTP proxies, information stealers, website infectors, credential theft components, and distributed cracking tools.
The family evolved from earlier information-stealing variants into a more full-featured threat with process injection, in-memory loading, downloader functionality, anti-security behavior, and rootkit capabilities. Reported behaviors include injecting code into running processes, creating mutexes to avoid duplicate infection, dropping DLL components such as %SYSTEM%\wmdrtc32.dll and compressed copies such as %SYSTEM%\wmdrtc32.dl_, and in some variants dropping a randomly named driver into %SYSTEM%\drivers and creating the service/rootkit device amsint32. Sality variants have been reported to terminate antivirus and security processes and services, block access to security vendor resources, weaken host defenses through registry modification, delete SafeBoot registry data to prevent Safe Mode booting, hide files, steal cached passwords and keystrokes, and exfiltrate sensitive data. Symantec reported a mutex named uxJLpe1m as a strong indicator of infection.
Sality has been described as highly resilient because it combines file infection with a decentralized P2P botnet architecture. The malware has been associated with botnet activity used to relay spam, proxy communications, exfiltrate data, compromise web servers, and coordinate distributed computing tasks such as password cracking. Symantec reported hundreds of thousands of infected machines in 2011, with active botnet versions 3 and 4, and the content states heavily affected countries included India, Vietnam, and Morocco. The malware has also been referenced in later telemetry as a persistent commodity threat and as resurging in 2025 command-and-control detections.
Observed indicators and artifacts mentioned in the content include the mutex uxJLpe1m; DLL paths such as %SYSTEM%\wmdrtc32.dll and %SYSTEM%\wmdrtc32.dl_; the rootkit/service name amsint32; and, in one 2019 contamination case involving Pinebook Pro boot partitions, files augjb.pif, kithj.pif, and autorun.inf with SHA256 hashes 6245eb607e53209126191e4b6cdf7d64f52394f6bc6a2a9529a28ed49be19c82, 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4, and f5adcd0989f9c4033fcd214e8998dde85865c6bf178c4eaed94128e6f5389bd6 respectively; associated URLs hxxp://padrup[.]com[.]ds/sobaka1[.]gif and hxxp://paaaaad[.]fd[.]fd; and UDP contacts including 118.136.16.138:5614, 180.247.53.107:7866, 86.107.231.10:7534, 93.114.69.232:5684, 220.247.166.100:4492, 202.177.246.59:6715, 189.122.188.39:7538, 89.38.237.65:5064, 188.215.25.69:6310, 14.96.75.194:6130, 212.76.78.10:6260, 14.98.120.25:6740, 112.204.145.248:5300, and 200.8.145.17:6780.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“...the cracking software drops malware on the host machine in order to join it to the Sality botnet.” | CVE-2022-2003 Dragos researchers shared a great writeup on finding CVE-2022-2003 in the wild... exploiting CVE-2022-2003... the cracking software drops malware... to join it to the Sality botnet.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Root folders of drives other than the Windows partition are infected: Sality will drop an infected copy of the Windows Calculator or the Minesweeper game, and will also create or modify the autorun.inf in order to try to run this file automatically when the drive is mounted. In practice, USB flash drives and external hard-drives can be infected.
First, in order to prevent Safeboot mode, Sality deletes registry subkeys and values located in HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot.
A service is created to start it on-demand. The service name seems steady across variants, “amsint32”.
The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sality injects all running processes with a copy of its code, except for those belonging to the “system”, “local service” and “network service” accounts. If the process is privileged, Sality will try to grant itself Debug privileges, and try to inject it once more.
A service is created to start it on-demand. The service name seems steady across variants, “amsint32”.
The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sality also drops a kernel driver responsible for several tasks. This driver is dropped under a pseudo-random name in the %System%\drivers folder. A service is created to start it on-demand.
Sality employs polymorphic and entry-point obscuring (EPO) techniques to infect files... The code at the entry-point is changed, and replaced by a variable stub, generated by Sality polymorphic code generator... The initial code of this body is also polymorphic and contains junk instructions to thwart emulation strategies used by anti-virus.
Sality is a family of polymorphic file infectors, which target Windows executable files with the extensions .EXE or .SCR.
Sality injects all running processes with a copy of its code, except for those belonging to the “system”, “local service” and “network service” accounts. If the process is privileged, Sality will try to grant itself Debug privileges, and try to inject it once more.
Sality may execute a malicious payload that deletes files with certain extensions and/or beginning with specific strings.
If a file targeted for infection belongs to a security software application... Sality will instead attempt to damage the file... If this fails, then Sality will simply attempt to delete the file. The recursive directory infection routine also searches and deletes files having a “.vdb” or “.avc” extension...
Several areas are candidates for infection: Files referenced under the HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache registry key are infected... All files on all mapped drives, from B: to Z:, are enumerated... Finally, network resources are enumerated and all executable files found are candidates for infection.
Some Sality variants can infect legitimate files, which are then moved to available removable drives and network shares by enumerating all network share folders and resources of the local computer
Root folders of drives other than the Windows partition are infected: Sality will drop an infected copy of the Windows Calculator or the Minesweeper game, and will also create or modify the autorun.inf in order to try to run this file automatically when the drive is mounted. In practice, USB flash drives and external hard-drives can be infected.
The stolen data was then emailed to the attacker, using various SMTP servers located in Russia.
It contacts a HTTP server... which returns an encoded list of malware to be executed.
Typically, those additional programs will be used to relay spam, proxy communications... HTTP proxies to relay traffic. They can be used to mask shady operations and achieve anonymity.
Executable files infected by Sality join a peer-to-peer network composed of other compromised computers. The network is decentralized: there is no central authority and peers are theoretically equipotent.
In distributed reflective denial-of-service (DRDoS) attacks, adversaries send requests to public servers (e.g., open recursive DNS resolvers) and spoof the IP address of a victim. These servers, in turn, flood the victim with valid responses and – unknowingly – exhaust its bandwidth.
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A long-standing malware family known for its botnet capabilities and ability to spread via infected files and removable drives.
Botnet referenced as the secondary malware outcome of a PLC password-cracking tool, used to enroll infected hosts into the Sality botnet.
Sality is described as malware found on the Pinebook Pro boot partition, likely introduced because one or more factory flashing stations in China were infected. It could potentially infect Windows machines that mount the eMMC storage, and the analyzed samples showed process injection into multiple Windows system processes and outbound UDP communications to numerous hosts.
Referenced as malware using a custom peer-to-peer command-and-control protocol.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.