
Steaelite RAT

Steaelite RAT is a remote access trojan assessed with high confidence from reporting on an active command-and-control server at 91.92.240.197. Reported capabilities include browser credential, cookie, and session token theft on initial connect, as well as credential theft, remote code execution, file management, keylogging, webcam and microphone access, ransomware deployment, and hidden RDP access. Public reporting also describes it as enabling double-extortion attacks from a single panel by combining data theft and ransomware management functionality.

The reported infection chain used a trojanized Microsoft Remote Desktop Connection Manager installer, RDCMan.msi, to deploy a malicious .NET payload. The SHA-256 of the trojanized installer was reported as c32932c7d7f18719a762cca23ba3ab6747c1953256084b24084a683382adac4a. After execution, the malware reportedly checked in to the C2 via POST /logs/sendInfo and then polled POST /ping for commands using HTTP long-polling. Additional payload delivery endpoints observed on the server included /download/{type} and /obfEncDownload/{id}. The hwid field was reported to function as the agent identifier. The operator panel exposed /Account/Login and /agents.

The identified C2 infrastructure was described as a Windows-hosted ASP.NET Core application running on Kestrel, exposing ports 443 and 5000 for HTTPS, plus 5357, 5985, and 9000. The server leaked the internal namespace PingServer.Models.SendInfoData through validation errors, and the internal project name was reported as PingServer. The host presented a self-signed TLS certificate with subject CN=localhost, serial 4804878F208E383E, valid from 2026-01-07 to 2027-01-07. The infrastructure was hosted by Omegatech LTD under AS202412 and was geolocated in the reporting to Frankfurt am Main, Germany. As of 2026-03-03, the server was reported operational and accepting unauthenticated agent registrations.
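The check-in and long-poll sequence and the server fingerprint described above translate directly into hunting logic. The following is an added example, not code from this page or from the reporting it summarizes: it runs over a constructed proxy log (the line format, the 10.0.0.x sources and the 198.51.100.20 and 203.0.113.10 destinations are all assumptions) and flags hosts that register via POST /logs/sendInfo and then poll /ping, alongside a direct match on the reported C2 address and certificate serial.

```python
import re
from collections import defaultdict

# Indicators taken from the reporting above; every other value here is constructed.
C2_IP = "91.92.240.197"
C2_PORTS = {443, 5000}
CHECKIN_PATH = "/logs/sendInfo"    # agent registration, POST
POLL_PATH = "/ping"                # HTTP long-poll for commands, POST
PAYLOAD_RE = re.compile(r"^/(download|obfEncDownload)/[^/\s]+$")
CERT_SERIAL = "4804878F208E383E"   # self-signed cert, subject CN=localhost

# Constructed proxy log, format "src method dst:port path" (assumed, not from the report).
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST 91.92.240.197:443 /logs/sendInfo
10.0.0.5 POST 91.92.240.197:443 /ping
10.0.0.5 GET 91.92.240.197:443 /obfEncDownload/17
10.0.0.7 POST 198.51.100.20:5000 /logs/sendInfo
10.0.0.7 POST 198.51.100.20:5000 /ping
10.0.0.7 POST 198.51.100.20:5000 /ping
10.0.0.9 GET 203.0.113.10:443 /index.html
10.0.0.9 POST 203.0.113.10:443 /ping
"""
LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+):(\d+) (\S+)$")

def hunt_proxy_log(log_text):
    """Map each suspicious source host to a sorted list of findings.
    Tier 1 is a direct hit on the reported C2 IP/ports; tier 2 is the reported
    agent behaviour (POST /logs/sendInfo, then POST /ping to the same destination)."""
    findings = defaultdict(set)
    seen_checkin = set()           # (src, dst) pairs that have registered
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that do not fit the assumed format
        src, method, dst, port, path = m.groups()
        if dst == C2_IP and int(port) in C2_PORTS:
            findings[src].add("ioc:c2-ip")
        if method == "POST" and path == CHECKIN_PATH:
            seen_checkin.add((src, dst))
            findings[src].add("behaviour:checkin")
        elif method == "POST" and path == POLL_PATH and (src, dst) in seen_checkin:
            findings[src].add("behaviour:longpoll-after-checkin")
        if PAYLOAD_RE.match(path) and (dst == C2_IP or (src, dst) in seen_checkin):
            findings[src].add("behaviour:payload-fetch")
    return {src: sorted(hits) for src, hits in findings.items()}

def matches_c2_cert(subject, serial):
    """True when a TLS server certificate matches the reported self-signed one."""
    return subject == "CN=localhost" and serial.upper() == CERT_SERIAL
```

The behavioural tier fires for 10.0.0.7 even though its destination is not the reported address, which is the case that matters once the operator moves the panel.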

Observed indicators directly mentioned in the content include IP address 91.92.240.197; URI paths /logs/sendInfo, /ping, /download/{type}, /obfEncDownload/{id}, /Account/Login, and /agents; the internal name PingServer; and the trojanized RDCMan.msi sample hash c32932c7d7f18719a762cca23ba3ab6747c1953256084b24084a683382adac4a. No specific threat actor attribution was provided in the content.


MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic. Each technique lists its single piece of evidence from the mapping; where the mapping files the technique under a different tactic than the heading, that tactic is noted.

Initial Access (2 techniques)

  T1189  Drive-by Compromise
         Evidence (1): Trojanized RDCMan.msi distribution (mapped as Initial Access, Phishing / Drive-by, T1566 / T1189)

  T1566  Phishing
         Evidence (1): Trojanized RDCMan.msi distribution (mapped as Initial Access, Phishing / Drive-by, T1566 / T1189)

Execution (1 technique)

  T1204.002  User Execution: Malicious File
             Evidence (1): MSI installer execution

Persistence (1 technique)

  T1547  Boot or Logon Autostart Execution
         Evidence (1): Probable (Steaelite feature)

Privilege Escalation (1 technique)

  T1547  Boot or Logon Autostart Execution
         Evidence (1): Probable (Steaelite feature); mapped under Persistence

Stealth (1 technique)

  T1027  Obfuscated Files or Information
         Evidence (1): /obfEncDownload/ encrypted payloads; mapped under Defense Evasion

Defense Impairment (1 technique)

  T1553  Subvert Trust Controls
         Evidence (1): Trojanized legitimate Microsoft tool; mapped under Defense Evasion

Credential Access (2 techniques)

  T1539  Steal Web Session Cookie
         Evidence (1): Browser cookie extraction

  T1555.003  Credentials from Web Browsers
             Evidence (1): Steaelite auto-harvest on connect

Discovery (2 techniques)

  T1033  System Owner/User Discovery
         Evidence (1): Username exfiltration in check-in

  T1082  System Information Discovery
         Evidence (1): /logs/sendInfo harvests hostname, OS, CPU, RAM

Command and Control (4 techniques)

  T1071.001  Application Layer Protocol: Web Protocols
             Evidence (1): HTTPS long-poll C2 over ports 443/5000

  T1105  Ingress Tool Transfer
         Evidence (1): /download/{type} payload delivery

  T1571  Non-Standard Port
         Evidence (1): Port 5000 (secondary), port 9000 (binary protocol)

  T1573  Encrypted Channel
         Evidence (1): Self-signed TLS, /obfEncDownload/

Exfiltration (1 technique)

  T1041  Exfiltration Over C2 Channel
         Evidence (1): Stolen data returned via same HTTPS channel

Impact (1 technique)

  T1486  Data Encrypted for Impact
         Evidence (1): Steaelite ransomware module (reported capability)

Indicators of compromise

IOCs tracked for this family: 3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

  Network (2 tracked): IPs, domains, and DNS infrastructure linked to this family.
  Hashes (1 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.
