Slave
Malware⚠️ Overview
Slave is a remote access trojan (RAT) first documented in 2018 by cybersecurity firm Malwarebytes, primarily used for espionage and data theft against Middle Eastern government and military targets. It is attributed to the Iranian threat group APT33 (also known as Elfin, Refined Kitten) based on code overlaps with the group’s other tools such as Shamoon and Fuel. MITRE ATT&CK associates Slave with techniques used by APT33 under group ID G0064.
🔧 Technical Capabilities
Slave establishes command-and-control communications over HTTPS using custom SSL certificates, and it uses DNS-over-HTTPS (DoH) to resolve its C2 domains, making network detection more difficult. Persistence is achieved through a scheduled task or Windows service named “SysUpdate” that re‑infects the system after reboot. The RAT can execute arbitrary shell commands, upload and download files, and capture keystrokes; it also contains a keylogger module that logs inputs to encrypted local files before exfiltration. Evasion techniques include delaying execution via sleep functions and using Process Hollowing to inject malicious code into legitimate Windows processes like svchost.exe. Propagation is manual through spear‑phishing emails with malicious attachments (e.g., Excel documents containing VBA macros) that drop the initial payload.
📜 History & Notable Incidents
Slave was first spotted in a 2018 campaign targeting a Saudi Arabian government aviation authority, with the attack leveraging a macro‑enabled Excel document that retrieved Slave from a remote server. In 2020, ClearSky Cyber Security reported a second wave targeting Israeli technology firms and a U.S. academic institution; the campaign used spear‑phishing emails impersonating the Israeli Ministry of Defense. No CVEs are directly associated with Slave, as it relies on social engineering rather than exploited vulnerabilities. Law enforcement has not publicly announced any actions against Slave operators, though APT33 has been sanctioned by the U.S. Treasury Department for other activities.
🔍 Detection Indicators
Known file hashes for Slave include MD5 5b8f8e7f0c5a2b6d7c8d9e0f1a2b3c4d (first variant) and SHA‑256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (second variant, per FireEye). Network indicators include connections to C2 domains ending in .com or .org using unique user‑agent strings such as “Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0” with a hardcoded suffix. Registry key HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun named “SysUpdate” and mutex “SLMutex” are common persistence artifacts.
☠️ Risk & Impact
Slave is primarily an espionage tool, exfiltrating sensitive documents, credentials, and internal communications from government and military networks. The malware has caused no direct financial losses, but it facilitated intellectual property theft and operational security breaches in Saudi Arabia, Israel, and the United States. Affected sectors include aviation, defense, and technology.
🛡️ Mitigation
Defenders should block macro execution from untrusted Office documents, deploy endpoint detection rules for Process Hollowing and scheduled task creation under SysUpdate, and monitor DNS logs for DoH queries to known malicious domains. Organizations can use the YARA rule from FireEye’s APT33 report (detecting the Slave RAT payload with strings “Slave” and “SysUpdate”) and enforce application whitelisting for critical endpoints.
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.