Last seven days
- First activity
- Jul 18, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 0 IP / 1 hostnames
Sakula is a Windows malware family, also referred to as Sakurel and Viper, that functions as a backdoor/RAT with command-and-control over HTTP using GET and POST requests.
Profile source: Mallory opens in a new tabSakula
Sakula is a Windows malware family, also referred to as Sakurel and Viper, that functions as a backdoor/RAT with command-and-control over HTTP using GET and POST requests. Reported samples encode C2 traffic with single-byte XOR keys. Sakula has been observed using DLL side-loading for execution, including abuse of digitally signed binaries such as Kaspersky Anti-Virus and McAfee Outlook Scan About Box to load malicious DLLs. It contains UAC bypass code for both 32-bit and 64-bit systems, can install itself as a Windows service for persistence, and uses cmd.exe to execute DLLs via rundll32 as well as to delete temporary files and perform cleanup. Some reporting also notes reverse shell capability. The malware is notably linked in reporting to the 2015 U.S. Office of Personnel Management (OPM) breach; in 2017, Chinese national Yu Pingan was arrested on charges of providing Sakula used in the OPM data breach and other cyber intrusions. High-confidence behavioral indicators mentioned in the content include HTTP-based C2, single-byte XOR-obfuscated traffic, DLL side-loading via signed applications, service-based persistence, rundll32 execution through cmd.exe, temporary file deletion, and embedded UAC bypass functionality.
C2 tracking
Derp observations, rolling seven-day window
Samples
5d1ec770f05e5f7cae66156d18c5ad3bf4609b505c04dedfe1a5554d50ebf89a 76b3e5953c0e4fe7de3847b154d66a01252d264f5429e7f8b667c07bba6c87d0 bc153fdad894cdff40ce4adf938437544fa0fbf5e7dca8c7588727d875d6c77c c5cd98feefa5728dc0f178d6bbedeb4e97c1fb384d4d28b1da0f1def8e273982 e01de528a45c91c0e9f3356428683ca269792698fb1a6c3fb15e3fc8fc56e155 MITRE ATT&CK
Reporting
Like the previously documented Sakula malware family identified by Dell SecureWorks researchers, it likely uses HTTP GET and POST requests for command and control (C2) communications.
Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.
"In 2017, Chinese national Yu Pingan was arrested on charges of providing the 'Sakula' malware used in the OPM data breach and other cyberintrusions."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.