Skip to content
Malware family

Sakula

Sakula is a Windows malware family, also referred to as Sakurel and Viper, that functions as a backdoor/RAT with command-and-control over HTTP using GET and POST requests.

Profile source: Mallory opens in a new tab

Sakula

Family profile

Sakula is a Windows malware family, also referred to as Sakurel and Viper, that functions as a backdoor/RAT with command-and-control over HTTP using GET and POST requests. Reported samples encode C2 traffic with single-byte XOR keys. Sakula has been observed using DLL side-loading for execution, including abuse of digitally signed binaries such as Kaspersky Anti-Virus and McAfee Outlook Scan About Box to load malicious DLLs. It contains UAC bypass code for both 32-bit and 64-bit systems, can install itself as a Windows service for persistence, and uses cmd.exe to execute DLLs via rundll32 as well as to delete temporary files and perform cleanup. Some reporting also notes reverse shell capability. The malware is notably linked in reporting to the 2015 U.S. Office of Personnel Management (OPM) breach; in 2017, Chinese national Yu Pingan was arrested on charges of providing Sakula used in the OPM data breach and other cyber intrusions. High-confidence behavioral indicators mentioned in the content include HTTP-based C2, single-byte XOR-obfuscated traffic, DLL side-loading via signed applications, service-based persistence, rundll32 execution through cmd.exe, temporary file deletion, and embedded UAC bypass functionality.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 18, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
0 IP / 1 hostnames

Leading locations

  • US1

Leading providers

  • Amazon.com, Inc.1

Infrastructure traits

  • Hosting 1

Samples

Recent associated samples

MITRE ATT&CK

Sakula in ATT&CK

15 distinct techniques

Reporting

Research mentioning Sakula

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.