Skip to content
Malware family

Sality

Sality is a long-running Windows malware family first discovered in 2003 and widely recognized as a polymorphic file infector and botnet/downloader platform.

Profile source: Mallory opens in a new tab

Sality

Family profile

Sality is a long-running Windows malware family first discovered in 2003 and widely recognized as a polymorphic file infector and botnet/downloader platform. It infects Microsoft Windows system files, especially .EXE and .SCR executables, and spreads by infecting local files, replicating across network shares, and in some variants copying infected files to removable drives together with autorun.inf or related launcher files. Infected hosts join a decentralized peer-to-peer network over custom UDP-based communications, allowing bots to exchange signed URL lists and retrieve additional malware; later botnet versions also used attacker digital signatures to resist hostile takeover. Reported follow-on payloads distributed through Sality included spam relays, HTTP proxies, information stealers, website infectors, credential theft components, and distributed cracking tools.

The family evolved from earlier information-stealing variants into a more full-featured threat with process injection, in-memory loading, downloader functionality, anti-security behavior, and rootkit capabilities. Reported behaviors include injecting code into running processes, creating mutexes to avoid duplicate infection, dropping DLL components such as %SYSTEM%\\wmdrtc32.dll and compressed copies such as %SYSTEM%\\wmdrtc32.dl_, and in some variants dropping a randomly named driver into %SYSTEM%\\drivers and creating the service/rootkit device amsint32. Sality variants have been reported to terminate antivirus and security processes and services, block access to security vendor resources, weaken host defenses through registry modification, delete SafeBoot registry data to prevent Safe Mode booting, hide files, steal cached passwords and keystrokes, and exfiltrate sensitive data. Symantec reported a mutex named uxJLpe1m as a strong indicator of infection.

Sality has been described as highly resilient because it combines file infection with a decentralized P2P botnet architecture. The malware has been associated with botnet activity used to relay spam, proxy communications, exfiltrate data, compromise web servers, and coordinate distributed computing tasks such as password cracking. Symantec reported hundreds of thousands of infected machines in 2011, with active botnet versions 3 and 4, and the content states heavily affected countries included India, Vietnam, and Morocco. The malware has also been referenced in later telemetry as a persistent commodity threat and as resurging in 2025 command-and-control detections.

Observed indicators and artifacts mentioned in the content include the mutex uxJLpe1m; DLL paths such as %SYSTEM%\\wmdrtc32.dll and %SYSTEM%\\wmdrtc32.dl_; the rootkit/service name amsint32; and, in one 2019 contamination case involving Pinebook Pro boot partitions, files augjb.pif, kithj.pif, and autorun.inf with SHA256 hashes 6245eb607e53209126191e4b6cdf7d64f52394f6bc6a2a9529a28ed49be19c82, 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4, and f5adcd0989f9c4033fcd214e8998dde85865c6bf178c4eaed94128e6f5389bd6 respectively; associated URLs hxxp://padrup[.]com[.]ds/sobaka1[.]gif and hxxp://paaaaad[.]fd[.]fd; and UDP contacts including 118.136.16.138:5614, 180.247.53.107:7866, 86.107.231.10:7534, 93.114.69.232:5684, 220.247.166.100:4492, 202.177.246.59:6715, 189.122.188.39:7538, 89.38.237.65:5064, 188.215.25.69:6310, 14.96.75.194:6130, 212.76.78.10:6260, 14.98.120.25:6740, 112.204.145.248:5300, and 200.8.145.17:6780.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 18, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
1 IP / 6 hostnames

Leading locations

  • DE3
  • IT1
  • US1

Leading providers

  • Leaseweb Deutschland GmbH3
  • Amazon.com, Inc.1
  • BT Italia S.p.A.1

Infrastructure traits

  • Hosting 4

Samples

Recent associated samples

Reported operators

Threat actors

1 named in public reporting
SALTY SPIDER

Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.

Exploited software

Vulnerabilities linked to Sality

1 CVEs

MITRE ATT&CK

Sality in ATT&CK

34 distinct techniques

Reporting

Research mentioning Sality

Aug 29
Scworld

State-sponsored attacks now make up 53% of vulnerability exploits

The Sality malware family overtook LummaC2 as the most popular malware observed in command-and-control (C2) detection references.

Mar 9
Vulncheck

The VulnCheck 2022 Exploited Vulnerability Report - Missing CISA KEV Catalog Entries

โ€œ...the cracking software drops malware on the host machine in order to join it to the Sality botnet.โ€

May 9
Cisa Advisories

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA

Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.

Nov 9
Dissecting Malware

About PINEs and supply chain attacks gone wrong

The initial VirusTotal Analysis revealed that the Files in question were related to the Sality Botnet.

Jan 30
Eset Welivesecurity

Walking through Win32/Jabberbot.A instant messaging C&C

We've seen peer-to-peer protocols, some custom (Sality), some standard (Win32/Storm uses the eDonkey P2P protocol).

Apr 22
Wikipedia En

Sality - Wikipedia

Sality is the classification for a family of malicious software infecting Microsoft Windows system files. Sality was first discovered in 2003... Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxy communications, exfiltrate sensitive data, compromise web servers, and/or coordinate distributed computing tasks.

Jun 18
Wikipedia Cyber Incidents

Operation: Bot Roast - Wikipedia

Listed under โ€œNotable botnetsโ€: โ€œSality โ€ฆโ€

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.