Last seven days
- First activity
- Jul 18, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 1 IP / 6 hostnames
Sality is a long-running Windows malware family first discovered in 2003 and widely recognized as a polymorphic file infector and botnet/downloader platform.
Profile source: Mallory opens in a new tabSality
Sality is a long-running Windows malware family first discovered in 2003 and widely recognized as a polymorphic file infector and botnet/downloader platform. It infects Microsoft Windows system files, especially .EXE and .SCR executables, and spreads by infecting local files, replicating across network shares, and in some variants copying infected files to removable drives together with autorun.inf or related launcher files. Infected hosts join a decentralized peer-to-peer network over custom UDP-based communications, allowing bots to exchange signed URL lists and retrieve additional malware; later botnet versions also used attacker digital signatures to resist hostile takeover. Reported follow-on payloads distributed through Sality included spam relays, HTTP proxies, information stealers, website infectors, credential theft components, and distributed cracking tools.
The family evolved from earlier information-stealing variants into a more full-featured threat with process injection, in-memory loading, downloader functionality, anti-security behavior, and rootkit capabilities. Reported behaviors include injecting code into running processes, creating mutexes to avoid duplicate infection, dropping DLL components such as %SYSTEM%\\wmdrtc32.dll and compressed copies such as %SYSTEM%\\wmdrtc32.dl_, and in some variants dropping a randomly named driver into %SYSTEM%\\drivers and creating the service/rootkit device amsint32. Sality variants have been reported to terminate antivirus and security processes and services, block access to security vendor resources, weaken host defenses through registry modification, delete SafeBoot registry data to prevent Safe Mode booting, hide files, steal cached passwords and keystrokes, and exfiltrate sensitive data. Symantec reported a mutex named uxJLpe1m as a strong indicator of infection.
Sality has been described as highly resilient because it combines file infection with a decentralized P2P botnet architecture. The malware has been associated with botnet activity used to relay spam, proxy communications, exfiltrate data, compromise web servers, and coordinate distributed computing tasks such as password cracking. Symantec reported hundreds of thousands of infected machines in 2011, with active botnet versions 3 and 4, and the content states heavily affected countries included India, Vietnam, and Morocco. The malware has also been referenced in later telemetry as a persistent commodity threat and as resurging in 2025 command-and-control detections.
Observed indicators and artifacts mentioned in the content include the mutex uxJLpe1m; DLL paths such as %SYSTEM%\\wmdrtc32.dll and %SYSTEM%\\wmdrtc32.dl_; the rootkit/service name amsint32; and, in one 2019 contamination case involving Pinebook Pro boot partitions, files augjb.pif, kithj.pif, and autorun.inf with SHA256 hashes 6245eb607e53209126191e4b6cdf7d64f52394f6bc6a2a9529a28ed49be19c82, 37f1b6394a408e0a959b82ff118a526c1362b4ddc1db5da03c9ffa70acaebff4, and f5adcd0989f9c4033fcd214e8998dde85865c6bf178c4eaed94128e6f5389bd6 respectively; associated URLs hxxp://padrup[.]com[.]ds/sobaka1[.]gif and hxxp://paaaaad[.]fd[.]fd; and UDP contacts including 118.136.16.138:5614, 180.247.53.107:7866, 86.107.231.10:7534, 93.114.69.232:5684, 220.247.166.100:4492, 202.177.246.59:6715, 189.122.188.39:7538, 89.38.237.65:5064, 188.215.25.69:6310, 14.96.75.194:6130, 212.76.78.10:6260, 14.98.120.25:6740, 112.204.145.248:5300, and 200.8.145.17:6780.
C2 tracking
Derp observations, rolling seven-day window
Samples
062ae62dcb0d1842a9893eaff59ebcbb4b62c9bdcad1388743de8392cfa5f39a 5003913e164cc7faea1f7036aeb3fcf6b3fc5d93de8a25373c150ab9f09ec52c 6cd13252e333f2a56c1aeacd813b5b0a9b8a3c8a69ea5511b25e3e58b9807f31 bd69d700ab172f5dfee16ad1d5e5e8086345be82cfc17f437caac1a09fc591a3 e9e0bbce82e6cd70897abbd311ded01ee51affd818367d5af89ba489b7fb9253 039aa6ed2c8ba9296d3e9c80cfadefbc15c6a826540409cb1d674a6d4b34b2e3 0f03fb0dc7ac990e053fd178ce0e6e42b1f59d1f67a084983e2280846535e372 39f0e94ace33efff622db045da345eb3ad1085cde65d6713e8ad401978ad8d9c 65b4d71ac83c1e6590e3556a944a2f9e9b8a24aa0739e899c3ca9d2ec7155541 96654e004f665412589192daffde1feef8fef9d1214cd6b245ac1711bed0f0d0 Reported operators
Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.
Exploited software
MITRE ATT&CK
Reporting
The Sality malware family overtook LummaC2 as the most popular malware observed in command-and-control (C2) detection references.
โ...the cracking software drops malware on the host machine in order to join it to the Sality botnet.โ
Sality is a polymorphic file infector that was discovered in 2003; since then, it has been replaced by more advanced peer-to-peer (P2P) malware loaders.
The initial VirusTotal Analysis revealed that the Files in question were related to the Sality Botnet.
We've seen peer-to-peer protocols, some custom (Sality), some standard (Win32/Storm uses the eDonkey P2P protocol).
Sality is the classification for a family of malicious software infecting Microsoft Windows system files. Sality was first discovered in 2003... Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxy communications, exfiltrate sensitive data, compromise web servers, and/or coordinate distributed computing tasks.
Listed under โNotable botnetsโ: โSality โฆโ
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.