New Java-Based Sayler RAT Targets Polish Speaking Users

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) came across a Java Archive (JAR) file on VirusTotal with zero detection, and subsequent analysis revealed that it is a Remote Access Trojan (RAT) identified as “Sayler.”
  • Our analysis indicates that the Sayler RAT is intentionally designed to target Polish language users.
  • Sayler RAT comprises malicious features, including a Keylogger, Information Stealer, Screen Capture, Ransomware, and additional functions.
  • The Threat Actor (TA) employs a socket connection to facilitate communication between the client and server, enabling various functions such as data exchange, remote control access, and others.
  • The RAT includes Server GUI code and utilizes Discord for exfiltration.


On October 25th, CRIL came across an undetected Java Archive (JAR) file named “Java.jar” on VirusTotal. Upon investigation, it was determined that the JAR file is a new Remote Access Trojan named “Sayler.”

Figure 1 – Identification of Sayler RAT

Sayler RAT is designed to provide covert remote access and control over a targeted computer. This RAT is stealthily installed on a system, giving the attacker the means to execute a range of unauthorized actions. These actions encompass taking control of the victim’s desktop, stealing sensitive data, capturing the screen, monitoring keystrokes, and even engaging in activities such as carrying out Ransomware attacks.

Upon further analysis, it becomes evident that numerous strings within the malware file are written in Polish. Additionally, the package name “pl.sayler” in the code also coincides with the two-letter country code “pl” for Poland. Furthermore, it’s worth noting that the file was submitted to VirusTotal from Poland. In conjunction, these factors strongly suggest that the JAR file may be designed for use in a campaign targeting Polish users.

Initial Infection

The origin of the Sayler RAT’s initial infection is unknown. The malware may infiltrate a user’s system through channels such as spam emails or deceptive phishing websites.

Technical Analysis

We have taken a Java Archive file named “Java.jar,” which has a size of 12.57 MB, for analysis.

The main class within the file is “” Inside this class, a main method is present, which internally invokes another method named “Client” with the parameters “host” and “port,” as illustrated in the figure below. This is likely intended to set up a communication channel with a remote server that is controlled by the attacker, serving purposes such as data exchange, remote access, and more.

Figure 2 – Main method


The figure below shows the Java class “Settings,” which contains various configuration settings of the malware. Notable settings include a Discord webhook URL for sending notifications, a file path for a keylogger, path for the file named “blocked” (this file is used to determine the computer’s state, indicating whether it is ‘blocked’ or ‘unblocked’), a version number, and options to enable or disable sound and menu notifications, as well as specifying whether packet communication should be asynchronous or synchronous.

Figure 3 – Settings of Sayler RAT

Main Method

Upon execution of the .jar file, the main method invokes the Client() method with the arguments “host” and “port.” This method performs the main functionalities of the malware, as illustrated in the provided code snippet below.

Figure 4 – Overall functions of the Client

The Client() method first calls the registerGlobalScreenListeners() function, which sets up global input event listeners for keyboard and mouse events using the GlobalScreen library. These listeners capture low-level keyboard and mouse input events, allowing for the recording and handling of these events, typically for further processing or logging. The code snippet for the registerGlobalScreenListeners() method is shown in the following figure.

Figure 5 – registerGlobalScreenListeners() method

Then, it invokes the checkComputerIsBlocked() method to determine the computer’s state. It checks the existence of a file named “blocked” within the RAT directory.

  • If the file is found, the function returns true, indicating that the computer is considered “blocked.”
  • Conversely, if the file is not present, the function returns false, signifying that the computer is not in a “blocked” state.

The result is then stored in the variable named computerBlocked.

Following the computer’s state check, the malware proceeds to set up multiple components, including the process killer, ransomware, screen capture, keylogger, and block computer mouse listener, as shown below.

Figure 6 – Initializing multiple components

Process Killer

The ProcessKiller class is designed to terminate specific processes (such as taskmgr.exe, regedit.exe, and SystemSettings.exe) on the computer, primarily aimed at blocking access to essential system tools. Terminating these processes is an attempt by the malware to avoid detection and interference, thereby making it more difficult for users to detect and eliminate them.

Initially, it sets the” killing” flag based on the result of the computerIsBlocked() method, which fetches its value from the computerBlocked variable. If the” killing” flag is true, it calls the start() method, which utilizes a timer-based approach to repeatedly attempt to terminate the specific processes until the “killing” flag is set to false. When the” killing” flag is False, it stops the termination operation by invoking the stop() method, as shown in the below code snippet figure.

Figure 7 – Code snippet of Process killer


The code defines a class called RansomWare, which is responsible for encryption and decryption of files. When the ransomware encrypts a file using the cryptFile() method, it essentially renames the original file by giving it a random name and appending a “.locked” extension. Subsequently, the encrypted file is moved to a new location within the ransomware directory. Notably, the code avoids encrypting files located within the ransomware directory itself. After encrypting a specified number of files, it saves the information of these encrypted files into a file within the ransomware directory.

Additionally, it provides functionality to decrypt files based on the saved information. The program can decrypt all files in the ransomware directory and delete the set of encrypted files. The RansomWare class in the provided code does not include logic for displaying a ransom note or for targeting specific file extensions for encryption. This implies that the code might be incomplete or not fully developed. The code snippet for the Ransomware class is shown in the below figure.

Figure 8 – Code snippet of Ransomware

Screen Capture

The CaptureLiveScreen class captures the live screen of the computer at fixed intervals and sends the captured image data to a Client object. The screen capture process is conditional, based on the value of the capturing variable, which sets its value based on the computer’s state (which gets its value from the computerBlocked variable). The screen capture occurs in the background, and it’s initiated and controlled by the start() and stop() methods. The code snippet for the CaptureLiveScreen class is shown in the figure below.

Figure 9 – Code snippet of the Capture screen


The class KeyLogger is designed to function as a keylogger, capturing and logging keystrokes on a computer system. It implements the NativeKeyListener interface, allowing it to monitor keyboard events. This class initializes instance variables, including the log file path, an enabled flag, and a reference to a Client object for potential data transmission. The constructor ensures the existence of the log file and a designated directory. When a key is pressed (as detected by the nativeKeyPressed method), the keylogger records it in the log file. The class also offers the ability to enable or disable the keylogger, send the log file to a remote server, and clear the log content, as shown in the following code snippet image.

Figure 10 – Code snippet of the Keylogger


The BlockComputerMouseListener class functions as an event listener for mouse and keyboard events. When it detects that the computer is in a “blocked” state, it takes actions to potentially disable or disrupt the computer, including restarting the Windows Explorer shell and initiating a system shutdown, as shown below.

Figure 11 – BlockComputerMouseListener class

Other Modules

In addition to incorporating modules for functions such as process killer, ransomware, screen capture, keylogger, and mouse interaction blocker, the malware also includes code for modules like Stealer, older versions of ransomware, and more.


The stealer code is designed to illicitly acquire sensitive data, including login credentials (usernames and passwords), browsing histories, and web data (such as credit card information) from a wide range of web browsers. These targeted browser paths are mentioned in the table below.

Opera StableAmigoSlimjetChromodo
Opera GX StableVivaldi360BrowserYandex Browser
Google ChromeOrbitumMaxthon3 
Google Chrome (x86)Mail.Ru\AtomK-Melon 
Microsoft EdgeKometaSputnik 
ChromiumComodo DragonNichrome 
Brave BrowserTorchCocCoc Browser 
Privacy BrowserComodouCozMedia\Uran 

The gathered information is stored in separate text files with filenames corresponding to the type of data, such as “browser_accs.txt” for browser accounts, “browser_cards.txt” for credit card details, and “browser_history.txt” for browsing history. Furthermore,

  • The code collects various computer-related details, such as the computer name, username, RAM information, operating system information, system version information, processor details, and the Windows product key.
  • The code gathers internet-related information, including the IP address, country name, city name, region name, version information, postal code, latitude and longitude coordinates, and the organization associated with the IP address.

In addition to browser and system data, the code is also designed to steal tokens from popular applications like Discord and Minecraft.

The image below depicts the different classes utilized by the RAT to perform data-stealing operations on the victim’s computer.

Figure 12 – Stealer functionalities

Init() Method

After the initialization of various components, the malicious code invokes the private method init(), which is responsible for configuring a graphical user interface (GUI) for a client application using the Java Swing framework. This code sets up a GUI client interface with the ability to send packets, log messages, and determine whether to send packets asynchronously or not, as shown in the code snippet below. The command-and-control (C&C) server responds in accordance with the packets it receives.

Figure 13 – Init() method

If the computerBlocked variable is set to “true”, the code calls the blockMouse() method, which is designed to block mouse input by continuously resetting the mouse cursor’s position to a specific coordinate.

Next, it calls the sendWebhookInfo() method, which sends a Discord webhook message (“New user joins the server”) with a specified username, avatar, and embedded content, including the “info” parameter and the user’s computer name, and enables TTS (Text-to-Speech) for the message, as shown in the below image. This Discord webhook is used for data exfiltration from the victim’s system.

Figure 14 – Discord webhook details

The figure below shows the Discord webhook code, which contains the malware Avatar image.

Figure 15 – Discord webhook code
Figure 16 – Avatar image used in the Discord


After sending the webhook message, it copies the malware file into the “%appdata%\Oracle\AIR” location. It creates two run registry entries for persistence, which starts the malware file every time the system starts, as depicted in the figure below.

Figure 17 – Persistence

Following that, the malware establishes a scheduled task using a Timer in Java to periodically monitor the status of a socket connection. If the socket is either null, closed, or not connected, it attempts to establish a connection using the tryConnect() method and, upon success, invokes the connected() method.

Connected() Method

Upon execution of the connected() method, it again calls the addToStartup() method to create persistence. Then, it calls the method named sendConnectedClientPacket(), which is responsible for gathering various pieces of information about the client’s system, creating a specific packet with this information, and then sending that packet to the server to notify it of the client’s connection. This information may be used for various purposes on the server side, such as tracking client connections or version management etc.

The code snippet for the connected() method is shown in the image below.

Figure 18 – Connected() method

Once the connected client system information has been sent, the code initiates a new thread to run the registerReceivePacketsListener() method in parallel with the main thread. This new thread continuously monitors an input stream for incoming objects. When an object is received and identified as a “Packet,” it proceeds to process these packets using the processReceivedPacket() method. Additionally, within the processReceivedPacket() method, a new thread is generated to manage the received packets. The received packets contain commands from the attacker specifying the operation they intend to execute.

The registerReceivePacketsListener() methodis shown in the following code snippet figure.

Figure 19 – Code snippet of registerReceivePacketsListener()

Received Packets

The Sayler RAT carries out its malicious operations based on the packets it receives from the server. These functionalities include:

Received PacketsDescription
Capture camera imageThis function allows the RAT to take pictures or access the camera feed on the infected computer.
Open/Close/Send a chat messageThe RAT can open, close, and send chat messages on the compromised system.
Requesting block/unblock computerThe RAT can request to block or unblock certain actions or functionality on the victim’s computer.
Requesting disable computerThis function disables the victim’s computer, potentially rendering it unusable.
Requesting enable/disable computer hibernateThe RAT can enable or disable the hibernation feature on the compromised computer.
Get fileThis function allows the RAT to request files from the infected computer.
Run fileIt permits the RAT to execute specific files or programs on the victim’s system.
Delete fileThis functionality allows the RAT to delete files on the infected computer.
Download fileThe RAT can use this to download files from the victim’s machine to the attacker’s server.
File TransferThis likely refers to the capability to transfer files between the compromised system and the attacker’s server.
Enable/Disable KeyLoggerThe RAT can activate or deactivate a keylogger on the victim’s computer, which records keystrokes.
Send KeyLogger LogsThis allows the RAT to transmit the recorded keylogger logs to the attacker.
Clear KeyLogger LogsThe RAT can clear or delete the logs generated by the keylogger to erase traces of its activity.
Send keyboard keysThis function enables the RAT to simulate and send keyboard inputs, potentially to control the infected system.
Block/Unblock mouseThe RAT can block or unblock mouse input, potentially restricting the victim’s actions.
Send mouse clickIt allows the RAT to simulate mouse clicks, potentially controlling the victim’s system.
Set mouse positionThe RAT can change the mouse cursor’s position on the infected computer.
Running console commandThis function lets the RAT execute command-line instructions on the victim’s machine.
Request to visit a web pageThe RAT can request the victim’s computer to open a specific web page, possibly for phishing or malicious purposes.
Block/Unblock processesIt can block or unblock specific processes running on the infected computer.
Sending process listThis function sends a list of processes running on the victim’s computer to the attacker.
Killing processThe RAT can terminate or kill specific processes on the infected system.
Ransomware crypt files processThis function is related to the encryption of files as a part of a ransomware attack.
Ransomware decrypt files processThis function is related to the decryption of files, potentially after a ransom payment.
Capture desktop screenThe RAT can capture screenshots or the desktop screen on the victim’s computer.
Requesting steal browser accountsThis function likely involves stealing login credentials from web browsers.
Requesting steal browser credit cardsIt is likely used to steal credit card information stored in web browsers.
Requesting steal browser historyThis function may be used to steal browsing history data from web browsers.
Requesting steal computer infoThis involves requesting information about the victim’s computer.
Requesting steal discord tokensThe RAT can request to steal Discord authentication tokens.
Requesting steal internet infoThis function involves requesting information about the victim’s internet connection or activity.
Console logThe RAT can generate logs for its activities, potentially for debugging or tracking purposes.

The figure below illustrates the various classes employed by the RAT to carry out malicious functions on the victim’s computer.

Figure 20 – Classes employed by the RAT to carry out malicious functions

Finally, the malware sends all the collected information through the sendWebhookInfo() function to the server in a JSON format. Conversely, if the socket is already connected, the code logs “Already connected.” This task repeats at 10-second intervals, ensuring the ongoing monitoring and maintenance of the connection status.

Server GUI

The malware also includes a server GUI code designed to create a graphical interface for server management. This interface allows the attacker to monitor and control connected clients, execute actions on them, and adjust server settings. This GUI offers an intuitive interface for an attacker to oversee their network of compromised clients, as shown in the below code snippet figure.

Figure 21 – Server GUI code snippet


The emergence of the Sayler RAT, with a specific focus on targeting Polish-speaking users, raises significant concerns in the realm of cybersecurity. This malicious software boasts a formidable arsenal of features, encompassing a Keylogger, Information Stealer, Screen Capture, Ransomware, and additional capabilities.

However, the presence of incomplete Ransomware code, lacking the logic for displaying a ransom note or selectively encrypting specific file extensions, suggests that the RAT may still be in its developmental phase. Furthermore, the utilization of Discord webhooks for data exfiltration signifies a level of sophistication in communication methods. The evolving nature of this threat underscores the importance of heightened vigilance and proactive security measures among potential victims and organizations to counter this emerging risk effectively.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • The initial breach occurs via spam emails or deceptive websites. Therefore, it’s advisable to deploy strong email filtering systems for identifying and preventing the dissemination of harmful attachments and to only download and install software applications from reputable and trusted sources.
  • Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques

Tactic TechniqueProcedure
Execution  (TA0002)Command and Scripting
Interpreter: Windows
Command Shell
cmd.exe is used to run commands like taskkill.
Persistence (TA0003)Registry Run Keys / Startup
Drops copy of the malware file to the %appdata% folder and adds Run registry entry.
Defense Evasion (TA0005)Disable or Modify Tools
The malware kills the Task manager and registry editor processes.
Defense Evasion (TA0005)Modify Registry (T1112)Modifying Windows registry.
Access (TA0006)
OS Credential Dumping
Tries to harvest and steal browser information.
Discovery (TA0007)Process Discovery (T1057)Queries a list of all running processes.
Discovery (TA0007)System Information
Discovery (T1082)
The malware gathers system information through
various methods.
Discovery (TA0007)File and Directory
Discovery (T1083)
Enumerate files and folders for ransomware
Data from Local System
Tries to harvest and steal browser information.
Non-Application Layer
Protocol (T1071)
Using sockets for network communication.

Indicators of Compromise (IOCs)

Indicators Indicator
3a285221a2ee58369c4d39d2ee508b3d d04754ca5c9853d4f5688ddafd76b125306dd01b ad79376aa24df8dab799d4fb4c5d0c913fda03bfea65cbd80923a5919bb1e9b9Md5
Sha1 Sha256
9f36aa7edd5e1f19b541f209386bc7ea ed51900e5b6bb58c116236aff1ed3dec4440702b 1349f1ac1da22cb2f2251a7e26dbc1e8716504c76d623d800e96295b8cdd00ebMd5
Sha1 Sha256

Scroll to Top