In early 2026, IIJ discovered unknown malware contained in a ZIP file uploaded from Japan to a public malware repository. The malware analysis has uncovered a highly capable Remote Access Trojan (RAT), internally identified as SLOTAGENT, based on embedded strings and file path artifacts. This malware demonstrates advanced post-exploitation capabilities, including support for executing Beacon Object File (BOF) payloads—functionality commonly associated with frameworks like Cobalt Strike. Additionally, it employs anti-forensic techniques such as time stomping, making detection and timeline analysis significantly more difficult.

The infection chain begins with the execution of a malicious binary, WindowsOobeAppHost.AOT.exe, which triggers the export function __managed__Main from a companion DLL file. Upon execution, the malware dynamically resolves Windows API calls using a custom API hashing mechanism based on XOR and ROR11 operations. This obfuscation technique helps evade static analysis and signature-based detection.
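To show how an analyst turns a hashed import into a readable name, here is an added example (not IIJ's tooling) that precomputes a hash-to-name table for the two hashing schemes this report describes: the loader's XOR/ROR11 hash and the DJB2-based hash used inside the RAT. The exact seed, operation order and any extra mixing are not given in the report, so `ror_xor_hash` and the `seed` defaults are assumptions to be adjusted against the disassembly; the API list is constructed.

```python
MASK = 0xFFFFFFFF

def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK

def ror_xor_hash(name: str, bits: int = 11, seed: int = 0) -> int:
    """Assumed shape of the loader's XOR/ROR11 hash: rotate, then mix in each byte.
    The report names the operations, not their order or seed; adjust to the disassembly."""
    h = seed
    for c in name.encode("ascii"):
        h = ror32(h, bits) ^ c
    return h

def djb2(name: str, seed: int = 5381) -> int:
    """Classic DJB2 (h = h*33 + c) truncated to 32 bits; the RAT's resolver is described
    as 'DJB2-based', so a different seed or case-folding may be needed."""
    h = seed
    for c in name.encode("ascii"):
        h = (h * 33 + c) & MASK
    return h

# Constructed API list for the lookup table; the report itself names NtCreateThreadEx.
KNOWN_APIS = ["NtCreateThreadEx", "VirtualAlloc", "VirtualProtect", "LoadLibraryA",
              "GetProcAddress", "NtAllocateVirtualMemory", "CreateRemoteThread"]

def build_table(names, hash_fn) -> dict:
    """Precompute hash -> name so constants pulled from the binary can be annotated."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if table.get(h, n) != n:
            raise ValueError(f"collision: {table[h]} vs {n}")
        table[h] = n
    return table

def annotate(hashes, table) -> dict:
    """Map hash constants (e.g. scraped from the resolver routine) to names or placeholders."""
    return {h: table.get(h & MASK, f"unknown_{h & MASK:08x}") for h in hashes}
```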

Next, encrypted data from a configuration file (db.config) is decrypted using RC4 encryption with a predefined key. The decrypted payload is then executed as shellcode via low-level Windows functions such as NtCreateThreadEx. This shellcode contains an XOR-encoded DLL payload, which is decoded using a 16-byte key and loaded reflectively into memory—further avoiding detection by traditional security tools.
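The two decryption stages above, reproduced as an added analysis helper (not the malware's or IIJ's code): RC4-decrypt the db.config blob, then locate and XOR-decode the embedded DLL with its 16-byte key. The real RC4 and XOR keys are not published here, and the report does not give the DLL's offset inside the shellcode, so the example carves it by scanning for an encoded MZ header and validating the PE signature; all sample data is constructed.

```python
import struct
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR with the key aligned to the start of `data`."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def is_pe(image: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def carve_xored_dll(shellcode: bytes, xor_key: bytes) -> Optional[bytes]:
    """Find where XOR-decoding with the 16-byte key yields a valid PE. The DLL's
    offset inside the shellcode is not stated in the report, so it is located by
    scanning for an encoded 'MZ' and validating the result (assumption)."""
    for off in range(len(shellcode) - 0x40):
        if shellcode[off] ^ xor_key[0] == 0x4D and shellcode[off + 1] ^ xor_key[1] == 0x5A:
            candidate = xor_repeating(shellcode[off:], xor_key)
            if is_pe(candidate):
                return candidate
    return None

def recover_dll(db_config: bytes, rc4_key: bytes, xor_key: bytes) -> Optional[bytes]:
    """Stage 1: RC4-decrypt db.config into shellcode. Stage 2: carve the XOR-encoded DLL."""
    return carve_xored_dll(rc4(rc4_key, db_config), xor_key)

# Constructed sample, not real SLOTAGENT data: a minimal PE-shaped blob, XOR-encoded,
# placed behind a few stub bytes and RC4-encrypted the way db.config is described.
FAKE_DLL = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x64\x86" + b"\0" * 30
SAMPLE_XOR_KEY = bytes(range(0x10, 0x20))   # 16 bytes, constructed
SAMPLE_RC4_KEY = b"demo-rc4-key"            # constructed, not the real key
SAMPLE_DB_CONFIG = rc4(SAMPLE_RC4_KEY, b"\x90" * 7 + xor_repeating(FAKE_DLL, SAMPLE_XOR_KEY))
```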
Once active, SLOTAGENT establishes communication with a hardcoded command-and-control (C2) server over TCP using a proprietary protocol. Data transmission follows a structured format: a 4-byte length field, a path string (e.g., /api/v1/stream/data), and a JSON payload separated by delimiters. The malware sends system information during initial communication and continues to exchange command execution results in JSON format.
To hinder reverse engineering, SLOTAGENT uses multiple layers of obfuscation. API calls are resolved via a DJB2-based hashing algorithm, and most internal strings—including command names—are encrypted using a TEA-like algorithm. These strings are only decrypted at runtime, complicating static analysis. To assist defenders, an IDAPython script has been developed to statically decrypt these strings, aiding in threat hunting and incident response.
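As an added illustration of what a static string decryptor does (this is not IIJ's IDAPython script and the real algorithm is only described as "TEA-like"), the block below implements textbook TEA and decrypts a blob of 8-byte blocks into a command name. The 16-byte key, little-endian word order, 32 rounds and NUL padding are assumptions; the encrypted samples are constructed from command names in the table.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

def tea_decrypt_block(v0: int, v1: int, k, rounds: int = 32):
    """Standard TEA decryption of one 64-bit block given as two 32-bit words."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def tea_encrypt_block(v0: int, v1: int, k, rounds: int = 32):
    """Inverse of the above; used only to build the constructed sample below."""
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def decrypt_string(blob: bytes, key: bytes) -> str:
    """Decrypt a blob of whole 8-byte blocks and strip NUL padding. Little-endian words,
    a 16-byte key and NUL padding are assumptions about the 'TEA-like' scheme."""
    k = struct.unpack("<4I", key)
    out = bytearray()
    for off in range(0, len(blob) - len(blob) % 8, 8):
        out += struct.pack("<2I", *tea_decrypt_block(*struct.unpack_from("<2I", blob, off), k))
    return out.rstrip(b"\0").decode("ascii", "replace")

def encrypt_string(text: str, key: bytes) -> bytes:
    """Pad to 8 bytes with NULs and encrypt block by block (sample construction only)."""
    k = struct.unpack("<4I", key)
    raw = text.encode("ascii")
    raw += b"\0" * (-len(raw) % 8)
    out = bytearray()
    for off in range(0, len(raw), 8):
        out += struct.pack("<2I", *tea_encrypt_block(*struct.unpack_from("<2I", raw, off), k))
    return bytes(out)

# Constructed sample: command names from the table, encrypted under a demo key.
SAMPLE_KEY = bytes(range(16))
ENCRYPTED_COMMANDS = {name: encrypt_string(name, SAMPLE_KEY) for name in ("screenshot", "savememory", "bof")}
```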
| Command name | Explanation |
|---|---|
| screenshot | Take a screenshot (BMP format) |
| download | Download a file |
| shell | Execute a remote shell |
| sysinfo | Retrieve system information |
| ps | Get information about running processes |
| ls | Get the paths of files and folders in the working directory |
| pwd | Get the path of the current working directory |
| upload | Upload a file (1) |
| sleep | Change the communication interval with the C2 server |
| kill | Kill any process using the taskkill command |
| cat | Get the contents of a file |
| write | Write a string to a file |
| rm | Delete files |
| touch | Tamper with the $SI ($STANDARD_INFORMATION) timestamps in the file attributes |
| bof | Run a BOF (Beacon Object File) |
| savememory | Obtain a memory dump of a process |
| upload_chunked | Upload a file (2) |
| download_url | Download a file from the specified URL |
| exit | Terminate malware execution |
| destroy | Delete the files associated with the malware and terminate its execution |
Our Opinion on the SLOTAGENT Threat Landscape
SLOTAGENT represents a clear evolution in commodity malware, blending techniques traditionally seen in advanced persistent threats (APTs) with modular and reusable components. Its ability to execute BOF payloads and reflectively load DLLs suggests that attackers are increasingly adopting red-team tooling for real-world attacks. This convergence raises the bar for defenders, as traditional antivirus solutions may struggle to detect such behavior-driven threats.
The use of layered encryption, API hashing, and custom communication protocols indicates a deliberate effort to evade both static and dynamic analysis. These techniques are not novel individually, but their combined implementation in SLOTAGENT demonstrates a mature development approach. This is particularly concerning for organizations lacking advanced endpoint detection and response (EDR) capabilities.
From a defensive standpoint, behavioral monitoring and memory analysis are critical. Indicators such as unusual API resolution patterns, reflective DLL loading, and anomalous outbound TCP connections should be prioritized in detection strategies. The availability of tools like IDAPython scripts for decrypting obfuscated strings is a positive step, but proactive threat hunting and continuous monitoring remain essential.
In conclusion, SLOTAGENT is not just another RAT—it is a signal of how modern malware is evolving. Organizations must adapt by investing in deeper visibility, threat intelligence integration, and skilled analysis to stay ahead of such threats.
IOCs:

| SHA-256 | Description |
|---|---|
| e62bbb6d100cac48018170a991f34dddfcbd0ca2b8f020800f97c85ef690e41b | ZIP archive containing the files required for execution |
| 97e0714ee7279feb558aa38ab9d4c279731d3000c501aff7ad5c2967c3cb987f | Encrypted SLOTAGENT (db.config) |
| c1681d3aae736585c1dd656fe3ad66dafd3712ad4125e09fc97a4f1e5f367548 | SLOTAGENT loader (WindowsOobeAppHost.AOT.dll) |
| a9c46b67ff938930b16b377df9ddf86f3a56ef9876267387f30299a069c98472 | SLOTAGENT (executes in memory) |
