The sub-techniques beta is now live! Read the release blog post for more info.


Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[1][2]

ID: S0345
Platforms: Windows
Version: 1.0
Created: 30 January 2019
Last Modified: 12 February 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[1]

Enterprise T1094 Custom Command and Control Protocol

Seasalt uses a custom binary protocol for C2.[1]

Enterprise T1083 File and Directory Discovery

Seasalt has the capability to identify the drive type on a victim.[2]

Enterprise T1107 File Deletion

Seasalt has a command to delete a specified file.[1]

Enterprise T1036 Masquerading

Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[1]

Enterprise T1050 New Service

Seasalt is capable of installing itself as a service.[1]

Enterprise T1027 Obfuscated Files or Information

Seasalt obfuscates configuration data.[1]

Enterprise T1057 Process Discovery

Seasalt has a command to perform a process listing.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Seasalt creates a Registry entry to ensure infection after reboot under HKLM\Software\Microsoft\Windows\currentVersion\Run.[2]

Enterprise T1105 Remote File Copy

Seasalt has a command to download additional files.[1][1]

Enterprise T1071 Standard Application Layer Protocol

Seasalt uses HTTP for C2 communications.[1]

Groups That Use This Software

ID Name References
G0006 APT1 [1] [2]