{
  "family": "sality",
  "sample_count": 18572,
  "category": "file_infector",
  "description": "Sality is a long-running polymorphic file infector and peer-to-peer botnet family active since 2003 that infects executable files and connects victims to a decentralized P2P network used for spam, credential theft, and additional payload delivery. Its decentralized architecture makes Sality unusually resilient to takedown because there is no central command server to disrupt. Sality infects Windows PE files, modifies the registry for persistence, and disables security software. It remains a common finding in legacy or poorly-maintained Windows environments.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "sector",
    "kuku",
    "kookoo",
    "sectorx"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Sality?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Sality is a long-running polymorphic file infector and peer-to-peer botnet family active since 2003 that infects executable files and connects victims to a decentralized P2P network used for spam, credential theft, and additional payload delivery. Its decentralized architecture makes Sality unusually resilient to takedown because there is no central command server to disrupt. Sality infects Windows PE files, modifies the registry for persistence, and disables security software. It remains a common finding in legacy or poorly-maintained Windows environments."
      }
    },
    {
      "@type": "Question",
      "name": "How does Sality spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Sality is a polymorphic file infector that spreads through infected executables on network shares and removable media, and through peer-to-peer file sharing."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Sality infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Modified executable files across the system, disabled security software, peer-to-peer botnet traffic, and AV detections for Sality, Sector, or Kookoo are characteristic signs."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Sality on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1027",
    "T1547.001",
    "T1559"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}