Sality is a long-running family of file-infecting Windows viruses. As documented by Malpedia (Fraunhofer FKIE), which cites F-Secure, the family has circulated in the wild since as early as 2003 and has been continually developed over the years with added capabilities such as rootkit and backdoor functionality, keeping it an active threat despite its age. It typically infects executable files on local, shared, and removable drives. Modern Sality variants can communicate over a peer-to-peer (P2P) network, allowing an operator to control a botnet of infected machines whose combined resources may be used for further malicious activity, such as attacking routers. The family is associated with the threat actor tracked as Salty Spider.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1027.001 T1562.001 T1055 T1090.001 T1547.001 T1080
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_SALITY {
meta:
description = "Detects Sality (file_infector)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "sality" ascii wide nocase
$s2 = "win32.sality" ascii wide nocase
$s3 = "sality.ae" ascii wide nocase
$s4 = "sality.gen" ascii wide nocase
$s5 = "kuku" ascii wide nocase
$s6 = "sality_p2p" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Sality Activity
id: feb308e1bd7c2b15631395fbc7020e3c
status: experimental
description: Detects generic indicators of the sality malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*sality*"
- "*win32.sality*"
- "*sality.ae*"
- "*sality.gen*"
- "*kuku*"
- "*sality_p2p*"
condition: selection
level: mediumSality is a family of file-infecting Windows viruses. According to Malpedia, citing F-Secure, it has circulated since as early as 2003 and infects executable files, and modern variants form a peer-to-peer botnet of infected machines.
Malpedia notes that Sality viruses typically infect executable files on local, shared, and removable drives. By attaching its code to legitimate executables, the virus spreads as those infected files are copied or run on other systems.
Per Malpedia, modern Sality variants can communicate over a peer-to-peer (P2P) network, which lets an attacker control a botnet of Sality-infected machines. The combined resources of that botnet may be used for further malicious actions, such as attacking routers.
Malpedia, citing F-Secure, explains that Sality has been developed and improved over the years with new features such as rootkit and backdoor functionality. This continued development has kept the family active and relevant despite the relative age of the malware.
Sality is detected under names including Win32/Sality and variant labels such as Sality.AE and Sality.gen, and is also historically associated with the name Kuku. Malpedia tracks the family under the symbol win.sality and associates it with the threat actor Salty Spider.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/sality.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.