TLDR
- A new remote access trojan, identified as StilachiRAT, has been detected by Microsoft, highlighting its focus on compromising 20 different cryptocurrency wallet extensions within the Google Chrome environment.
- This malware can pilfer browser credentials, wallet information, and clipboard data, all while expertly eluding detection.
- StilachiRAT crafts a distinct device identifier, monitors remote desktop sessions, and establishes communication channels with command-and-control servers.
- The malware is capable of executing a series of 10 commands, which include system shutdowns, clearing log data, and launching applications.
- Even though StilachiRAT is not currently widespread, Microsoft has disclosed this information to aid users in safeguarding themselves against this developing menace.
Microsoft has brought to light a new kind of malware specifically engineered to filch cryptocurrency. Their Incident Response Team uncovered the remote access trojan (RAT) in November 2024.
Known as StilachiRAT, this malware targets cryptocurrency wallets through browser extensions used in Google Chrome. Microsoft's revelations were shared in a blog post on March 17.
StilachiRAT is adept at stealing delicate information stored within web browsers, such as saved logins, cryptocurrency wallet particulars, and data copied to the clipboard.
This malicious software hunts for 20 different cryptocurrency wallet extensions, including well-known names such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet.
Upon installation, StilachiRAT meticulously scans the device settings to detect whether any of the targeted wallet extensions are present.
The trojan uses numerous techniques to capture information, including extracting credentials lodged in Chrome’s local state file.
Furthermore, it keeps a watchful eye on clipboard activities, enabling the capture of sensitive data such as passwords and crypto keys whenever users copy this information.
Microsoft detailed that StilachiRAT is equipped with stealth features to avoid detection, among them the clearing of event logs.
The malware can also discern if it's running within a test environment, which aids in obstructing analysis of its operations.
So far, Microsoft hasn’t pinpointed the creator of the malware nor linked it to any specific threat actors or locations.
They noted that StilachiRAT doesn’t seem to be prevalent at the moment but chose to disclose their insights to bolster user protections.
"Due to its sophisticated evasion skills and the rapid evolution within the malware domain, we've issued these findings," Microsoft's statement read, reflecting their commitment to keeping tabs on emerging threats.
Exploring StilachiRAT: Strategies of Deception Unveiled
StilachiRAT amasses a broad spectrum of system details, encompassing operating system information, hardware identifiers, and even the presence of cameras.
The malware forges a unique identifier on infiltrated devices, deriving this ID from the system’s serial number and the attackers’ public RSA key.
StilachiRAT links up with command-and-control servers remotely, leveraging TCP ports 53, 443, or 16000, chosen randomly for communication.
The malware actively checks for security tools, halting its operations if certain security software is detected.
To outwit security scans, StilachiRAT delays its initial network connection for two hours post-launch.
This malware can be deployed as either a Windows service or a standalone application, incorporating robust methods to avoid removal from compromised systems.
A watchdog thread vigilantly monitors both the EXE and dynamic link library files, ensuring they can be reconstructed from internal copies if deleted.
StilachiRAT can execute a variety of commands received from command servers, such as rebooting the system, clearing logs, seizing credentials, and running applications.
In addition, the malware can suspend the system, tweak Windows registry entries, and observe open windows, showcasing an adaptable command set for both surveillance and system manipulation.
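The behaviours described in the preceding paragraphs (command-and-control over TCP 53, 443 or 16000, a roughly two-hour pause before the first network connection, and clearing of event logs) translate directly into host-hunting rules. The Python below is an added example written for this article, not code from Microsoft or from the report it summarises. It runs over constructed, normalised host telemetry (Sysmon-style process-create and network-connect records, plus Windows "log cleared" events 1102 and 104); the sample records, the allow-lists of legitimate DNS and browser processes, and the 90-minute dormancy threshold are assumptions a defender would tune to their own environment.

```python
"""Triage rules for the StilachiRAT behaviours described above (added example).

The records in SAMPLE_EVENTS are constructed, normalised host telemetry:
event_id 1 = process created, 3 = outbound network connection (Sysmon
numbering), 1102 = Security log cleared, 104 = System log cleared.
They are made up for this example, not real captures.
"""
from collections import defaultdict
from datetime import datetime

C2_PORTS = {53, 443, 16000}                 # ports the article says the RAT picks from
DNS_CLIENTS = {"svchost.exe", "dns.exe"}    # assumed legitimate port-53 speakers on Windows
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed legitimate port-443 users
LOG_CLEARED_IDS = {1102, 104}               # Security / System log cleared
DORMANCY_MINUTES = 90                       # the RAT waits ~2 h before its first connection
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # unusual homes for a 443 client

CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
SUSPECT = "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"   # constructed, hypothetical binary

# Constructed sample telemetry (timestamps and addresses are invented).
SAMPLE_EVENTS = [
    {"event_id": 1, "time": "2025-03-10 08:55:00", "image": CHROME},
    {"event_id": 3, "time": "2025-03-10 08:56:10", "image": CHROME, "dest_ip": "198.51.100.7", "dest_port": 443},
    {"event_id": 3, "time": "2025-03-10 08:56:11", "image": SVCHOST, "dest_ip": "10.0.0.2", "dest_port": 53},
    {"event_id": 1, "time": "2025-03-10 09:00:00", "image": SUSPECT},
    {"event_id": 3, "time": "2025-03-10 11:05:00", "image": SUSPECT, "dest_ip": "203.0.113.10", "dest_port": 16000},
    {"event_id": 3, "time": "2025-03-10 11:06:00", "image": SUSPECT, "dest_ip": "203.0.113.10", "dest_port": 53},
    {"event_id": 3, "time": "2025-03-10 11:07:00", "image": SUSPECT, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"event_id": 1102, "time": "2025-03-10 11:30:00", "user": "alice"},
]


def _basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def triage(events):
    """Return {process basename or 'host': [finding, ...]} for events that match a rule."""
    findings = defaultdict(list)
    started = {}      # process basename -> first process-create time
    first_conn = {}   # process basename -> earliest outbound connection time

    for ev in events:
        eid = ev["event_id"]
        if eid in LOG_CLEARED_IDS:
            # Log clearing is host-wide; attribute it to the user rather than a process.
            findings["host"].append(f"event log cleared (id {eid}) by {ev.get('user', '?')}")
            continue

        name = _basename(ev["image"])
        if eid == 1:
            started.setdefault(name, _ts(ev["time"]))
        elif eid == 3:
            port = ev["dest_port"]
            when = _ts(ev["time"])
            first_conn[name] = min(first_conn.get(name, when), when)
            if port == 16000:
                findings[name].append(f"connection to non-standard C2 port 16000 ({ev['dest_ip']})")
            elif port == 53 and name not in DNS_CLIENTS:
                findings[name].append(f"user process talking directly on port 53 ({ev['dest_ip']})")
            elif (port == 443 and name not in BROWSERS
                  and any(m in ev["image"].lower() for m in USER_WRITABLE)):
                findings[name].append(f"non-browser in user-writable path using 443 ({ev['dest_ip']})")

    # Long dormancy between process start and first beacon, matching the RAT's delay.
    for name, when in first_conn.items():
        if name in started:
            gap = (when - started[name]).total_seconds() / 60
            if gap >= DORMANCY_MINUTES:
                findings[name].append(f"first outbound connection {gap:.0f} min after process start")

    return dict(findings)


if __name__ == "__main__":
    for subject, hits in triage(SAMPLE_EVENTS).items():
        print(subject)
        for hit in hits:
            print("  -", hit)
```

Port 443 alone is far too noisy to alert on, which is why the rule only fires for a non-browser binary living in a user-writable directory; the dormancy rule is the most specific of the four but needs process-create telemetry to pair with the network events, so it is best treated as a hunting query rather than a real-time alert.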
Microsoft advocates a series of safeguarding strategies, urging users to have antivirus and cloud-based anti-phishing measures on their systems.
They advise obtaining software solely from official platforms or reliable sources, a precaution against RATs disguised as legitimate programs.
Microsoft emphasizes the use of browsers with SmartScreen support, a feature capable of identifying and blocking harmful websites, including phishing sites.
For businesses utilizing Office 365, Microsoft suggests enabling Safe Links and Safe Attachments for enhanced protection against harmful content.
The emergence of StilachiRAT is set against the backdrop of rising cryptocurrency-related criminal activities. CertiK, a blockchain security company, reported almost $1.53 billion in losses to crypto scams and hacks as of February.
Chainalysis, a blockchain analytics organization, recorded $51 billion in illicit transaction volume in their 2025 Crypto Crime Report, indicating that crypto crime has evolved into a more professional field.
The report underscored new methods such as AI-powered scams, stablecoin laundering networks, and efficient cybercrime organizations, underscoring the continued evolution of crypto-theft tactics.
Microsoft keeps vigilant eyes on how StilachiRAT propagates, noting that malware of this kind can arrive through a variety of installation vectors.
The organization underscores the importance of bolstering security defenses, vital for preventing initial breaches and minimizing these threats' effects.