
    Microsoft Security Team Reveals Details of StilachiRAT Cryptocurrency Theft Malware

    March 18, 2025


    TLDR

    • Microsoft identified a new remote access trojan (StilachiRAT) that targets 20 cryptocurrency wallet extensions in Google Chrome
    • The malware can steal browser credentials, wallet information, and clipboard data while using evasion techniques to avoid detection
    • StilachiRAT creates a unique device ID, monitors RDP sessions, and establishes communication with command-and-control servers
    • The malware can execute 10 different commands including system shutdown, log clearing, and application launching
    • Despite not being widespread currently, Microsoft released the information to help users protect themselves from this emerging threat

    Microsoft has discovered a new type of malware specifically designed to steal cryptocurrency. The tech company’s Incident Response Team first found the remote access trojan (RAT) in November 2024.

    The malware, named StilachiRAT, targets cryptocurrency wallets through Google Chrome browser extensions. Microsoft shared their findings in a March 17 blog post.

    StilachiRAT can steal sensitive information stored in browsers. This includes saved login credentials, digital wallet details, and data copied to the clipboard.

    The malware works by looking for 20 different cryptocurrency wallet extensions. These include popular wallets like Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet.

    Once installed, StilachiRAT scans your device settings. It checks if any of the targeted wallet extensions are present on your system.

    The trojan uses several methods to steal information. It can extract credentials saved in Chrome’s local state file.

    It also monitors clipboard activity. This allows it to capture sensitive information like passwords and crypto keys as users copy them.

    Microsoft explained that StilachiRAT has features to avoid detection. These include the ability to clear event logs.

    The malware can also check if it’s running in a test environment. This helps it block attempts to analyze how it works.

    Currently, Microsoft cannot identify who created the malware. They haven’t linked it to any specific threat actor or location.

    The company stated that StilachiRAT doesn’t appear to be widespread right now. However, they decided to share their findings to help protect users.

    “Due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings,” Microsoft wrote. This is part of their effort to monitor and report on evolving threats.

    Inside StilachiRAT: Theft Tactics Revealed

    StilachiRAT gathers extensive system information. This includes operating system details, hardware identifiers, and camera presence.

    The malware creates a unique identifier on infected devices. This ID is derived from the system’s serial number and the attackers’ public RSA key.

    StilachiRAT connects to remote command-and-control servers. It uses TCP ports 53, 443, or 16000, selected randomly for communication.
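
A hunting heuristic for the port behaviour described above, as an added example that is not from Microsoft's report or the original article: it scans flow records for one process reaching the same peer on several of TCP 53, 443 and 16000, for any outbound TCP/16000, and for TCP/53 toward a host that is not an approved resolver. The record layout, host and process names, addresses and the resolver allowlist are constructed assumptions, and a match is a lead to investigate, not a confirmed detection.

```python
from collections import defaultdict

C2_PORTS = {53, 443, 16000}          # TCP ports named in the article
APPROVED_RESOLVERS = {"10.0.0.53"}   # assumption: the site's own DNS servers

# Constructed sample flow records: (host, process, protocol, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("ws-014", "chrome.exe",    "tcp", "203.0.113.10", 443),
    ("ws-014", "svchost.exe",   "udp", "10.0.0.53",    53),
    ("ws-022", "unknown.exe",   "tcp", "198.51.100.7", 16000),
    ("ws-022", "unknown.exe",   "tcp", "198.51.100.7", 53),
    ("ws-022", "unknown.exe",   "tcp", "198.51.100.7", 443),
    ("ws-031", "dnsclient.exe", "tcp", "10.0.0.53",    53),  # DNS over TCP to an approved resolver
    ("ws-040", "updater.exe",   "tcp", "192.0.2.44",   53),
]


def score_flows(flows, resolvers=APPROVED_RESOLVERS):
    """Return {(host, process, dst_ip): [reasons]} for flows matching the port pattern."""
    ports_seen = defaultdict(set)
    for host, proc, proto, dst, port in flows:
        # Only TCP on the listed ports is relevant; ordinary UDP DNS is ignored.
        if proto == "tcp" and port in C2_PORTS:
            ports_seen[(host, proc, dst)].add(port)

    findings = {}
    for key, ports in ports_seen.items():
        dst = key[2]
        reasons = []
        if 16000 in ports:
            reasons.append("outbound TCP/16000")
        if 53 in ports and dst not in resolvers:
            reasons.append("TCP/53 to non-resolver")
        if len(ports) >= 2:
            reasons.append(f"same peer on {len(ports)} of the listed ports")
        # A lone TCP/443 flow, or TCP/53 to an approved resolver, yields no reasons.
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (host, proc, dst), reasons in score_flows(SAMPLE_FLOWS).items():
        print(f"{host} {proc} -> {dst}: {'; '.join(reasons)}")
```
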

    The malware checks for the presence of monitoring tools. It won’t proceed if it detects certain security software running.

    StilachiRAT delays its initial connection by two hours. This is likely an attempt to avoid detection during security scans.

    The malware can be launched either as a Windows service or as a standalone component. It has mechanisms to ensure it isn’t removed from the system.

    A watchdog thread monitors both the EXE and dynamic link library files. If these files are deleted, they can be recreated from an internal copy.

    StilachiRAT can execute various commands received from the control servers. These include system reboots, log clearing, credential theft, and executing applications.

    The malware can also suspend the system, modify Windows registry values, and monitor open windows. This shows a versatile command set for both spying and system control.

    Microsoft recommends several protection measures. Users should have antivirus software and cloud-based anti-phishing components on their devices.

    The company advises downloading software only from official websites or trusted sources. This helps avoid RATs that masquerade as legitimate software.

    Microsoft encourages users to use browsers that support SmartScreen. This feature can identify and block malicious websites, including phishing sites.

    For organizations using Office 365, Microsoft recommends enabling Safe Links and Safe Attachments. These features provide additional protection against malicious content.

    The rise of StilachiRAT comes amid increasing cryptocurrency-related crime. According to blockchain security firm CertiK, losses to crypto scams and hacks totaled nearly $1.53 billion in February alone.

    Blockchain analytics firm Chainalysis reported $51 billion in illicit transaction volume in their 2025 Crypto Crime Report. They noted that crypto crime has entered a more professional era.

    The report highlighted AI-driven scams, stablecoin laundering, and efficient cyber criminal organizations. These tactics show how crypto theft methods continue to evolve.

    Microsoft continues to monitor information about how StilachiRAT spreads. They note that malware like this can be installed through multiple vectors.

    The company emphasizes that security hardening measures are critical. These help prevent initial compromise and reduce the potential impact of such threats.


