Microsoft Uncovers StilachiRAT Targeting Cryptocurrency Wallets

Generated by AI Agent Coin World
Wednesday, Mar 19, 2025 8:36 am ET

Microsoft has recently uncovered a new and sophisticated remote access trojan (RAT) named StilachiRAT, which specifically targets cryptocurrency wallet extensions within the Google Chrome browser. This discovery highlights the increasing sophistication of cybercriminal tactics aimed at exploiting digital assets and underscores the urgent need for enhanced security measures among cryptocurrency users.

First identified by Microsoft’s Incident Response Team in November 2024, StilachiRAT employs advanced techniques designed to evade detection and maintain persistence within compromised systems. The malware is engineered to exfiltrate a broad spectrum of sensitive data, including credentials stored in the browser, digital wallet information, clipboard data, and comprehensive system details. This capability allows attackers to access usernames and passwords stored within the browser, thereby facilitating unauthorized entry into various accounts.

StilachiRAT’s primary focus is on cryptocurrency wallet extensions used within the Google Chrome browser. The malware scans for configuration data from over 20 different wallet extensions, including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Bitget Wallet, and Phantom. By targeting these extensions, StilachiRAT aims to harvest sensitive information that could lead to unauthorized access and potential theft of digital assets.

To ensure its stealth and persistence, StilachiRAT employs several sophisticated strategies. These include anti-forensic measures, such as deleting system logs and checking computer settings before executing commands, thereby minimizing traces of its presence. Additionally, the malware can execute a variety of commands received from its command-and-control (C2) server, including rebooting the system, clearing logs, stealing credentials, launching applications, and manipulating system windows.

As of now, StilachiRAT has not been widely distributed, and Microsoft has not attributed it to any known threat actor or geographic region. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, Microsoft has shared these findings as part of its ongoing efforts to monitor, analyze, and report on the evolving threat landscape.

In light of this discovery, users are advised to exercise heightened caution, particularly when handling cryptocurrency wallet extensions. Recommendations include avoiding the storage of sensitive information in browsers, maintaining updated security software, and being cautious with downloads and links from untrusted sources. By implementing these precautions, users can significantly reduce the risk of falling victim to threats like StilachiRAT and safeguard their digital assets against unauthorized access.
