Microsoft has identified a new cybersecurity threat targeting cryptocurrency users. The malware, named StilachiRAT, is a remote access trojan (RAT) that infiltrates digital wallet extensions in Google Chrome.

First detected in November 2024, StilachiRAT is designed to steal sensitive information, including credentials stored in browsers, crypto wallet data, and clipboard activity. It specifically targets 20 wallet extensions, such as MetaMask, Trust Wallet, and Coinbase Wallet.

The malware operates stealthily, employing advanced anti-forensic techniques to evade detection. It can clear event logs, detect sandbox environments, and delay its connection to command-and-control (C2) servers to avoid immediate identification. StilachiRAT also gathers extensive system information, including hardware identifiers and active Remote Desktop Protocol (RDP) sessions.
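The event-log clearing described above leaves its own trace: Windows records a Security event 1102 ("The audit log was cleared") and a System event 104 when other channels are cleared. The following detection is an added example, not part of Microsoft's report; it scans constructed event records (JSON lines, with field names chosen here for illustration) for those two event IDs and flags a rapid burst of clears, which an automated tool produces and an administrator's one-off action usually does not.

```python
import json
from datetime import datetime

# Standard Windows "log cleared" events, keyed on (Channel, EventID).
LOG_CLEAR_SIGNATURES = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared (non-Security channel)",
}

# Constructed sample records in the shape of an exported event log (JSON lines).
SAMPLE_EVENTS = """\
{"TimeCreated": "2025-03-01T10:02:11Z", "Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-01T10:05:40Z", "Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-01T10:05:41Z", "Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-01T10:07:00Z", "Channel": "System", "EventID": 7036, "Provider": "Service Control Manager"}
"""

def parse_events(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def detect_log_clearing(events):
    """Return one finding per log-clearing event found in the records."""
    findings = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if key in LOG_CLEAR_SIGNATURES:
            findings.append({
                "time": ev.get("TimeCreated"),
                "channel": ev.get("Channel"),
                "event_id": ev.get("EventID"),
                "user": ev.get("SubjectUserName", "unknown"),
                "description": LOG_CLEAR_SIGNATURES[key],
            })
    return findings

def burst_of_clears(findings, window_seconds=60):
    """True if two or more clear events fall within window_seconds of each other."""
    times = sorted(datetime.fromisoformat(f["time"].replace("Z", "+00:00")) for f in findings)
    return any((b - a).total_seconds() <= window_seconds for a, b in zip(times, times[1:]))

if __name__ == "__main__":
    found = detect_log_clearing(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['time']} {f['channel']}/{f['event_id']} by {f['user']}: {f['description']}")
    print("burst of clears:", burst_of_clears(found))
```

Pair this with forwarding events to a collector before they can be cleared locally, since a cleared log on the host itself may retain only the 1102 record.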

Microsoft’s analysis revealed that the malware uses a DLL module named WWStartupCtrl64.dll to carry out its capabilities. These include extracting credentials saved in Chrome’s Local State file and intercepting sensitive details such as passwords and crypto keys from clipboard activity. Despite its advanced features, the malware has not yet been widely distributed.

The tech giant has not attributed StilachiRAT to any specific threat actor or region. However, it has emphasized the importance of sharing these findings to mitigate potential risks. Microsoft advises users to strengthen their security measures by using antivirus software, enabling real-time protection, and downloading software only from trusted sources.

The discovery of StilachiRAT highlights the growing sophistication of cyber threats targeting the crypto industry. Blockchain security firms have reported significant losses due to scams and hacks, with February alone witnessing $1.53 billion in damages.

Shogun Lin