Microsoft Uncovers New Crypto-Stealing Malware Targeting 20 Chrome Wallet Extensions

Microsoft has identified a new remote access trojan (RAT), dubbed StilachiRAT, which specifically targets cryptocurrency wallets held in 20 popular browser extensions for Google Chrome. Discovered by Microsoft’s Incident Response Team, the malware poses a significant risk to users of wallets such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet.

In a blog post published on March 17, Microsoft revealed that the malware was first detected in November 2024. StilachiRAT is capable of stealing sensitive data, including credentials stored in Chrome, digital wallet details, and clipboard contents.

How StilachiRAT Steals Crypto Wallet Data

Once deployed, StilachiRAT scans device settings to detect the presence of crypto wallet extensions. If any of the 20 targeted wallets are found, the malware activates various tools designed to siphon valuable data.

Microsoft highlighted that the WWStartupCtrl64.dll module within StilachiRAT enables these malicious actions. The malware extracts login credentials from Chrome’s local state files and monitors clipboard activity for crypto wallet keys and passwords. Additionally, it uses advanced evasion techniques to bypass detection, including clearing event logs and identifying sandbox environments to thwart analysis attempts.
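The behaviours listed above (clearing event logs, reading Chrome's local state files from a process that is not the browser, and the WWStartupCtrl64.dll module) are all visible in host telemetry. The following Python script is an added example, not code from Microsoft's report or from this article: it runs a simple detection pass over constructed Windows Security and Sysmon event records. The process names, file paths and the sample events are constructed for illustration; the event IDs used (1102 and 104 for a cleared log, 4663 for object access, Sysmon 7 for a loaded image) are real, and the object-access rule assumes file auditing is enabled on the Chrome profile directory.

```python
"""Detection pass over constructed Windows event records for the
behaviours attributed to StilachiRAT: event-log clearing, reads of
Chrome credential files by a non-browser process, and loading of the
WWStartupCtrl64.dll module.  Added example; not Microsoft's code."""

from dataclasses import dataclass
from typing import List

# Windows Security event IDs that record a cleared event log.
# 1102: the Security log was cleared; 104: another log (System/Application) was cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Chrome profile files holding saved credentials and the key that protects them.
CHROME_SENSITIVE_FILES = ("Local State", "Login Data")

# Module name quoted in Microsoft's report (the load path in the sample is constructed).
SUSPECT_MODULE = "wwstartupctrl64.dll"

# Processes that legitimately read Chrome's profile files (assumption for this example).
BROWSER_PROCESSES = {"chrome.exe"}


@dataclass
class Event:
    event_id: int
    process: str       # image name of the process that generated the event
    target: str = ""   # file path, loaded-module path or log name, depending on event


def classify(event: Event) -> List[str]:
    """Return a list of human-readable findings for one event (empty if benign)."""
    findings: List[str] = []

    # Any process clearing an event log is worth a look; StilachiRAT does this to evade analysis.
    if event.event_id in LOG_CLEARED_EVENT_IDS:
        findings.append(f"event log cleared by {event.process}")

    # Security 4663 (object access): a non-browser process touching Chrome's credential files.
    if event.event_id == 4663 and event.process.lower() not in BROWSER_PROCESSES:
        if any(event.target.endswith(name) for name in CHROME_SENSITIVE_FILES):
            findings.append(f"non-browser process {event.process} read {event.target}")

    # Sysmon 7 (image loaded): the module Microsoft names in the report.
    if event.event_id == 7 and event.target.lower().endswith(SUSPECT_MODULE):
        findings.append(f"{event.process} loaded {SUSPECT_MODULE}")

    return findings


def scan(events: List[Event]) -> List[str]:
    """Run classify() over a stream of events and collect every finding."""
    return [finding for event in events for finding in classify(event)]


# Constructed sample telemetry: one benign browser read, then activity from a
# hypothetical unknown process, a log clear, and the suspect DLL load.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    Event(4663, "chrome.exe", PROFILE + r"\Local State"),             # benign: browser itself
    Event(4663, "svchost_update.exe", PROFILE + r"\Local State"),     # suspicious read
    Event(1102, "wevtutil.exe", "Security"),                          # Security log cleared
    Event(7, "svchost_update.exe", r"C:\ProgramData\WWStartupCtrl64.dll"),  # module load
    Event(4663, "svchost_update.exe", r"C:\Users\alice\Documents\notes.txt"),  # not sensitive
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Run on the sample stream, the script reports three findings and stays silent on the browser's own read and on the unrelated document access. In a real deployment the three rules would come from different sources (the Security log and Sysmon), so a collector would normalise them into one stream first; the example folds that step into the `Event` type to keep the logic in one place.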

No Known Threat Actor Behind Attack Yet

While Microsoft has yet to attribute the malware to a specific threat actor, it emphasized the importance of public awareness to mitigate potential infections. “Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time,” the company noted. However, it cautioned that due to the trojan’s stealth features and the rapidly evolving malware landscape, sharing this information is crucial for protecting users.

Microsoft’s Recommendations for Protection

To defend against threats like StilachiRAT, Microsoft advises users to ensure their devices are equipped with robust antivirus solutions along with cloud-based anti-phishing and anti-malware tools. Staying vigilant and keeping software updated are key steps in minimizing the risk of crypto-related cyberattacks.