Microsoft has identified a new remote access trojan (RAT) designed to steal cryptocurrency from users by targeting digital wallet extensions on Google Chrome.
The malware, dubbed StilachiRAT, has been under investigation since November 2024, and security experts warn it poses a significant threat to crypto holders.
How StilachiRAT Operates
According to Microsoft’s Incident Response Team, StilachiRAT is capable of extracting credentials stored in the browser, scanning devices for crypto wallet extensions, and intercepting sensitive information such as private keys and passwords.
The malware has been found to specifically target at least 20 cryptocurrency wallets, including Bitget Wallet (formerly BitKeep), Trust Wallet, Coinbase Wallet, MetaMask, TronLink and OKX Wallet. Once deployed, it can steal stored digital assets by accessing clipboard data and extracting private credentials.
Microsoft’s research indicates that StilachiRAT operates stealthily, using various evasion techniques to avoid detection. The malware installs itself through a compromised library file, WWStartupCtrl64.dll, which executes remote commands to manipulate infected systems.
Once active, it scans the device for crypto wallet extensions and extracts saved credentials from Google Chrome’s local state files. A key feature of the malware is its ability to monitor clipboard activity, meaning if users copy and paste crypto wallet addresses or passwords, StilachiRAT can capture and redirect that information to the attacker.
Microsoft also found that the trojan includes anti-forensic capabilities, such as clearing event logs and detecting sandbox environments to avoid being analyzed by cybersecurity researchers.
Microsoft’s Response and Security Recommendations
At present, Microsoft has not attributed the attack to any specific hacker group but has warned that due to the nature of the malware ecosystem, StilachiRAT could evolve rapidly. In a blog post, the company stated:
Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape.
Microsoft advises users to take precautionary measures to avoid falling victim to StilachiRAT and similar threats. The company recommends installing antivirus software, enabling cloud-based anti-phishing and anti-malware protection, and ensuring all browser extensions come from trusted sources.
Users should also be cautious when copying and pasting wallet addresses and passwords, as malware like StilachiRAT specifically exploits clipboard data.
With increasing security risks in the crypto space, Microsoft’s warning highlights the importance of staying vigilant against cyber threats. As hackers develop more advanced techniques to compromise digital wallets, investors and everyday users must take proactive steps to secure their assets.
Featured image created with DALL-E, Chart from TradingView
