Date: 2025-03-18

Microsoft has alerted users to a newly identified malware, StilachiRAT, which targets cryptocurrency wallets and collects sensitive browser information, including data from Google Chrome.

In an announcement, Microsoft described StilachiRAT as a remote access trojan (RAT) with advanced capabilities to evade detection and steal data.

The malware poses significant risks to cryptocurrency users by actively scanning for wallet extensions in Chrome, targeting at least 20 wallets such as MetaMask, Trust Wallet, Phantom, Coinbase, BNB Chain, and Bitget Wallet.

Once it identifies wallet extensions, StilachiRAT extracts credentials and configuration details, enabling attackers to drain funds from victims’ wallets.

Threat to Digital Asset Security

StilachiRAT also monitors clipboard activity, searching for cryptocurrency keys or passwords that users may have copied. This makes it a serious security threat for digital asset holders.

The malware grants attackers the ability to execute remote commands, clear logs, and manipulate registry settings to maintain persistent access. It uses anti-forensic techniques, including identifying analysis tools and delaying execution, to bypass security defenses.
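Two of the behaviours listed above, clearing event logs and writing registry values to stay persistent, leave traces in ordinary Windows telemetry. The following detector is an added example written for this article; it is not code from Microsoft's report and the article does not say which registry values StilachiRAT writes. It assumes events have been exported as one JSON object per line with the standard field names (EventID, Channel, Computer, SubjectUserName, and Sysmon's Image, TargetObject and Details), uses the well-known event IDs 1102 (Security log cleared), 104 (System log cleared) and Sysmon 13 (registry value set), and treats the Run/RunOnce keys as the persistence location to watch. The sample records are constructed for the demo.

```python
"""Added example (not from the article or Microsoft's report): scan exported
Windows / Sysmon events for two behaviours the article attributes to
StilachiRAT, event-log clearing and registry-based persistence."""
import json
import re

# Constructed sample export: one JSON event per line. Not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 4624, "Channel": "Security", "Computer": "WS01", "TargetUserName": "alice"}
{"EventID": 1102, "Channel": "Security", "Computer": "WS01", "SubjectUserName": "alice"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01", "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"}
{"EventID": 13, "Channel": "Microsoft-Windows-Sysmon/Operational", "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\NtpServer", "Details": "time.windows.com"}
{"EventID": 104, "Channel": "System", "Computer": "WS01", "SubjectUserName": "alice"}
"""

# (EventID, Channel) pairs that mean an event log was cleared.
LOG_CLEARED = {(1102, "Security"), (104, "System")}

# Registry paths commonly used for persistence (assumption for this example;
# extend with the locations your own baseline cares about).
PERSISTENCE_KEYS = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)


def parse_events(text):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A single corrupt line should not discard the whole batch.
            continue
    return events


def detect(events):
    """Return an alert dict for every event matching one of the two rules."""
    alerts = []
    for ev in events:
        if (ev.get("EventID"), ev.get("Channel")) in LOG_CLEARED:
            alerts.append({
                "rule": "event_log_cleared",
                "computer": ev.get("Computer"),
                "user": ev.get("SubjectUserName"),
                "channel": ev.get("Channel"),
            })
        elif ev.get("EventID") == 13 and PERSISTENCE_KEYS.search(ev.get("TargetObject", "")):
            alerts.append({
                "rule": "run_key_persistence",
                "computer": ev.get("Computer"),
                "image": ev.get("Image"),
                "target": ev.get("TargetObject"),
                "value": ev.get("Details"),
            })
    return alerts


def scan(text):
    """Convenience wrapper: parse an export and run the rules over it."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed export the scanner raises three alerts: the Security log being cleared, a Run-key value pointing at an executable under the user's AppData directory, and the System log being cleared; the benign W32Time registry write is ignored. A log-cleared event should be rare enough on workstations to be worth an analyst's attention on its own, and pairing it with a new Run-key value from the same host in the same window is a stronger signal than either alone.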

One of StilachiRAT’s most concerning features is its capability for system reconnaissance. The malware collects detailed information about infected devices, such as operating system data, hardware identifiers, and active applications.

Additionally, it monitors Remote Desktop Protocol sessions, allowing attackers to impersonate users and spread laterally across networks.

Microsoft’s Recommendations

While the malware is not yet widespread, Microsoft has emphasized the importance of proactive defense. “Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security hardening measures to prevent the initial compromise,” the company warned.

To mitigate risks, Microsoft recommended several measures:

Download software only from official sources.

Enable Microsoft Defender real-time protection.

Turn on cloud-delivered security.

Utilize SmartScreen to block malicious websites.

What you should know

The crypto industry has long faced sophisticated malware and cyberattacks, with hackers continually refining their techniques to exploit vulnerabilities.

From wallet-draining trojans to phishing scams, the sector remains a prime target.

In one notable case, the $1.4 billion Bybit hack, the largest cryptocurrency theft to date, allegedly began with malware disguised as a fake stock investment platform.

StilachiRAT can launch various commands received from the C2 server. These commands include system reboot, log clearing, credential theft, executing applications, and manipulating system windows.

Additionally, it can suspend the system, modify Windows registry values, and enumerate open windows, indicating a versatile command set for both espionage and system manipulation. The C2 server's command structure assigns a specific numeric identifier to each command it issues.

Last year, on-chain investigator Taylor Monahan highlighted an elaborate social engineering scam in which malware was distributed through fake job interviews, further underscoring the evolving tactics of cybercriminals targeting the crypto space.