Researchers at Microsoft have uncovered a new remote access trojan (RAT) called StilachiRAT, which is specifically designed to steal cryptocurrency wallet information, credentials, and system data while ensuring continued access to compromised devices. This information was shared publicly on March 17.
The malware was initially detected in November 2024 and utilizes stealth tactics along with anti-forensic strategies to avoid detection.
Although StilachiRAT has not yet been linked to any specific threat actor, security professionals caution that its capabilities could represent a significant cybersecurity threat, particularly for individuals who handle cryptocurrency.
Advanced Threat
StilachiRAT can scan and extract data from 20 different cryptocurrency wallet extensions used in Google Chrome, such as MetaMask, Trust Wallet, and Coinbase Wallet, giving attackers the ability to access stored funds.
In addition, the malware decrypts saved Chrome passwords, observes clipboard activity for sensitive financial information, and sets up remote command-and-control (C2) connections via TCP ports 53, 443, and 16000 to execute instructions on infected systems.
This RAT also tracks active Remote Desktop Protocol (RDP) sessions, impersonates users by replicating security tokens, and facilitates lateral movement within networks — posing a particularly serious risk in enterprise settings.
For persistence, the malware alters Windows service configurations and launches monitoring threads that reinstate it if it is removed.
To evade detection, StilachiRAT clears system event logs, camouflages API calls, and postpones its initial connection to C2 servers for two hours. It also looks for analysis tools like tcpview.exe and halts operation if they are detected, complicating forensic investigations.
Prevention and Response
Users are advised to download software solely from official outlets, as threats like StilachiRAT can present themselves as genuine applications.
Furthermore, it is recommended to activate network protection in Microsoft Defender for Endpoint and to turn on Safe Links and Safe Attachments in Microsoft 365 to protect against phishing-driven malware distribution.
Microsoft Defender XDR has been enhanced to identify StilachiRAT activity. Security experts are encouraged to monitor network traffic for unusual connections, examine system changes, and track unauthorized service installations that could signal an infection.
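As an added example (not code from Microsoft's report or from this article), the following Python script turns the monitoring advice above into a small correlation check over a few constructed telemetry lines: it flags outbound connections to the one uncommon C2 port the article names (TCP 16000), new service installations, and cleared event logs, and lists hosts that show more than one of these. The log format, hostnames and addresses are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample telemetry for this example (not real logs); one event per line:
# "<time> <host> <source> key=value ...". host-a shows the behaviours the article
# lists, host-b shows only ordinary HTTPS traffic.
SAMPLE_EVENTS = [
    "2025-03-17T09:00:01 host-a net proto=tcp dst=203.0.113.10 dport=443",
    "2025-03-17T09:00:05 host-a net proto=tcp dst=203.0.113.10 dport=16000",
    "2025-03-17T09:01:10 host-a svc action=installed name=UpdaterSvc",
    "2025-03-17T09:02:00 host-a log action=cleared channel=System",
    "2025-03-17T09:03:00 host-b net proto=tcp dst=198.51.100.5 dport=443",
]

# TCP 16000 is the only uncommon port among those the article attributes to the
# C2 channel; 53 and 443 are far too common to flag on their own.
UNUSUAL_C2_PORTS = {"16000"}


def parse_event(line: str) -> dict:
    """Split one telemetry line into its fixed fields plus key=value pairs."""
    time, host, source, *pairs = line.split()
    fields = {"time": time, "host": host, "source": source}
    fields.update(p.split("=", 1) for p in pairs if "=" in p)
    return fields


def indicators_by_host(lines: List[str]) -> Dict[str, List[str]]:
    """Map each host to the StilachiRAT-style indicators seen in its events."""
    found = defaultdict(list)
    for ev in map(parse_event, lines):
        host, src = ev["host"], ev["source"]
        if src == "net" and ev.get("dport") in UNUSUAL_C2_PORTS:
            found[host].append(f"outbound tcp/{ev['dport']} to {ev['dst']}")
        elif src == "svc" and ev.get("action") == "installed":
            found[host].append(f"new service {ev.get('name')}")
        elif src == "log" and ev.get("action") == "cleared":
            found[host].append(f"event log cleared ({ev.get('channel')})")
    return dict(found)


def suspicious_hosts(lines: List[str], min_indicators: int = 2) -> List[str]:
    """Hosts with at least min_indicators indicators, worth a triage look."""
    return sorted(h for h, inds in indicators_by_host(lines).items()
                  if len(inds) >= min_indicators)


if __name__ == "__main__":
    for host, inds in indicators_by_host(SAMPLE_EVENTS).items():
        print(host, inds)
    print("triage:", suspicious_hosts(SAMPLE_EVENTS))
```

A single new service or a single connection to 443 is not flagged on its own; the value is in the combination on one host, which is what the article's indicators describe.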
Although widespread distribution of StilachiRAT has not yet been observed, Microsoft warns that threat actors often adapt their malware to circumvent security defenses. The company is actively tracking the threat and will continue to update the public through its Threat Intelligence Blog.