Microsoft Uncovers StilachiRAT: A New Trojan Threatening Cryptocurrency Wallets on Google Chrome

GSj6...unxy
19 Mar 2025

In an era where digital assets are increasingly mainstream, the security of cryptocurrency wallets has become a prime target for cybercriminals. On March 17, 2025, Microsoft announced the discovery of a sophisticated new remote access trojan (RAT) dubbed StilachiRAT. This malware poses a significant threat to cryptocurrency users by targeting wallet extensions in the Google Chrome browser. With the ability to attack at least 20 popular extensions—including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Bitget Wallet, and Phantom—StilachiRAT is a wake-up call for anyone involved in the crypto space. In this blog, we’ll dive into what StilachiRAT is, how it operates, and the steps you can take to protect yourself from this emerging threat.

What is StilachiRAT?


StilachiRAT is a remote access trojan first identified by Microsoft’s Incident Response Team in November 2024. Unlike typical malware that might simply disrupt a system, a RAT like StilachiRAT is designed to infiltrate devices, steal sensitive data, and maintain persistent access—all while evading detection. What makes StilachiRAT particularly alarming is its focus on cryptocurrency wallets, a lucrative target given the high value and irreversible nature of crypto transactions.

The trojan specifically targets Google Chrome, one of the most widely used browsers globally, by scanning for and extracting data from 20 different cryptocurrency wallet extensions. These include some of the most popular wallets in the ecosystem: MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Bitget Wallet, Phantom, and others like TronLink, TokenPocket, and BNB Chain Wallet. Once installed, StilachiRAT can steal private keys, credentials, and other sensitive information, potentially draining a user’s digital assets in moments.


How Does StilachiRAT Work?


StilachiRAT’s sophistication lies in its multi-faceted approach to theft and evasion. According to Microsoft, the malware employs several advanced techniques:

  1. Credential Theft: It extracts usernames, passwords, and other credentials stored in Chrome, leveraging Windows APIs to decrypt this data from the browser’s local state file.
  2. Wallet Data Extraction: The trojan scans a device for the presence of specific wallet extensions and siphons configuration data, including private keys and seed phrases, which grant attackers full access to a user’s funds.
  3. Clipboard Monitoring: StilachiRAT watches the clipboard for copied content, such as wallet addresses or passwords, redirecting this information to attackers. This is particularly dangerous for users who copy and paste sensitive data during transactions.
  4. System Reconnaissance: Beyond wallets, it collects extensive system information—hardware identifiers, BIOS serial numbers, camera presence, and active Remote Desktop Protocol (RDP) sessions—building a detailed profile of the infected device.
  5. Evasion Tactics: The malware clears event logs to erase its tracks, delays connections to command-and-control (C2) servers by up to two hours, and checks for sandbox environments or forensic tools to avoid detection by security researchers.


StilachiRAT can operate as a standalone program or a Windows service, using watchdog threads to ensure its persistence. If its files are deleted, it recreates them from an internal copy, making it exceptionally difficult to remove without specialized tools.
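Two of the behaviours listed above (installing as a Windows service for persistence, then clearing event logs to erase tracks) leave a recognisable footprint in Windows event logs. As an added defender-side example, not code from the original post or from Microsoft's report, the helper below scans exported event records for that pattern; it assumes the standard Windows event IDs 1102 and 104 (Security/System log cleared) and 7045 (new service installed), and the records, service name and path are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard Windows event IDs (not taken from the post):
# 1102 = Security log cleared, 104 = System log cleared, 7045 = service installed.
LOG_CLEARED = {1102, 104}
SERVICE_INSTALLED = 7045


@dataclass
class Event:
    ts: datetime
    event_id: int
    message: str


# Constructed sample records; service name and file path are fictitious.
SAMPLE = [
    Event(datetime(2025, 3, 17, 9, 0), 4624, "An account was successfully logged on."),
    Event(datetime(2025, 3, 17, 9, 5), 7045,
          "A service was installed in the system. Service Name: UpdSvcHelper, "
          "Service File Name: C:\\ProgramData\\upd\\svc.exe"),
    Event(datetime(2025, 3, 17, 9, 6), 1102, "The audit log was cleared."),
    Event(datetime(2025, 3, 17, 9, 6), 104, "The System log file was cleared."),
]


def find_suspicious(events, window=timedelta(minutes=10)):
    """Flag every log-clearing event, and every service installation that is
    followed by a log clear within `window` (persist, then erase tracks)."""
    out = {"log_cleared": [], "service_then_clear": []}
    installs = [e for e in events if e.event_id == SERVICE_INSTALLED]
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id not in LOG_CLEARED:
            continue
        out["log_cleared"].append(e.event_id)
        for svc in installs:
            if timedelta(0) <= e.ts - svc.ts <= window:
                m = re.search(r"Service Name:\s*([^,]+)", svc.message)
                name = m.group(1).strip() if m else "<unknown>"
                if name not in out["service_then_clear"]:
                    out["service_then_clear"].append(name)
    return out


if __name__ == "__main__":
    print(find_suspicious(SAMPLE))
```

A log clear on its own is worth a look; a service install immediately followed by one is the pairing to escalate.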


The Scope of the Threat


While Microsoft has not yet attributed StilachiRAT to a specific threat actor or country, its capabilities suggest a high level of sophistication. The malware’s focus on 20 wallet extensions indicates a targeted approach, likely aimed at both individual crypto enthusiasts and larger players in the ecosystem. Popular wallets like MetaMask (used widely for Ethereum-based transactions), Coinbase Wallet (a gateway to decentralized finance), and Trust Wallet (Binance’s official wallet) serve millions of users, amplifying the potential impact.

Fortunately, Microsoft notes that StilachiRAT is not yet widespread. However, its stealthy nature and the evolving tactics of cybercriminals mean that its reach could grow rapidly if not addressed. The cryptocurrency space has long been a hotspot for malware—think of past threats like clipboard hijackers or phishing campaigns—but StilachiRAT’s ability to combine wallet theft with anti-forensic measures marks it as a formidable new contender.


Protecting Yourself from StilachiRAT


The discovery of StilachiRAT underscores the importance of proactive security in the crypto world. Here are actionable steps you can take to safeguard your digital assets:

  • Never Copy/Paste Private Keys: Private keys and seed phrases are the keys to your crypto kingdom. Avoid copying them to your clipboard, as StilachiRAT can intercept this data. Instead, write them down physically or use secure methods to transfer them when absolutely necessary.


  • Avoid Random Links and Untrusted Software: StilachiRAT’s delivery method isn’t fully clear, but many RATs spread through phishing links, malicious downloads, or fake software updates. Be cautious about what you click—stick to official websites and verified sources for all downloads.


  • Watch for Suspicious Prompts: Be on guard for unexpected pop-ups, permissions requests, or browser prompts that seem out of place. These could be attempts by malware to gain access to your system or extensions.


  • Keep Your System and Browser Updated: Regularly update your operating system (Windows, macOS, etc.) and Google Chrome to patch vulnerabilities that malware like StilachiRAT might exploit. Outdated software is a common entry point for attackers.


  • Use a Password Manager: Storing passwords in plain text or in your browser is risky, especially with StilachiRAT’s ability to extract browser credentials. Tools like 1Password or LastPass encrypt your passwords and keep them out of reach of such threats.


  • Opt for Hardware Wallets: For maximum security, consider moving your crypto to a hardware wallet like a Ledger or Trezor. These devices store your private keys offline, making them immune to browser-based attacks like StilachiRAT.


  • Leverage Microsoft Defender and Additional Antivirus: Ensure Microsoft Defender—Windows’ built-in security tool—is up to date and running in real-time protection mode. For added safety, install and regularly scan with a reputable third-party antivirus program to catch threats that might slip through.



The Bigger Picture: Crypto Security in 2025


StilachiRAT’s emergence reflects a broader trend: as cryptocurrency adoption grows, so does the sophistication of cyber threats targeting it. The decentralized, pseudonymous nature of blockchain technology makes it an attractive target—once funds are stolen, they’re often gone for good. Microsoft’s disclosure is a proactive step to alert users and mitigate the trojan’s impact before it scales, but it also highlights the need for constant vigilance.

For Chrome users, this threat is a reminder that browser extensions, while convenient, can be a weak link. Wallet extensions integrate seamlessly with decentralized apps (dApps) and exchanges, but they also expose sensitive data to potential exploits. Balancing usability and security will remain a challenge as the crypto ecosystem evolves.


What’s Next?


Microsoft continues to investigate StilachiRAT, and further details—such as its origin or infection vectors—may emerge in the coming weeks. In the meantime, the company urges users to adopt “security hardening measures” to prevent initial compromise. This includes enabling features like SmartScreen (to block malicious sites) and being cautious about software sources.

For crypto holders, the message is clear: don’t wait for a breach to act. StilachiRAT may not be rampant yet, but its capabilities signal a new wave of threats that could catch the unprepared off guard. By following the steps outlined above, you can significantly reduce your risk and keep your digital assets secure.


Takeaway


The discovery of StilachiRAT by Microsoft is a stark reminder of the cat-and-mouse game between cybersecurity experts and cybercriminals. Targeting 20 cryptocurrency wallet extensions in Google Chrome, this trojan combines stealth, persistence, and precision to threaten users’ financial security. While it’s not yet a mass-scale problem, its potential to disrupt the crypto community is undeniable.

By staying informed and implementing robust security practices—avoiding risky behaviors, updating your tools, and using hardware wallets—you can protect yourself from StilachiRAT and similar threats. As we move deeper into 2025, the stakes in the crypto world are higher than ever. Stay vigilant, and keep your assets safe.




Thank you for reading.
