Exploring the StilachiRAT Threat to the Crypto Industry

Microsoft has recently flagged a new malware threat known as StilachiRAT, a remote access trojan (RAT) that targets cryptocurrency wallets, particularly those integrated as extensions in the Google Chrome browser. First identified by Microsoft’s Incident Response Team in November 2024, this malware is designed to steal sensitive information, including credentials stored in the browser, digital wallet data, and clipboard contents. It specifically targets 20 popular cryptocurrency wallet extensions, such as MetaMask, Coinbase Wallet, Trust Wallet, Phantom, and OKX Wallet, among others.

StilachiRAT operates stealthily, employing sophisticated techniques to evade detection. It can scan a device for the presence of these wallet extensions, extract and decrypt saved credentials, and monitor clipboard activity to capture sensitive data like passwords and cryptocurrency keys. The malware also features anti-forensic capabilities, such as clearing event logs and checking for sandbox environments to avoid analysis, making it harder to detect and study. Once deployed, it communicates with a remote server to exfiltrate stolen data and can receive commands to further manipulate the infected system.

While Microsoft notes that StilachiRAT is not yet widely distributed, its stealth and adaptability pose a significant risk, especially given the rapid evolution of the malware ecosystem. The company has not identified the group or individuals behind this threat but is sharing the information to raise awareness and reduce potential victims. To protect against this and similar threats, Microsoft recommends using up-to-date antivirus software, enabling cloud-based anti-phishing and anti-malware protections, and exercising caution with browser extensions and clipboard usage, especially when handling wallet addresses or private keys.

While the exact initial infection vector isn’t fully detailed, StilachiRAT is likely distributed through common malware delivery methods such as phishing emails, malicious downloads, or compromised websites. Given its focus on browser extensions, it might exploit social engineering to trick users into installing it or leverage vulnerabilities in Chrome. Once on a system, it establishes persistence so that it remains active even after a reboot; the specific registry or startup modifications aren’t specified, but this is typical RAT behavior.

StilachiRAT specifically targets 20 popular cryptocurrency wallet extensions in Google Chrome, including MetaMask, Coinbase Wallet, Trust Wallet, Phantom, and OKX Wallet. It scans the system to detect the presence of these extensions. It extracts and decrypts credentials stored within these extensions, such as login details or session tokens, which users often save for convenience. This involves accessing Chrome’s local storage where extension data is kept (e.g., the encrypted password database).

The malware monitors the clipboard in real-time, capturing sensitive data like wallet addresses, private keys, or seed phrases when users copy and paste them during transactions. This is particularly dangerous as it doesn’t rely on direct extension compromise but exploits user behavior. StilachiRAT clears event logs on the infected system, erasing traces of its activities that could alert users or investigators. This makes forensic analysis more challenging.

It checks for signs of sandbox environments or virtual machines commonly used by security researchers to analyze malware. If detected, it may alter its behavior or shut down to avoid being studied. By not spreading widely, it reduces its visibility to antivirus vendors and threat intelligence systems, allowing it to operate under the radar during its early stages. The malware establishes a connection to a remote server controlled by the attackers. It sends stolen data—credentials, wallet keys, and clipboard contents—to this server for further exploitation.
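The behaviours described in the last three paragraphs (reading wallet-extension storage out of the Chrome profile, and clearing event logs to cover tracks) each leave host telemetry that a defender can alert on. The following is an added example, not code from the article or from Microsoft: two simple detection rules run over a few constructed telemetry records. The record shapes, the process name `svchost_update.exe` and the extension ID `exampleextensionid` are invented for the example; the Chrome profile paths (`Local Extension Settings`, `Login Data`) and the Windows event IDs 1102 and 104 (Security and System log cleared) and 4624 (successful logon) are real.

```python
"""Constructed detection rules for StilachiRAT-style behaviour: wallet-extension
data read by a non-browser process, and Windows event-log clearing."""
import re
from typing import Dict, List

# Windows event IDs written when a log is cleared: 1102 (Security) and 104 (System).
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Where Chrome keeps extension storage ("Local Extension Settings\<extension id>")
# and saved browser passwords ("Login Data"). The profile folder name (e.g. "Default")
# varies, so it is matched generically. No extension IDs are hard-coded: any
# extension's storage being opened by a foreign process is worth a look.
WALLET_DATA_PATH = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Local Extension Settings\\|Login Data$)",
    re.IGNORECASE,
)

# Processes expected to open those files. Anything else is flagged.
BROWSER_PROCESSES = {"chrome.exe"}


def detect(events: List[Dict]) -> List[Dict]:
    """Run both rules over a list of telemetry records and return the findings.

    Record shapes (constructed for this example, not a real sensor format):
      {"type": "file_access", "process": "x.exe", "path": "C:\\..."}
      {"type": "winlog", "event_id": 1102, "channel": "Security", "process": "x.exe"}
    """
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_access":
            foreign = ev.get("process", "").lower() not in BROWSER_PROCESSES
            if foreign and WALLET_DATA_PATH.search(ev.get("path", "")):
                findings.append({
                    "rule": "extension_data_access",
                    "process": ev["process"],
                    "path": ev["path"],
                })
        elif kind == "winlog" and ev.get("event_id") in LOG_CLEARED_EVENT_IDS:
            findings.append({
                "rule": "log_cleared",
                "channel": ev.get("channel"),
                "process": ev.get("process"),
            })
    return findings


# Constructed sample telemetry: two benign records and three that should fire.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    # The browser itself reading its own extension storage: normal.
    {"type": "file_access", "process": "chrome.exe",
     "path": PROFILE + r"\Local Extension Settings\exampleextensionid\000003.log"},
    # A hypothetical unrelated process reading the same extension storage: alert.
    {"type": "file_access", "process": "svchost_update.exe",
     "path": PROFILE + r"\Local Extension Settings\exampleextensionid\000003.log"},
    # The same process opening the saved-password database: alert.
    {"type": "file_access", "process": "svchost_update.exe",
     "path": PROFILE + r"\Login Data"},
    # An ordinary successful logon event: normal.
    {"type": "winlog", "event_id": 4624, "channel": "Security", "process": "lsass.exe"},
    # The Security log being cleared: alert.
    {"type": "winlog", "event_id": 1102, "channel": "Security", "process": "svchost_update.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the records would come from an EDR or Sysmon-style file-access feed and the Windows event log; the point of the second rule is that log clearing is itself a high-signal event, so forwarding logs off-host before they can be wiped preserves the evidence the malware is trying to erase.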

StilachiRAT can receive commands from the command-and-control (C2) server, enabling attackers to update its functionality, deploy additional payloads, or manipulate the infected system further (e.g., taking screenshots, logging keystrokes, or escalating privileges). It has the ability to decrypt data stored by Chrome extensions, likely by leveraging the same encryption keys Chrome uses (stored in the user’s profile and protected by the operating system’s credential manager). This requires a deep understanding of browser internals.

As a RAT, it’s likely built modularly, allowing attackers to adapt its capabilities over time, adding new features or refining its evasion tactics based on detection trends. Imagine a user with MetaMask installed who copies a wallet address to send cryptocurrency. StilachiRAT, already running silently, detects MetaMask, decrypts any saved login credentials, grabs the clipboard data (the address), and sends it all to the attacker’s server. Meanwhile, it wipes logs and checks if it’s being analyzed, ensuring it stays hidden.

If the attacker wants, they can then instruct it to steal more data or even lock the system. This combination of targeted theft, stealth, and adaptability makes StilachiRAT a potent threat, especially for crypto users who rely heavily on browser-based wallets. Microsoft’s advice—keeping antivirus updated, using cloud protections, and being cautious with extensions—aims to disrupt these techniques at various stages.
