Microsoft Warns of New RAT Targeting Crypto Wallets


Microsoft has identified a new remote access trojan (RAT) designed to target cryptocurrency assets stored in 20 different wallet extensions for the Google Chrome browser.

In a blog post published on March 17, Microsoft’s Incident Response Team revealed that the malware—dubbed StilachiRAT—was initially detected in November. This malicious software is capable of stealing sensitive data, including browser-stored credentials, digital wallet details, and information copied to the clipboard.

Once deployed, attackers can use StilachiRAT to harvest crypto wallet data by searching for configuration files associated with 20 popular crypto wallet extensions, such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet.


[Image omitted. Source: Microsoft]

Microsoft explained, “Our analysis of StilachiRAT’s WWStartupCtrl64.dll module, which houses its RAT functions, uncovered a range of techniques it uses to exfiltrate data from compromised systems.”

In addition to its ability to extract saved credentials from Chrome’s local state file, the malware can also monitor clipboard activity to intercept sensitive data like passwords and cryptocurrency keys.
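The two artefacts named above, Chrome's "Local State" file and the per-extension storage of wallet extensions, are ordinary files on disk, so a defender can watch for processes other than Chrome reading them. The following is an added example, not code from Microsoft's post or from this article: a small Python detector that runs over constructed file-access audit records (Windows Security event 4663 reduced to JSON lines; the field names are a simplification I chose) and flags non-Chrome processes reading either artefact. The Chrome paths are the standard Windows locations; the MetaMask extension ID is its Chrome Web Store ID, and the other entry in the watchlist is a placeholder, since the article does not list the 20 extension IDs. Clipboard monitoring is not covered here because Windows does not natively log clipboard reads.

```python
import json
import ntpath
import re
from dataclasses import dataclass

# Standard Chrome-on-Windows locations of the two artefacts the article mentions.
LOCAL_STATE_RE = re.compile(r"\\Google\\Chrome\\User Data\\Local State$", re.IGNORECASE)
EXT_SETTINGS_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Local Extension Settings\\([a-p]{32})",
    re.IGNORECASE,
)

# Watchlist of wallet extension IDs (Chrome extension IDs are 32 letters a-p).
# MetaMask's ID is its Chrome Web Store ID; the second entry is a constructed
# placeholder. The remaining IDs from Microsoft's list are not in the article
# and would be added by the defender.
WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "a" * 32: "placeholder-wallet",
}

# Chrome itself reads these files constantly, so it is the only expected reader.
ALLOWED_PROCESSES = {"chrome.exe"}


@dataclass
class Finding:
    process: str
    artefact: str
    detail: str


def classify_object(path):
    """Return (artefact, detail) if the path is a watched Chrome artefact, else None."""
    if LOCAL_STATE_RE.search(path):
        return ("chrome_local_state", "holds the key protecting saved credentials")
    m = EXT_SETTINGS_RE.search(path)
    if m:
        ext_id = m.group(1).lower()
        if ext_id in WALLET_EXTENSIONS:
            return ("wallet_extension_storage", WALLET_EXTENSIONS[ext_id])
    return None


def analyse(events):
    """Flag 4663 read events on watched artefacts by processes other than Chrome."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("event_id") != 4663 or "Read" not in ev.get("access", ""):
            continue
        hit = classify_object(ev.get("object", ""))
        if hit is None:
            continue
        if ntpath.basename(ev.get("process", "")).lower() in ALLOWED_PROCESSES:
            continue
        findings.append(Finding(ev["process"], hit[0], hit[1]))
    return findings


# Constructed sample records: one benign Chrome read, two suspicious reads by a
# process in %TEMP%, one unrelated file, and one non-watched extension.
_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
_TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    json.dumps({"event_id": 4663, "access": "ReadData",
                "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "object": _PROFILE + r"\Local State"}),
    json.dumps({"event_id": 4663, "access": "ReadData", "process": _TEMP_EXE,
                "object": _PROFILE + r"\Local State"}),
    json.dumps({"event_id": 4663, "access": "ReadData", "process": _TEMP_EXE,
                "object": _PROFILE + r"\Default\Local Extension Settings"
                          r"\nkbihfbeogaeaoehlefnkodbefgpgknn\000003.log"}),
    json.dumps({"event_id": 4663, "access": "ReadData",
                "process": r"C:\Windows\explorer.exe",
                "object": r"C:\Users\alice\Documents\notes.txt"}),
    json.dumps({"event_id": 4663, "access": "ReadData", "process": _TEMP_EXE,
                "object": _PROFILE + r"\Default\Local Extension Settings\\"
                          + "b" * 32 + r"\CURRENT"}),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.process} read {f.artefact} ({f.detail})")
```

Run against the constructed records, the detector reports the two reads by the process in %TEMP% and ignores Chrome's own access, the unrelated document, and the extension that is not on the watchlist. In production the allowlist would also need backup agents and similar legitimate readers, and the watchlist would carry the full set of wallet extension IDs present in the estate.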


[Image omitted. Source: Web3Universe]

Microsoft's findings indicate that StilachiRAT utilizes advanced evasion techniques, making it particularly dangerous. While the malware's distribution is not yet considered widespread, its stealth capabilities necessitate heightened vigilance.

To mitigate the risks associated with this threat, Microsoft recommends implementing robust security hardening measures. Users are advised to exercise caution when downloading software, particularly from untrusted sources, and to maintain up-to-date security software. Furthermore, it is important to be aware of the dangers of malicious browser extensions.
