StilachiRAT: Microsoft sounds alarm on stealthy malware targeting crypto wallets and credentials
By willowt // 2025-03-20
 
  • Microsoft uncovered a sophisticated remote access trojan (RAT) named StilachiRAT, designed to steal sensitive data, including credentials and cryptocurrency wallet information. It targets 20 popular Chrome wallet extensions like MetaMask and Coinbase Wallet.
  • StilachiRAT uses a DLL module ("WWStartupCtrl64.dll") to steal Chrome credentials, monitor clipboard activity and extract data from targeted crypto wallets. It also gathers system information and employs advanced evasion techniques, such as clearing event logs and detecting sandbox environments.
  • The malware highlights the increasing sophistication of crypto-related cybercrime, with illicit transactions reaching $51 billion in 2025. StilachiRAT exemplifies the evolving threat landscape, targeting wallet extensions and siphoning digital assets.
  • Microsoft advises robust cybersecurity measures, including antivirus software, cloud-based anti-malware tools and regular system updates. Crypto users are urged to avoid browser-based wallets, use hardware wallets and refrain from copying sensitive information like private keys.
  • StilachiRAT is part of a larger trend of advanced malware targeting the crypto industry. Microsoft emphasizes the importance of vigilance and proactive defenses as cybercriminals continue to innovate and escalate their tactics.
In a stark warning to cryptocurrency users and organizations, Microsoft has uncovered a sophisticated remote access trojan (RAT) dubbed StilachiRAT, designed to steal sensitive data, including credentials and cryptocurrency wallet information. The malware, first detected in November 2024, targets 20 popular cryptocurrency wallet extensions for Google Chrome, such as MetaMask, Coinbase Wallet and Trust Wallet. Microsoft’s Incident Response Team revealed the discovery in a March 17 blog post, emphasizing the malware’s advanced evasion techniques and potential to cause significant financial harm. The disclosure comes amid a surge in crypto-related cybercrime, with losses from scams, exploits and hacks reaching nearly $1.53 billion in February 2025 alone, according to blockchain security firm CertiK. As the crypto ecosystem grows, so too does the sophistication of cybercriminals, with StilachiRAT exemplifying the evolving threat landscape.

How StilachiRAT operates

StilachiRAT is no ordinary malware. Its capabilities extend far beyond simple data theft. According to Microsoft, the malware’s core functionality resides in a DLL module named "WWStartupCtrl64.dll," which enables it to steal credentials stored in Google Chrome, monitor clipboard activity for sensitive information like passwords and crypto keys, and extract data from 20 targeted cryptocurrency wallet extensions. “Analysis of the StilachiRAT’s WWStartupCtrl64.dll module revealed the use of various methods to steal information from the target system,” Microsoft said. The malware can also gather extensive system information, including hardware identifiers, active Remote Desktop Protocol (RDP) sessions and running applications.

One of StilachiRAT’s most concerning features is its ability to evade detection. The malware clears event logs and checks for signs it’s running in a sandbox environment, a common tool used by cybersecurity researchers to analyze malicious software. This anti-forensic behavior makes it particularly difficult to detect and analyze.
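As an added illustration (not Microsoft's tooling and not code from the original article), the Python hunting snippet below flags the two anti-forensic traces the text describes: Windows event-log clearing (Security event 1102 and System event 104, both written by the Microsoft-Windows-Eventlog provider) and the presence of the reported module name WWStartupCtrl64.dll among loaded or on-disk modules. The event records and module paths are constructed sample data.

```python
"""Constructed threat-hunting example for the StilachiRAT indicators
described above: event-log clearing and the WWStartupCtrl64.dll name."""
from dataclasses import dataclass

# Windows records a log wipe as Security 1102 / System 104 (provider Microsoft-Windows-Eventlog).
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
# Module name Microsoft reported for StilachiRAT's core functionality.
SUSPECT_MODULES = {"wwstartupctrl64.dll"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "log_cleared" or "suspect_module"
    detail: str


def hunt_events(events):
    """Return a Finding for each log-clearing event (dicts with channel/event_id/provider/message)."""
    findings = []
    for ev in events:
        if (ev["channel"], ev["event_id"]) in LOG_CLEARED_EVENTS \
                and ev["provider"] == "Microsoft-Windows-Eventlog":
            findings.append(Finding("log_cleared",
                                    f"{ev['channel']} log cleared (event {ev['event_id']}): {ev['message']}"))
    return findings


def hunt_modules(module_paths):
    """Return a Finding for each path whose basename matches a suspect module, case-insensitively."""
    findings = []
    for path in module_paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SUSPECT_MODULES:
            findings.append(Finding("suspect_module", path))
    return findings


# Constructed sample input: one benign logon, two log wipes, one app crash; three module paths.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing", "message": "An account was successfully logged on."},
    {"channel": "Security", "event_id": 1102, "provider": "Microsoft-Windows-Eventlog", "message": "The audit log was cleared."},
    {"channel": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog", "message": "The System log file was cleared."},
    {"channel": "Application", "event_id": 1000, "provider": "Application Error", "message": "Faulting application name: notepad.exe"},
]
SAMPLE_MODULES = [r"C:\Windows\System32\kernel32.dll", r"C:\Users\Public\WWStartupCtrl64.dll", r"C:\Windows\System32\ntdll.dll"]


def run_hunt(events=SAMPLE_EVENTS, modules=SAMPLE_MODULES):
    """Combine both checks; on a real host feed it exported EVTX records and a module list."""
    return hunt_events(events) + hunt_modules(modules)


if __name__ == "__main__":
    for finding in run_hunt():
        print(f"[{finding.kind}] {finding.detail}")
```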

A growing threat to crypto users

The rise of StilachiRAT underscores the increasing professionalization of crypto-related cybercrime. Blockchain analytics firm Chainalysis reported in its 2025 Crypto Crime Report that illicit transaction volume reached $51 billion in the past year, driven by AI-driven scams, stablecoin laundering and efficient cyber syndicates.

StilachiRAT’s ability to target cryptocurrency wallets is particularly alarming. The malware scans devices for the presence of 20 specific wallet extensions, including MetaMask, Trust Wallet and OKX Wallet. Once installed, it can siphon off digital assets by extracting wallet data and monitoring clipboard activity for crypto keys.

Microsoft has not yet attributed StilachiRAT to any specific threat actor or geographic region, and its distribution appears to be limited for now. However, the tech giant warns that the malware’s stealth capabilities and versatility make it a significant threat. “Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time,” the company said. “However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze and report on the evolving threat landscape.”

Protecting against StilachiRAT and similar threats

To mitigate the risk of falling victim to StilachiRAT and similar malware, Microsoft recommends implementing robust cybersecurity measures. These include using antivirus software, cloud-based anti-phishing and anti-malware components, and regularly updating systems to patch vulnerabilities.

For cryptocurrency users, additional precautions are essential. Experts advise against storing large amounts of crypto in browser-based wallets, opting instead for hardware wallets that are less susceptible to remote attacks. Users should also avoid copying and pasting sensitive information like private keys, as StilachiRAT actively monitors clipboard activity.

A broader trend in cybercrime

StilachiRAT is part of a broader trend of increasingly sophisticated malware targeting cryptocurrency users. Earlier this year, Palo Alto Networks Unit 42 detailed three unusual malware samples, including a passive Internet Information Services (IIS) backdoor and a bootkit that installs a GRUB 2 bootloader. These discoveries highlight the growing creativity and technical prowess of cybercriminals.

As the crypto industry continues to expand, so too will the threats it faces. Microsoft’s disclosure of StilachiRAT serves as a timely reminder of the importance of vigilance and proactive cybersecurity measures. For now, the battle against cybercrime remains a cat-and-mouse game, with attackers constantly innovating and defenders racing to keep up. In the words of Microsoft’s Incident Response Team, “We are sharing these findings as part of our ongoing efforts to monitor, analyze and report on the evolving threat landscape.” For cryptocurrency users and organizations alike, staying informed and prepared is the best defense against the next StilachiRAT.

Sources include: CoinTelegraph.com, TheRecord.com, TheHackerNews.com