TLDR
- Microsoft discovered StilachiRAT, a new remote access trojan targeting cryptocurrency wallets and credentials
- The malware targets 20 different crypto wallet extensions in Google Chrome, including MetaMask, Trust Wallet, and Coinbase Wallet
- StilachiRAT can steal browser credentials, monitor clipboard content, and evade detection using anti-forensic techniques
- The malware communicates with command-and-control servers to exfiltrate data and execute commands
- Microsoft has not attributed StilachiRAT to any specific threat actor and reports it does not yet have widespread distribution
A new type of malware called StilachiRAT has been found by Microsoft. This remote access trojan can steal information from crypto wallets and browsers. Microsoft’s team found it in November 2024.
StilachiRAT is designed to steal data from computers. It can take passwords saved in browsers and information from digital wallets. The malware can also copy data from the clipboard and gather system details.
Microsoft found the malware last year. The dangerous code is in a file called “WWStartupCtrl64.dll.” Right now, experts don’t know which hackers created this malware or which country they’re from.
It’s not clear how victims get infected with StilachiRAT. Microsoft notes that trojans like this can get on computers in many ways. This makes it important for companies to have good security measures in place.
The malware collects a lot of information about the infected computer. It gathers details about the operating system, hardware IDs like BIOS serial numbers, and information about cameras. It also checks for active Remote Desktop connections and running applications.
StilachiRAT uses standard Windows mechanisms to gather this information. It collects the data through Component Object Model (COM) interfaces, querying Windows Management Instrumentation (WMI) with WMI Query Language (WQL).
Crypto Wallets in Google Chrome
The trojan targets crypto wallet extensions in Google Chrome. It looks for 20 different wallet extensions including popular ones like Bitget Wallet, Trust Wallet, TronLink, and MetaMask. It also targets Coinbase Wallet and OKX Wallet.
The malware gets into Chrome’s stored passwords. It regularly copies clipboard content looking for passwords and wallet information. It also watches Remote Desktop sessions and sends the collected data to a server controlled by hackers.
The hackers can send commands to infected computers. StilachiRAT supports 10 different types of commands. These include showing dialog boxes, clearing event logs, and shutting down the system.
Other commands let hackers control network connections. They can make new connections, accept incoming connections, or stop existing ones. The malware can also launch applications and look for specific windows on the desktop.
Hiding its Tracks
Microsoft warns that StilachiRAT tries to hide its tracks. It clears event logs and checks for analysis tools. It also has features to avoid detection in virtual environments that security researchers often use.
The malware has two server addresses it uses for communication. These are “app.95560.cc” and “194.195.89.47.” It connects to them over TCP on port 53, 443, or 16000, choosing one of the three at random.
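A defender can turn the two server addresses and three ports above into a simple network-log check. The script below is an added example, not code from Microsoft or the original article; the “key=value” firewall log format and the sample lines are constructed for illustration, and the host/IP match is treated as the primary signal because ports 53 and 443 on their own are far too common to alert on.

```python
import re
from dataclasses import dataclass

# Network indicators quoted in the report text.
C2_HOSTS = {"app.95560.cc", "194.195.89.47"}
C2_PORTS = {53, 443, 16000}

# Constructed sample log lines (not real telemetry); the key=value format is an assumption.
SAMPLE_LOGS = """\
ts=2025-03-17T10:01:02Z src=10.0.0.12 dst=194.195.89.47 dport=16000 proto=tcp host=-
ts=2025-03-17T10:01:05Z src=10.0.0.12 dst=172.217.16.14 dport=443 proto=tcp host=www.google.com
ts=2025-03-17T10:02:11Z src=10.0.0.33 dst=23.45.67.89 dport=443 proto=tcp host=app.95560.cc
ts=2025-03-17T10:03:40Z src=10.0.0.33 dst=10.0.0.2 dport=53 proto=udp host=-
ts=2025-03-17T10:04:01Z src=10.0.0.45 dst=194.195.89.47 dport=53 proto=tcp host=-
""".splitlines()

LINE_RE = re.compile(r"(\w+)=(\S+)")

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    reason: str

def parse_line(line):
    """Split a key=value log line into a dict."""
    return dict(LINE_RE.findall(line))

def check_connection(fields):
    """Return an Alert if the connection matches a StilachiRAT indicator, else None."""
    dst = fields.get("dst", "")
    host = fields.get("host", "")
    dport = int(fields.get("dport", 0))
    # Host or IP match is the real signal; the port set alone would drown in normal DNS/HTTPS traffic.
    if dst in C2_HOSTS or host in C2_HOSTS:
        reason = "known C2 host/IP"
        if fields.get("proto") == "tcp" and dport in C2_PORTS:
            reason += f" on reported TCP port {dport}"
        return Alert(fields.get("src", "?"), host if host != "-" else dst, dport, reason)
    return None

def scan(lines):
    """Run the indicator check over every log line and collect the alerts."""
    return [a for a in (check_connection(parse_line(l)) for l in lines) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

The UDP DNS lookup to the internal resolver on port 53 is deliberately left unflagged, which is the distinction an analyst wants when tuning a rule like this.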
StilachiRAT has ways to stay on infected computers. It can run as a Windows service or a standalone program. In both cases, it makes sure it doesn’t get removed easily.
A monitoring thread checks for the malware files. If they get deleted, the files can be recreated from an internal copy saved during setup. The Windows service component can also be recreated by changing registry settings.
The trojan watches Remote Desktop sessions. It captures information about active windows and can impersonate logged-on users. This is especially dangerous on servers with active administrator sessions, as it could help the attackers move laterally through the network.
StilachiRAT keeps track of what users are doing. It monitors active windows, their titles, and file locations. This information gets sent to the hackers’ server, letting them watch user behavior.
The malware constantly checks clipboard data. It looks for passwords, cryptocurrency keys, and personal information. It uses specific search patterns to find cryptocurrency credentials, especially those related to the Tron blockchain.
Who Created It?
Microsoft says it doesn’t know who created StilachiRAT. The company says the malware isn’t widely spread right now. But because of how sneaky it is and how quickly malware changes, Microsoft is sharing this information to help protect users.
To stay safe from this type of malware, Microsoft recommends several steps. Users should only download software from official websites. They should use browsers with protection features like Microsoft Edge with SmartScreen.
Organizations with Microsoft 365 should turn on Safe Links and Safe Attachments. These features protect against malicious links and attachments in emails. Companies should also use network protection in Microsoft Defender to block dangerous websites.
Microsoft Defender can detect StilachiRAT as “TrojanSpy:Win64/Stilachi.A.” The security software can also alert users about suspicious activities that might indicate this threat.
The discovery comes as crypto crimes continue to be a problem. According to blockchain security firm CertiK, losses to crypto scams, hacks, and exploits reached nearly $1.53 billion in February 2025 alone.
Chainalysis reported in its 2025 Crypto Crime Report that the crypto crime landscape has become more professional. It now features AI-driven scams, stablecoin laundering, and efficient cybercriminal groups, with about $51 billion in illegal transactions in the past year.