Microsoft uncovers new trojan targeting crypto wallet extensions on chrome
Microsoft researchers have identified a new remote access trojan (RAT) named StilachiRAT, designed to steal cryptocurrency wallet data, credentials, and system information while maintaining persistent access to compromised devices, the company disclosed on March 17.
The malware, first detected in November 2024, employs stealth techniques and anti-forensic measures to evade detection.
While Microsoft has not yet attributed StilachiRAT to a known threat actor, security experts warn that its capabilities could pose a significant cybersecurity risk, particularly to users handling crypto.
Sophisticated threat
StilachiRAT is capable of scanning for and extracting data from 20 different cryptocurrency wallet extensions in Google Chrome, including MetaMask, Trust Wallet, and Coinbase Wallet, allowing attackers to access stored funds.
Additionally, the malware decrypts saved Chrome passwords, monitors clipboard activity for sensitive financial data, and establishes remote command-and-control (C2) connections via TCP ports 53, 443, and 16000 to execute commands on infected machines.
The RAT also monitors active Remote Desktop Protocol (RDP) sessions, impersonates users by duplicating security tokens, and enables lateral movement across networks — an especially dangerous feature for enterprise environments.
Persistence mechanisms include modifying Windows service settings and launching watchdog threads to reinstate itself if removed.
To further evade detection, StilachiRAT clears system event logs, disguises API calls, and delays its initial connection to C2 servers by two hours. It also searches for analysis tools such as tcpview.exe and halts execution if they are present, making forensic analysis more difficult.
Mitigation strategies and response
Microsoft advised users to download software only from official sources, as malware like StilachiRAT can masquerade as legitimate applications.
The company also recommended enabling network protection in Microsoft Defender for Endpoint and activating Safe Links and Safe Attachments in Microsoft 365 to guard against phishing-based malware distribution.
Microsoft Defender XDR has been updated to detect StilachiRAT activity. Security professionals are urged to monitor network traffic for unusual connections, inspect system modifications, and track unauthorized service installations that could indicate an infection.
While Microsoft has not observed widespread distribution of StilachiRAT, the company warned that threat actors frequently evolve their malware to bypass security measures. Microsoft said it is continuing to monitor the threat and will provide further updates through its Threat Intelligence Blog.
The post Microsoft uncovers new trojan targeting crypto wallet extensions on chrome appeared first on CryptoSlate.
