Alert! Microsoft Detects New Trojan Targeting Crypto Wallets

Crypto News - Posted on 19 March 2025 - Reading time: 5 minutes

Microsoft Discovers StilachiRAT Malware, a New Threat to Crypto Users

Microsoft has recently identified a new remote access trojan (RAT) named StilachiRAT, designed to steal cryptocurrency wallet data, login credentials, and system information.

According to Microsoft’s official statement on Monday (March 17, 2025), StilachiRAT was first detected in November 2024 and employs stealth techniques and anti-forensic strategies to evade detection. So far, Microsoft has not linked this malware to any specific hacker group, but cybersecurity experts warn that StilachiRAT poses a significant risk, especially for users in the crypto ecosystem.

Targeting Crypto Wallets and Login Credentials

StilachiRAT is capable of stealing data from over 20 cryptocurrency wallet extensions on Google Chrome, including MetaMask, Trust Wallet, and Coinbase Wallet. With this access, hackers can gain control over victims’ crypto funds.

Additionally, the malware can decrypt saved passwords in Chrome, allowing attackers to log into accounts without requiring re-entry of credentials. StilachiRAT also monitors clipboard activity, searching for sensitive financial data such as crypto wallet addresses or banking information.

Even more concerning, StilachiRAT enables remote control over infected devices. The malware communicates through TCP ports 53, 443, and 16000, allowing attackers to send direct commands via a command-and-control (C2) server. This poses an even greater threat in corporate environments, where the malware can monitor Remote Desktop Protocol (RDP) sessions, duplicate security tokens, and spread laterally within internal networks to infect additional devices.

Advanced Evasion Techniques

One of StilachiRAT’s most dangerous features is its ability to persist within the system even after detection and removal. It employs various persistence techniques, such as modifying Windows service settings to remain active after a restart and launching watchdog threads that reinstall the malware if removed.

To hinder forensic investigations, StilachiRAT deletes system logs to erase traces of its activity, disguises API calls to bypass security software detection, and delays its connection to the C2 server for two hours to avoid immediate detection after infection. If the malware detects security analysis tools like tcpview.exe, it automatically terminates its execution, making investigation even more difficult.

Microsoft’s Mitigation Strategies

To combat this threat, Microsoft recommends several mitigation measures, including:

  • Downloading software only from official sources, as malware often disguises itself as legitimate applications.
  • Enabling network protection in Microsoft Defender for Endpoint, to detect and block malicious communications associated with StilachiRAT.
  • Activating Safe Links and Safe Attachments in Microsoft 365, to prevent malware distribution through phishing attacks.

Additionally, cybersecurity teams across organizations are advised to closely monitor network traffic and check for any suspicious system modifications. Microsoft has also updated Defender XDR to detect StilachiRAT activity and emphasized the importance of monitoring unusual network connections.

While StilachiRAT has not yet been detected on a large scale, Microsoft warns that this threat could continue evolving, as hackers refine their techniques to bypass security systems. The company assured that it will actively monitor this threat and provide updates via its Threat Intelligence Blog.

Source: coinvestasi.com
