Block News International


Microsoft uncovers New Crypto-Stealing Malware Targeting Digital Wallets

Staff Writer
Mar. 19, 2025
In a recent cybersecurity alert, Microsoft's Incident Response Team has identified a sophisticated remote access trojan (RAT) named StilachiRAT, specifically engineered to target cryptocurrency wallet extensions within the Google Chrome browser. First detected in November 2024, this malware poses significant risks to users by extracting sensitive information, including credentials and digital wallet data.
StilachiRAT, a remote access trojan (RAT), allows cybercriminals to infiltrate and target crypto wallets. (Image Source: Shutterstock)

StilachiRAT exhibits a range of functionalities that enable cybercriminals to infiltrate and exploit compromised systems. It can retrieve credentials stored in the Google Chrome local state file, granting attackers unauthorized access to various accounts. The malware actively monitors clipboard activity to capture sensitive information such as passwords and cryptocurrency keys, which are often copied and pasted by users during transactions. It also collects comprehensive system data, including hardware identifiers, presence of cameras, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications, allowing attackers to profile and prioritize targets.

To ensure continued operation, StilachiRAT uses watchdog threads that monitor its binaries, automatically reinstalling components if they are terminated or removed. Additionally, its advanced anti-forensic features enable it to clear event logs and detect sandbox environments, hindering analysis and detection efforts by security professionals.

Targeted Cryptocurrency Wallet Extensions

Upon deployment, StilachiRAT scans the compromised system for any of 20 specific cryptocurrency wallet extensions installed in the Chrome browser. Notable targets include:

  • Coinbase Wallet: A widely used wallet for storing and managing various cryptocurrencies.
  • Trust Wallet: A versatile wallet supporting multiple cryptocurrencies and tokens.
  • MetaMask: A popular Ethereum wallet that also serves as a gateway to decentralized applications.
  • OKX Wallet: A wallet associated with the OKX cryptocurrency exchange, offering storage and trading functionalities.

By targeting these extensions, attackers aim to access and drain funds from victims' cryptocurrency wallets.

To mitigate StilachiRAT and similar threats, users should deploy reputable security solutions. (Image: Shutterstock)

Current Distribution and Attribution

As of now, StilachiRAT has not been widely distributed. Microsoft has refrained from attributing the malware to any specific threat actor or group, citing limited visibility into its deployment. The company emphasizes that, despite its current limited spread, the malware's sophisticated capabilities warrant public disclosure to preempt potential threats and enhance community awareness.

To mitigate the risks associated with StilachiRAT and similar threats, users are advised to implement several security measures. Installing reputable security software is crucial, as comprehensive antivirus solutions provide real-time protection against malware and phishing attempts. Enabling cloud-based protections can further enhance security by leveraging up-to-date threat intelligence and anti-phishing measures.

Users should also exercise caution when downloading software or opening email attachments from untrusted or unknown sources, as these can serve as entry points for malware. Keeping all software updated, including browsers and extensions, is essential to patch vulnerabilities that cybercriminals could exploit. By following these precautions, users can significantly reduce the risk of infection and protect their digital assets.

The emergence of StilachiRAT underscores a growing trend in cyber threats targeting the cryptocurrency sector. The substantial value associated with digital assets makes them attractive targets for cybercriminals employing advanced tactics. This incident highlights the need for continuous vigilance and proactive security measures within the cryptocurrency community.

In February 2025 alone, losses from crypto scams, exploits, and hacks totaled nearly $1.53 billion, with a significant portion attributed to major exchange breaches. Additionally, blockchain analytics firms have reported that crypto-related crime has entered a professionalized era, characterized by AI-driven scams, stablecoin laundering, and efficient cyber syndicates, culminating in $51 billion in illicit transaction volume over the past year.

The discovery of StilachiRAT serves as a critical reminder of the evolving threats facing cryptocurrency users. As cybercriminals develop more sophisticated methods to exploit vulnerabilities, it is imperative for individuals and organizations to adopt robust security practices. By staying informed and implementing recommended safeguards, users can better protect their digital assets against emerging threats.