What is StilachiRAT malware?
In November 2024, Microsoft Incident Response researchers uncovered a remote access Trojan (RAT) called StilachiRAT. This discovery highlights the evolving nature of cyber threats, with the malware combining multiple malicious functions into a single tool for maximum impact.
Designed to evade detection and exfiltrate sensitive data, StilachiRAT steals credentials and extracts and decrypts usernames and passwords stored in Google Chrome. It performs extensive system reconnaissance, collecting details such as operating system information, BIOS (Basic Input/Output System) serial numbers, camera presence and active remote desktop protocol (RDP) sessions.
With a focus on stealing cryptocurrencies, StilachiRAT scans for up to 20 crypto wallet extensions within Chrome, including those from Coinbase, Fractal, Phantom, Manta and Bitget. It also monitors clipboard activity and running applications, specifically looking for sensitive information like passwords and private keys.
Although Microsoft has yet to attribute StilachiRAT to a specific threat actor or region, current observations indicate that it is not yet widely distributed as of March 2025. However, its advanced capabilities make it a significant cybersecurity concern.
Did you know? In November 2024, Microsoft Threat Intelligence found a North Korean hacking group called “Sapphire Sleet” involved in cryptocurrency theft and corporate espionage.
How hackers trick users into installing StilachiRAT
Hackers employ various deceptive tactics to trick users into installing malware like StilachiRAT using multiple vectors.
Such tactics include:
- Phishing emails: Attackers have been using phishing emails to trick recipients into opening malicious attachments or clicking on harmful links, leading to RAT malware installation. For instance, in November 2024, scamsters sent phishing emails targeting self-hosted help desk software for the delivery of AsyncRat, PureLog Stealer and XWorm RATs.
- Fake browser extensions: Cybercriminals develop counterfeit browser extensions that mimic popular ones. When users install these malicious extensions, they unknowingly introduce malware like StilachiRAT into their systems.
- Malicious downloads: Users may inadvertently download StilachiRAT by accessing compromised websites or downloading software from untrustworthy sources. These downloads can be bundled with malicious code that executes upon installation.
- Exploit kits: Attackers utilize exploit kits to target software vulnerabilities, delivering RATs like StilachiRAT without user interaction. Exploit kits enable hackers to automatically manage and deploy exploits against a target computer.
- Brute-force RDP attacks: Cybercriminals attempt to gain unauthorized access by systematically guessing remote desktop protocol (RDP) credentials, allowing them to install malware remotely.
- USB droppers: Attackers distribute infected USB drives that automatically install malware when connected to a system.
- Drive-by downloads: Visiting compromised or malicious websites can result in automatic malware downloads without the user’s knowledge.
- Fake applications and social media links: Scammers may disguise StilachiRAT as legitimate applications or share them through deceptive links on social media platforms, tricking users into installation.
Did you know? In cybersecurity, the term “zero-day vulnerability” is an unknown security flaw in software or hardware. Because the developer is unaware of it, no patch or preventative measures are available to address it.
How does StilachiRAT steal crypto wallet data?
Designed to bypass traditional security measures, StilachiRAT functions in multiple layers. Understanding its methods, from initial infection to data extraction, is crucial for protecting your digital assets from this potentially devastating threat.
Targeting specific digital wallets
StilachiRAT focuses on a set of designated cryptocurrency wallet extensions for the Google Chrome browser. It accesses the configurations in the following registry key and checks if any extensions are present.
\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings
StilachiRAT specifically targets the following cryptocurrency wallet extensions:
Stealing credentials
StilachiRAT obtains Google Chrome’s encryption key from the local state file within the user’s directory. Nevertheless, as this key is initially encrypted when Chrome is installed, the malware uses Windows APIs to decrypt it based on the current user’s context. This enables it to access saved credentials stored in Chrome’s password vault. Extracted credentials originate from the following locations:
- %LOCALAPPDATA%\Google\Chrome\User Data\Local State, which holds Chrome’s…
cointelegraph.com