Microsoft Issues Alert on Remote Access Trojan Attacking Crypto Wallets
On March 17, Microsoft's Incident Response Team reported the discovery of a new remote access trojan (RAT) designed to steal cryptocurrency-related data. The malware scans for the configuration files of 20 different crypto wallet extensions for the Google Chrome browser. Harvesting these files yields details that help attackers gain access to the victim's digital assets.
Key Capabilities of RAT Malware
In a detailed blog post, the Microsoft team explained that the RAT malware known as StilachiRAT was first discovered in November 2024 and employs advanced methods to avoid detection.
Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. https://t.co/MJARVBz2zd
— Microsoft Threat Intelligence (@MsftSecIntel) March 17, 2025
Among the targeted crypto wallet extensions are Bitget Wallet (formerly Bitkeep), Trust Wallet, TronLink, MetaMask (Ethereum), BNB Chain Wallet, OKX Wallet, TokenPocket, and many others. These widely used wallets store critical financial data, making them valuable targets for cybercriminals.
Microsoft also revealed that, beyond its primary goal of compromising crypto wallets, the RAT is designed for deep system infiltration, giving attackers extensive control over infected devices.
One of the key features of StilachiRAT is system reconnaissance. The malware gathers detailed system information, including operating system details, hardware identifiers, camera presence, and active Remote Desktop Protocol (RDP) sessions.
The malware also specializes in credential theft. It extracts and decrypts saved credentials from Google Chrome, granting hackers access to stored usernames and passwords. This capability extends the threat beyond crypto wallet extensions, putting other sensitive accounts at risk.
The malware, which we have named StilachiRAT, uses various methods to steal information such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information.
— Microsoft Threat Intelligence (@MsftSecIntel) March 17, 2025
To maintain communication with its operators, StilachiRAT establishes command-and-control (C2) connectivity. It connects to remote servers through TCP ports 53, 443, or 16000, allowing attackers to execute commands remotely.
Through this C2 connection, the RAT supports a range of remote commands. Attackers can restart systems, erase logs, manipulate registry settings, launch applications, and even suspend system processes.
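The two behaviours the article attributes to StilachiRAT that are most visible in endpoint telemetry are outbound TCP connections on ports 53, 443 or 16000 and a non-browser process reading Chrome wallet-extension configuration data. The following Python script is an added example written for this article, not code from Microsoft's report. It runs simple triage rules over constructed Sysmon-style network and file events. Assumptions not taken from the article: that Chrome keeps per-extension data under its "Local Extension Settings" directory (the path matched below), that the Windows DNS client runs inside svchost.exe, the browser allow-list, and the sample process name updater.exe and the <ext-id> placeholder, which are invented for the demonstration. Port 443 alone is too common to alert on, so the script only escalates when one process trips several independent rules.

```python
"""Triage constructed endpoint telemetry for the StilachiRAT behaviours
described in the article: C2 over TCP 53/443/16000 and non-browser access
to Chrome extension storage. All sample events below are constructed."""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Ports the article lists for StilachiRAT command-and-control traffic.
C2_PORTS = {53, 443, 16000}

# Assumption: processes that legitimately use these ports on a Windows host.
# Tune both allow-lists to the environment being monitored.
DNS_CLIENTS = {"svchost.exe"}                      # hosts the Windows DNS client service
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumption: Chrome stores per-extension data (LevelDB) under this directory.
EXT_STORAGE_RE = re.compile(
    r"\\User Data\\[^\\]+\\Local Extension Settings\\", re.IGNORECASE)

# Constructed sample telemetry, one JSON object per line. "updater.exe" and
# "<ext-id>" are placeholders, not indicators from the Microsoft report.
SAMPLE_EVENTS = r"""
{"ts":"2025-03-17T10:00:01Z","type":"net","image":"chrome.exe","dst":"203.0.113.5","dport":443,"proto":"tcp"}
{"ts":"2025-03-17T10:00:02Z","type":"net","image":"svchost.exe","dst":"192.0.2.53","dport":53,"proto":"tcp"}
{"ts":"2025-03-17T10:00:03Z","type":"net","image":"updater.exe","dst":"198.51.100.7","dport":16000,"proto":"tcp"}
{"ts":"2025-03-17T10:00:04Z","type":"net","image":"updater.exe","dst":"198.51.100.7","dport":53,"proto":"tcp"}
{"ts":"2025-03-17T10:00:05Z","type":"net","image":"updater.exe","dst":"198.51.100.7","dport":443,"proto":"tcp"}
{"ts":"2025-03-17T10:00:06Z","type":"file","image":"chrome.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\<ext-id>\\000003.log"}
{"ts":"2025-03-17T10:00:07Z","type":"file","image":"updater.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\<ext-id>\\000003.log"}
"""


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one event, or None if no rule matches."""
    image = ev.get("image", "").lower()
    if ev.get("type") == "net" and ev.get("proto") == "tcp":
        port = ev.get("dport")
        if port not in C2_PORTS:
            return None
        if port == 16000:
            # Uncommon port; the article names it for StilachiRAT C2.
            return ("high", f"{image} opened TCP/16000 to {ev['dst']}")
        if port == 53 and image not in DNS_CLIENTS:
            # DNS over TCP from anything but the resolver service is unusual.
            return ("medium", f"{image} spoke TCP/53 to {ev['dst']} but is not the DNS client")
        if port == 443 and image not in BROWSERS:
            # HTTPS is everywhere; record it, but it needs corroboration.
            return ("low", f"{image} opened TCP/443 to {ev['dst']}")
        return None
    if ev.get("type") == "file" and image not in BROWSERS:
        if EXT_STORAGE_RE.search(ev.get("path", "")):
            # Only the browser should touch its own extension storage.
            return ("high", f"{image} read Chrome extension storage {ev['path']}")
    return None


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON event lines and return one alert dict per rule hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            severity, reason = hit
            alerts.append({"ts": ev["ts"], "image": ev["image"].lower(),
                           "severity": severity, "reason": reason})
    return alerts


def suspicious_processes(alerts: List[Dict[str, str]], min_hits: int = 2) -> Dict[str, List[Dict[str, str]]]:
    """Group alerts by process and keep those with several independent hits.
    A lone TCP/443 alert is noise; the same process hitting 16000, 53 and
    extension storage within the same window is worth an analyst's time."""
    by_image: Dict[str, List[Dict[str, str]]] = {}
    for alert in alerts:
        by_image.setdefault(alert["image"], []).append(alert)
    return {img: hits for img, hits in by_image.items() if len(hits) >= min_hits}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS.splitlines())
    for img, hits in suspicious_processes(found).items():
        print(f"[{img}] {len(hits)} correlated hits")
        for h in hits:
            print(f"  {h['ts']} {h['severity']:<6} {h['reason']}")
```

In the constructed sample, chrome.exe and svchost.exe produce no alerts, while updater.exe trips all four rules and is the only process returned by suspicious_processes. In a real deployment the same rules would be expressed in the SIEM's query language and the allow-lists populated from a baseline of the fleet's normal network and file activity.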
These features, combined with many others, make StilachiRAT a powerful tool for cybercriminals seeking to maintain control over compromised devices.
Microsoft Asserts RAT Malware Shows Limited Spread
While the RAT's capabilities are concerning, particularly for users of crypto wallet extensions, Microsoft has not yet attributed the trojan to a specific threat actor or geographic region.
The Microsoft alert explains that, at this time, the malware does not show widespread distribution. However, due to its stealth features and the rapidly evolving malware space, the team continues to monitor and analyze the situation to keep security professionals and users informed.
Microsoft has not yet attributed StilachiRAT to a specific threat actor or geolocation. Based on Microsoft's current visibility, the malware does not exhibit widespread distribution at this time.
— Microsoft Threat Intelligence (@MsftSecIntel) March 17, 2025
It is important to note that early detection is key to preventing harm before cybercriminals can exploit vulnerabilities.
Last month, Kaspersky Labs discovered another crypto-targeting malware hidden in software development kits (SDKs) used for creating Android and iOS apps.
This malware, named SparkCat, infiltrates devices and scans stored images to steal sensitive recovery phrases for cryptocurrency wallets, putting digital assets in danger.
Cybercriminals are constantly refining their tactics. Last month, a Kaspersky analyst uncovered a large-scale malware campaign involving hundreds of fake GitHub projects.
These repositories contain harmful software such as RATs, info-stealers, and clipboard hijackers. Their primary goal is to compromise crypto wallet extensions, steal digital assets, and extract confidential user data.
The Microsoft alert serves as a strong reminder for crypto users and developers to stay vigilant, update security protocols, and take preventive measures against emerging cyber threats.