Microsoft uncovers new trojan targeting crypto wallet extensions on chrome

Microsoft researchers have identified a new remote access trojan (RAT) named StilachiRAT, designed to steal cryptocurrency wallet data, credentials, and system information while maintaining persistent access to compromised devices, the company disclosed on March 17.

The malware, first detected in November 2024, employs stealth techniques and anti-forensic measures to evade detection.

While Microsoft has not yet attributed StilachiRAT to a known threat actor, security experts warn that its capabilities could pose a significant cybersecurity risk, particularly to users handling crypto.

Sophisticated threat

StilachiRAT is capable of scanning for and extracting data from 20 different cryptocurrency wallet extensions in Google Chrome, including MetaMask, Trust Wallet, and Coinbase Wallet, allowing attackers to access stored funds.

Additionally, the malware decrypts saved Chrome passwords, monitors clipboard activity for sensitive financial data, and establishes remote command-and-control (C2) connections via TCP ports 53, 443, and 16000 to execute commands on infected machines.

The RAT also monitors active Remote Desktop Protocol (RDP) sessions, impersonates users by duplicating security tokens, and enables lateral movement across networks — an especially dangerous feature for enterprise environments.

Persistence mechanisms include modifying Windows service settings and launching watchdog threads to reinstate itself if removed.

To further evade detection, StilachiRAT clears system event logs, disguises API calls, and delays its initial connection to C2 servers by two hours. It also searches for analysis tools such as tcpview.exe and halts execution if they are present, making forensic analysis more difficult.

Mitigation strategies and response

Microsoft advised users to download software only from official sources, as malware like StilachiRAT can masquerade as legitimate applications.

The company also recommended enabling network protection in Microsoft Defender for Endpoint and activating Safe Links and Safe Attachments in Microsoft 365 to guard against phishing-based malware distribution.

Microsoft Defender XDR has been updated to detect StilachiRAT activity. Security professionals are urged to monitor network traffic for unusual connections, inspect system modifications, and track unauthorized service installations that could indicate an infection.

While Microsoft has not observed widespread distribution of StilachiRAT, the company warned that threat actors frequently evolve their malware to bypass security measures. Microsoft said it is continuing to monitor the threat and will provide further updates through its Threat Intelligence Blog.

The post Microsoft uncovers new trojan targeting crypto wallet extensions on chrome appeared first on CryptoSlate.

  • Related Posts

    Bitnomial set to launch CFTC-approved XRP futures on March 20, withdraws SEC lawsuit

    Bitnomial will launch its CFTC-approved XRP futures contracts on March 20 and drop its lawsuit against the US Securities and Exchange Commission. The firm said its decision to withdraw its…

    Continue reading
    Trump’s crypto Czar slams media for misrepresenting divestment as dump

    White House AI and crypto advisor David Sacks criticized claims that he “dumped” his crypto holdings and clarified that, after being appointed by President Donald Trump, he was required to…

    Continue reading

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Bitnomial set to launch CFTC-approved XRP futures on March 20, withdraws SEC lawsuit

    Bitnomial set to launch CFTC-approved XRP futures on March 20, withdraws SEC lawsuit

    Trump’s crypto Czar slams media for misrepresenting divestment as dump

    Trump’s crypto Czar slams media for misrepresenting divestment as dump

    Tom Emmer says 1M Bitcoin reserve will be enacted under current Congress

    Tom Emmer says 1M Bitcoin reserve will be enacted under current Congress

    First Solana ETFs in the US set for trading debut on March 20

    First Solana ETFs in the US set for trading debut on March 20

    Czech central banker questions Bitcoin’s place as a reserve asset amid volatility concerns

    Czech central banker questions Bitcoin’s place as a reserve asset amid volatility concerns

    North Dakota sets $2,000 daily limit for crypto ATM transactions

    North Dakota sets $2,000 daily limit for crypto ATM transactions