Microsoft Spots New RAT Gnawing at Wallets and Data

Microsoft has uncovered a stealthy remote access trojan, StilachiRAT, engineered to steal cryptocurrency credentials and sensitive system data using advanced evasion and persistence techniques.

Microsoft Unveils Sophisticated RAT

Microsoft has disclosed the discovery of a new and previously undocumented remote access trojan (RAT) named StilachiRAT, capable of infiltrating systems, extracting sensitive data, and targeting cryptocurrency wallet extensions. The malware, first identified in November 2024, demonstrates a high degree of stealth and anti-forensic behavior, prompting the tech giant to release its findings despite the limited distribution observed so far.


Designed for Persistence and Evasion

StilachiRAT has been identified as a dynamic link library (DLL) module named WWStartupCtrl64.dll, embedding a broad range of RAT capabilities. The malware employs sophisticated methods to evade detection, including persistent anti-forensic techniques such as system log deletion and environment checks to bypass sandbox and analysis tools.

The Microsoft team noted:

“StilachiRAT displays anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection. This includes looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments commonly used for malware analysis.”
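As an added illustration (not code from Microsoft or from this article) of how a defender can look for the two behaviours described above, the following Python example scans a constructed JSON-lines export of Windows events for log-clearing events and for a load of the WWStartupCtrl64.dll module. It assumes the field names shown, the documented event IDs 1102 (Security log cleared) and 104 (System log cleared), and Sysmon event ID 7 (image loaded) on its operational channel.

```python
import json
from collections import defaultdict

# Windows event IDs that record a log being cleared (anti-forensic indicator).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Module name Microsoft attributes to StilachiRAT; compared case-insensitively.
SUSPECT_MODULE = "wwstartupctrl64.dll"
# Sysmon "Image loaded" events; channel/field names are assumptions of this example.
IMAGE_LOADED = ("Microsoft-Windows-Sysmon/Operational", 7)

# Constructed sample export (one JSON object per line); not real telemetry.
SAMPLE_LOGS = [
    r'{"channel": "Security", "event_id": 4624, "host": "ws01", "user": "alice"}',
    r'{"channel": "Security", "event_id": 1102, "host": "ws01", "user": "alice"}',
    r'{"channel": "System", "event_id": 104, "host": "ws01", "user": "alice"}',
    r'{"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 7, "host": "ws02", '
    r'"image": "C:\\Windows\\System32\\svchost.exe", '
    r'"image_loaded": "C:\\Users\\bob\\AppData\\Roaming\\WWStartupCtrl64.dll"}',
    r'{"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 7, "host": "ws02", '
    r'"image": "C:\\Windows\\explorer.exe", "image_loaded": "C:\\Windows\\System32\\kernel32.dll"}',
]


def detect(lines):
    """Return (host, rule, detail) findings, one per matching event, in input order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEARED:
            findings.append((ev["host"], "event_log_cleared",
                             f'{ev["channel"]} log cleared by {ev.get("user", "?")}'))
        elif key == IMAGE_LOADED:
            loaded = ev.get("image_loaded", "")
            if loaded.lower().endswith(SUSPECT_MODULE):
                findings.append((ev["host"], "stilachirat_module_loaded",
                                 f'{loaded} loaded into {ev.get("image", "?")}'))
    return findings


def hosts_by_rule(findings):
    """Group findings by host so an analyst sees which rules fired where."""
    summary = defaultdict(set)
    for host, rule, _ in findings:
        summary[host].add(rule)
    return dict(summary)


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOGS):
        print(f"[{rule}] {host}: {detail}")
```

A log-cleared event is worth triage on its own; the module-name match is only as good as the name Microsoft reported, so treat it as one indicator among several rather than a definitive verdict.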

Targeting Cryptocurrency Wallets

One of StilachiRAT’s key capabilities is its focus on cryptocurrency-related data. The malware scans Google Chrome for a predefined list of crypto wallet browser extensions, including:

Bitget Wallet, Trust Wallet, MetaMask, TronLink, OKX Wallet, Coinbase Wallet, Phantom, BNB Chain Wallet, Sui Wallet and more.

The trojan actively monitors clipboard data for wallet keys and passwords, while also keeping track of active windows and GUI-based applications. The collected information is subsequently transmitted to a remote command-and-control (C2) server.

Comprehensive System Reconnaissance

Beyond credential theft, StilachiRAT gathers extensive system metadata. It retrieves operating system details, BIOS serial numbers, camera availability, active Remote Desktop Protocol (RDP) sessions, and running GUI applications using Windows Management Instrumentation (WMI) via WQL queries.

The malware also features commands for system manipulation. These include initiating system reboots, clearing logs, launching or terminating applications, modifying registry settings, and even suspending system operations.

Delivery Method Remains Unclear

While the exact delivery vector of StilachiRAT remains unknown, Microsoft emphasized that such malware can be deployed through various initial access routes. No specific threat actor or geographic origin has been associated with StilachiRAT to date. However, the stealth capabilities and data collection breadth have raised concerns within the cybersecurity community.

Microsoft’s latest findings reinforce the rising sophistication of cyber threats, particularly those targeting digital assets. Security professionals have been advised to maintain updated defenses, monitor unusual system behavior, and conduct regular threat assessments.


