A New Trojan Attacks Cryptocurrency Wallets: StilachiRAT
Microsoft has issued a warning about a sophisticated malware called StilachiRAT that specifically targets cryptocurrency users through Google Chrome. This Remote Access Trojan (RAT), first detected in November 2024, is capable of bypassing detection systems and stealing sensitive information, including stored browser credentials. Popular wallets such as MetaMask, Coinbase Wallet, Phantom, OKX Wallet, and BNB Chain Wallet have been identified as targets.
A Stealthy and Hard-to-Detect Threat
StilachiRAT does more than just siphon user information – it adapts and hides within the infected environment. It employs advanced techniques such as using Windows Management Instrumentation (WMI) to discreetly collect data, erasing system logs to conceal malicious activity, detecting forensic analysis tools and virtual machines to avoid identification, and executing remote commands to gain complete control over the infected machine. These characteristics make it a formidable adversary, capable of remaining active for a long period without alerting the user.
Crypto in the Crosshairs: How StilachiRAT Attacks Wallets
One of the most concerning aspects of StilachiRAT is its expertise in cryptocurrency theft. This malware not only steals passwords but is specifically designed to extract private keys stored in browser extensions. Once these keys are compromised, the attacker can empty victims’ wallets with no recourse.
The malware employs multiple techniques to compromise wallets, including stealing credentials stored in the browser (primarily Google Chrome), monitoring the clipboard to detect and modify cryptocurrency receiving addresses, monitoring remote desktop sessions to capture user actions, and executing remote commands to take control of the system.
A Growing Menace in the Cybercriminal World
StilachiRAT is part of a troubling trend: cybercriminals are developing increasingly sophisticated tools to exploit cryptocurrency users’ vulnerabilities. This malware is just one link in a larger chain that includes bootkits capable of modifying computer firmware for persistent access, IIS backdoors used to execute commands unbeknownst to victims, and Windows implants dedicated to spying and stealing sensitive data. Cryptostealers have become an essential component of these cyberattacks, and each intrusion into a system could result in compromised online funds.
Protecting Against StilachiRAT and Similar Threats
Microsoft recommends several best practices to guard against this threat, such as regularly updating the operating system and software to address vulnerabilities exploited by such malware, using antivirus or advanced protection solutions (EDR) to detect and neutralize RATs, enabling multifactor authentication (MFA) to secure access to sensitive platforms, avoiding downloading suspicious files or clicking on unverified links, and monitoring system logs to detect any abnormal activity. However, these measures are not always sufficient against targeted attacks on crypto wallets.
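The last recommendation above, monitoring system logs for abnormal activity, is concrete enough to illustrate. The following is an added example written for this article, not code from Microsoft or from the malware: it runs a few detection rules over constructed Windows event records in the flattened JSON-lines layout a SIEM or EDR export would produce. The rules rely on well-known Windows event IDs (Security 1102 for a cleared audit log, System 104 from Microsoft-Windows-Eventlog for a cleared log, Security 4688 and Sysmon 1 for process creation) and on two heuristics tied to the behaviour described earlier: a `wevtutil cl` command line, and a process whose parent is the WMI provider host `WmiPrvSE.exe`. Field names (`channel`, `event_id`, `image`, `parent_image`, `cmdline`) are an assumed export schema; adapt them to your own pipeline.

```python
"""Flag event-log records consistent with log clearing and WMI-hosted execution.

Added example for this article (not Microsoft's or the project's code). Input is a
JSON-lines export with assumed field names; the sample below is constructed.
"""
import json
import re

# Constructed sample export: one benign logon, one wevtutil log clear, the two
# "log cleared" events that follow it, a shell spawned under WmiPrvSE.exe, and
# one benign process creation.
SAMPLE_EXPORT = r"""
{"id": 1, "channel": "Security", "event_id": 4624, "host": "WS01", "user": "alice", "msg": "An account was successfully logged on."}
{"id": 2, "channel": "Security", "event_id": 4688, "host": "WS01", "user": "alice", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"}
{"id": 3, "channel": "Security", "event_id": 1102, "host": "WS01", "user": "alice", "msg": "The audit log was cleared."}
{"id": 4, "channel": "System", "event_id": 104, "provider": "Microsoft-Windows-Eventlog", "host": "WS01", "msg": "The System log file was cleared."}
{"id": 5, "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "host": "WS01", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "cmdline": "cmd.exe /c whoami"}
{"id": 6, "channel": "Security", "event_id": 4688, "host": "WS01", "user": "alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
"""

# Heuristics: clearing a log with wevtutil, WMI client tool, WMI provider host as parent.
LOG_CLEAR_CMD = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
WMI_CLIENT = re.compile(r"\\wmic\.exe$", re.IGNORECASE)
WMI_HOST = re.compile(r"\\wmiprvse\.exe$", re.IGNORECASE)

# Labels that indicate log tampering rather than mere reconnaissance.
ANTI_FORENSICS = {"security-audit-log-cleared", "event-log-cleared", "log-clear-command"}


def parse_export(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(rec):
    """Return a rule label for one record, or None if nothing matched."""
    channel = rec.get("channel", "")
    eid = rec.get("event_id")
    if channel == "Security" and eid == 1102:
        return "security-audit-log-cleared"
    if channel == "System" and eid == 104 and rec.get("provider") == "Microsoft-Windows-Eventlog":
        return "event-log-cleared"
    process_create = (channel == "Security" and eid == 4688) or (
        channel.startswith("Microsoft-Windows-Sysmon") and eid == 1
    )
    if process_create:
        if LOG_CLEAR_CMD.search(rec.get("cmdline", "")):
            return "log-clear-command"
        if WMI_CLIENT.search(rec.get("image", "")):
            return "wmi-query-tool"
        if WMI_HOST.search(rec.get("parent_image", "")):
            return "process-spawned-by-wmi-host"
    return None


def detect(records):
    """Return (label, record id, host) for every record that matches a rule."""
    findings = []
    for rec in records:
        label = classify(rec)
        if label:
            findings.append((label, rec["id"], rec.get("host", "?")))
    return findings


def hosts_needing_triage(findings):
    """Hosts where a log was cleared: later events on them cannot be trusted."""
    return {host for label, _, host in findings if label in ANTI_FORENSICS}


if __name__ == "__main__":
    hits = detect(parse_export(SAMPLE_EXPORT))
    for label, rec_id, host in hits:
        print(f"{host}: record {rec_id} -> {label}")
    print("triage:", sorted(hosts_needing_triage(hits)))
```

The point of the last function is that a cleared log is itself the signal: once Security 1102 or System 104 appears, the absence of later evidence on that host proves nothing, so the host is treated as suspect and investigated from EDR telemetry or forwarded logs that the attacker could not erase locally.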
The Peril of Browser-Based Wallets: A Structural Vulnerability
Browser-based wallets are inherently vulnerable, as StilachiRAT demonstrates. If a private key is stored in software, it can be read by any malware running with the user's privileges. Once the key is stolen, neither additional authentication nor a password reset can stop the attacker from draining the funds, because possession of the key is itself the authority to spend.
The Only Effective Solution: Hardware Wallets
Security experts, including Ledger CTO Charles Guillemet, emphasize that hardware wallets remain the only reliable protection against such attacks. Unlike software wallets, a physical wallet stores private keys in a secure chip, beyond the reach of malware. It requires physical validation for every transaction, making remote theft impossible, and is immune to credential theft, keylogging, and clipboard modification. Even if a user is infected with StilachiRAT, their funds remain protected as long as they are stored on a hardware wallet.