Microsoft's incident response team has identified a new remote access trojan (RAT) designed to compromise cryptocurrency holdings by targeting digital wallet extensions. The malware, dubbed StilachiRAT, can gather system information, steal login credentials, and extract data from cryptocurrency wallets across multiple platforms.
The trojan specifically targets at least 20 popular cryptocurrency wallet extensions for Google Chrome, including widely used options such as Metamask, Trust Wallet, Coinbase Wallet, and Phantom. Microsoft's investigation revealed that the malware reads registry settings to determine which of these extensions are installed. Once an extension is identified, the malware can extract its sensitive data, potentially giving attackers access to victims' digital assets.
"StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser. It accesses the settings in the following registry key and validates if any of the extensions are installed," Microsoft stated in its March 17 security bulletin. Though the malware has not yet achieved widespread distribution, security experts express significant concern about its sophistication and potential impact.
The malware begins its attack cycle with a reconnaissance phase where it collects information about the victim's operating system, hardware identifiers, and active sessions. It then focuses on credential theft, targeting passwords stored in Chrome and monitoring clipboard data where users frequently copy sensitive information like wallet keys or passwords. This multi-stage approach allows attackers to gather comprehensive data before initiating any theft.
Microsoft's security team highlighted StilachiRAT's advanced anti-forensic capabilities as particularly concerning. The trojan can delete event logs and assess system conditions to avoid detection mechanisms. These evasive techniques make identification and removal significantly more challenging for standard security tools.
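Deleting event logs is not a silent operation on Windows: clearing the Security log writes Event ID 1102 ("The audit log was cleared") into the fresh log, and clearing the System log writes Event ID 104 ("The System log file was cleared"). Both come from the Microsoft-Windows-Eventlog provider, so a defender hunting for anti-forensic behaviour like StilachiRAT's can look for those records. The following Python is an added example written for this article; it is not Microsoft's code and not part of the malware. It runs a detection over a constructed JSON-lines export of event records (the `Channel`/`EventID`/`TimeCreated`/`User` field names and the sample timestamps are assumptions made for the example), and escalates when more than one log is wiped within a short window.

```python
import json
from datetime import datetime, timedelta

# Windows records a log clear in the log that replaces it. These two IDs are
# the standard ones (provider Microsoft-Windows-Eventlog):
#   Security channel -> Event ID 1102 ("The audit log was cleared")
#   System channel   -> Event ID 104  ("The System log file was cleared")
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Constructed sample export (one JSON object per line). This is NOT real
# telemetry; field names and timestamps are assumptions for the example.
SAMPLE_EXPORT = r"""
{"Channel": "Security", "EventID": 4624, "TimeCreated": "2025-03-17T10:00:01", "User": "DESKTOP-1\\alice"}
{"Channel": "Security", "EventID": 1102, "TimeCreated": "2025-03-17T10:00:03", "User": "DESKTOP-1\\alice"}
{"Channel": "System",   "EventID": 7036, "TimeCreated": "2025-03-17T10:00:05", "User": "NT AUTHORITY\\SYSTEM"}
{"Channel": "System",   "EventID": 104,  "TimeCreated": "2025-03-17T10:00:07", "User": "DESKTOP-1\\alice"}
{"Channel": "Security", "EventID": 4688, "TimeCreated": "2025-03-17T14:30:00", "User": "DESKTOP-1\\alice"}
{"Channel": "Security", "EventID": 1102, "TimeCreated": "2025-03-17T23:59:00", "User": "NT AUTHORITY\\SYSTEM"}
"""


def parse_export(text):
    """Parse the JSON-lines export into plain dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "channel": rec["Channel"],
            "event_id": int(rec["EventID"]),
            "time": datetime.fromisoformat(rec["TimeCreated"]),
            "user": rec["User"],
        })
    return events


def find_log_clears(events):
    """Return every record that documents a cleared log, oldest first."""
    return sorted(
        (e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED),
        key=lambda e: e["time"],
    )


def cluster_clears(clears, window=timedelta(minutes=5)):
    """Group clears whose timestamp is within `window` of the previous clear.

    Several logs wiped within minutes of each other is the pattern an
    anti-forensic routine produces, and is a stronger signal than one clear
    in isolation (which may be an administrator tidying up).
    """
    clusters = []
    for e in clears:
        if clusters and e["time"] - clusters[-1][-1]["time"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def alerts(events, window=timedelta(minutes=5)):
    """Turn clusters of log-clear records into alert dicts with a severity."""
    out = []
    for group in cluster_clears(find_log_clears(events), window):
        channels = sorted({e["channel"] for e in group})
        users = sorted({e["user"] for e in group})
        # Two different logs cleared in one burst: high. A single clear: medium.
        severity = "high" if len(channels) > 1 else "medium"
        out.append({
            "severity": severity,
            "channels": channels,
            "users": users,
            "first": group[0]["time"],
            "count": len(group),
        })
    return out


if __name__ == "__main__":
    for a in alerts(parse_export(SAMPLE_EXPORT)):
        print(f"[{a['severity']}] {a['count']} clear(s) of {a['channels']} "
              f"by {a['users']} starting {a['first'].isoformat()}")
```

Run against the sample, this raises one high-severity alert for the Security and System logs cleared four seconds apart, and one medium-severity alert for the isolated clear later that night. The 1102/104 records only survive on the host if the attacker does not clear the log again, so the practical companion to this rule is forwarding events to a collector as they are written; a clear then cannot erase the evidence that it happened.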
To mitigate risks, Microsoft advises users to implement several security measures immediately. "In some cases, remote access trojans can masquerade as legitimate software or software updates. Always download software from the official website of the software developer or from reputable sources," Microsoft emphasized in its advisory. The company also recommends enabling real-time protection in Microsoft Defender and using browsers with SmartScreen to help block malicious websites.
Additional security recommendations include enabling multi-factor authentication for all accounts and maintaining current software updates across all applications. These fundamental security practices can substantially reduce vulnerability to this and similar threats.
The discovery comes amid growing concerns about cryptocurrency-related crime. According to Chainalysis' 2025 Crypto Crime Trends report, illicit cryptocurrency transactions currently range between $40 billion and $50 billion annually. These funds are acquired through various methods, including ransomware attacks, sophisticated malware operations, and other cybercriminal activities.
The report further projects that the volume of illicit crypto transactions in 2024 could exceed $51 billion, representing an average annual increase of 25% between reporting periods. This trend indicates an escalating sophistication in attacks targeting digital assets as cryptocurrency adoption continues to expand worldwide.
Security analysts emphasize that as cryptocurrency holdings become more mainstream, users should expect increasingly targeted attacks designed to compromise these assets. The discovery of StilachiRAT represents a significant evolution in the tactics employed by cybercriminals seeking to exploit digital currency holders.