Microsoft Reports Malware Targeting 20 Crypto Wallets
Microsoft has issued a warning about a new malware threat targeting cryptocurrency wallets through Google Chrome extensions.
The malware, known as StilachiRAT, was identified by Microsoft’s Incident Response team in November 2024.
This remote access trojan (RAT) employs advanced techniques to evade detection, maintain persistence within the affected system, and steal sensitive data.
StilachiRAT specifically targets 20 popular cryptocurrency wallet extensions on Chrome, including MetaMask, Trust Wallet, Coinbase Wallet, TronLink, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, and Phantom.
The malware is capable of compromising wallet information and stealing credentials such as usernames and passwords stored in Chrome, posing a significant threat to users’ digital assets.
Microsoft warned:
“StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser. It accesses the settings in the following registry key and validates if any of the extensions are installed.”
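The registry check Microsoft describes is the same question a defender wants answered in reverse: which of the wallet extensions named above are actually installed on a given machine? The following inventory script is an added example, not code from Microsoft or from the article; it reads Chrome's on-disk extension manifests (the default Windows profile path is assumed) rather than the registry key Microsoft mentions, matches the display name against the list on this page, and handles the case where a manifest declares its name as a localisation placeholder (`__MSG_appName__`) resolved from `_locales/<default_locale>/messages.json`. The `demo()` function builds a constructed, throw-away extensions tree so the logic can be run offline.

```python
from __future__ import annotations
import json
import tempfile
from pathlib import Path

# Wallet extensions the article names as StilachiRAT targets.
TARGETED_WALLETS = {
    "MetaMask", "Trust Wallet", "Coinbase Wallet", "TronLink", "TokenPocket",
    "BNB Chain Wallet", "OKX Wallet", "Sui Wallet", "Phantom",
}

# Assumption: default Chrome profile on Windows; adjust for other profiles.
DEFAULT_EXTENSIONS_DIR = (Path.home() / "AppData" / "Local" / "Google"
                          / "Chrome" / "User Data" / "Default" / "Extensions")


def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Return the human-readable extension name.

    A manifest may declare its name as "__MSG_<key>__"; Chrome then looks the
    key up in _locales/<default_locale>/messages.json. Mirror that here.
    """
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages_file = ext_dir / "_locales" / locale / "messages.json"
        if messages_file.is_file():
            messages = json.loads(messages_file.read_text(encoding="utf-8"))
            return messages.get(key, {}).get("message", name)
    return name


def inventory_wallet_extensions(extensions_dir: Path = DEFAULT_EXTENSIONS_DIR) -> list[dict]:
    """List installed extensions whose display name is on the targeted list."""
    findings: list[dict] = []
    if not extensions_dir.is_dir():
        return findings
    # Layout: <Extensions>/<32-char extension id>/<version>/manifest.json
    for ext_id_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_id_dir.iterdir() if p.is_dir()):
            manifest_file = version_dir / "manifest.json"
            if not manifest_file.is_file():
                continue
            try:
                manifest = json.loads(manifest_file.read_text(encoding="utf-8-sig"))
            except (json.JSONDecodeError, OSError):
                continue  # unreadable manifest: skip rather than abort the audit
            name = resolve_name(version_dir, manifest)
            if name in TARGETED_WALLETS:
                findings.append({"id": ext_id_dir.name, "version": version_dir.name, "name": name})
    return findings


def write_manifest(version_dir: Path, manifest: dict, messages: dict | None = None) -> None:
    """Helper for constructing a sample extension directory (demo only)."""
    version_dir.mkdir(parents=True, exist_ok=True)
    (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    if messages is not None:
        locale_dir = version_dir / "_locales" / manifest.get("default_locale", "en")
        locale_dir.mkdir(parents=True, exist_ok=True)
        (locale_dir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")


def demo() -> list[dict]:
    """Run the inventory against a constructed, throw-away extensions tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: wallet whose name is declared directly.
        write_manifest(root / "phantomfakeid00000000000000000000" / "1.0.0",
                       {"name": "Phantom", "version": "1.0.0"})
        # Constructed sample: wallet using the localisation placeholder.
        write_manifest(root / "metamaskfakeid0000000000000000000" / "12.0.1",
                       {"name": "__MSG_appName__", "default_locale": "en", "version": "12.0.1"},
                       messages={"appName": {"message": "MetaMask"}})
        # Constructed sample: unrelated extension that must be ignored.
        write_manifest(root / "othertoolfakeid000000000000000000" / "2.3",
                       {"name": "Tab Tidy", "version": "2.3"})
        return inventory_wallet_extensions(root)


if __name__ == "__main__":
    for f in inventory_wallet_extensions():
        print(f"{f['name']:<18} {f['id']} {f['version']}")
```

Matching is by exact display name, which is an assumption: a real manifest may carry a slightly different string (for example a suffix), so treat the list as a starting point and extend it with the names seen in your own fleet.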
How StilachiRAT Operates
StilachiRAT is a significant advancement in cyber threats, especially for those holding digital assets.
Microsoft detailed its capabilities, revealing that the malware can extract sensitive information such as passwords and cryptocurrency keys stored in the Google Chrome local state file, while also monitoring clipboard activity.
StilachiRAT begins its infiltration by performing extensive reconnaissance.
It collects critical system data, including operating system details, hardware identifiers like BIOS serial numbers, active Remote Desktop Protocol (RDP) sessions, camera presence, and currently running GUI applications.
This information is gathered through Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL).
Microsoft further noted that StilachiRAT is equipped with evasion tactics, such as the ability to erase event logs and detect sandbox environments, making it harder to analyse.
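Erasing event logs is itself loud: Windows records Event ID 1102 in the Security channel when the audit log is cleared and Event ID 104 in the System channel when another log is cleared. The detection below is an added example, not code from Microsoft or the article; it assumes event records have already been exported to dictionaries with the field names shown (a real export from Get-WinEvent or a SIEM needs a small adapter) and runs over constructed sample records embedded in the block. One account wiping more than one log within a short window is escalated to a higher severity, which is the pattern a RAT covering its tracks produces.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Event IDs Windows writes when a log is cleared. 1102 lands in the Security
# channel; 104 lands in the System channel and names the cleared log itself.
LOG_CLEARED = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
}


def detect_log_clearing(records: list[dict], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return one finding per log-clearing event, oldest first.

    Severity starts at "medium" and is raised to "high" when the same account
    clears more than one distinct log inside `window`.
    """
    hits: list[dict] = []
    for rec in records:
        key = (rec.get("Channel"), rec.get("EventID"))
        if key not in LOG_CLEARED:
            continue
        hits.append({
            "time": datetime.fromisoformat(rec["TimeCreated"]),
            "user": rec.get("SubjectUserName", "?"),
            # 1102 always means the Security log; 104 carries the cleared log's name.
            "cleared_log": rec.get("ClearedLog", key[0]),
            "event_id": key[1],
            "description": LOG_CLEARED[key],
            "severity": "medium",
        })
    hits.sort(key=lambda h: h["time"])
    # Escalate: same account, different logs, close together in time.
    for i, hit in enumerate(hits):
        for earlier in hits[:i]:
            if (hit["user"] == earlier["user"]
                    and hit["cleared_log"] != earlier["cleared_log"]
                    and hit["time"] - earlier["time"] <= window):
                hit["severity"] = earlier["severity"] = "high"
    return hits


# Constructed sample records (not real telemetry). The first is a normal
# logon and must be ignored; the next three show one account clearing
# Security, Application and PowerShell logs within seconds.
SAMPLE_RECORDS = [
    {"TimeCreated": "2025-03-17T09:14:02", "Channel": "Security", "EventID": 4624,
     "SubjectUserName": "alice"},
    {"TimeCreated": "2025-03-17T09:15:10", "Channel": "Security", "EventID": 1102,
     "SubjectUserName": "svc_update"},
    {"TimeCreated": "2025-03-17T09:15:11", "Channel": "System", "EventID": 104,
     "SubjectUserName": "svc_update", "ClearedLog": "Application"},
    {"TimeCreated": "2025-03-17T09:15:12", "Channel": "System", "EventID": 104,
     "SubjectUserName": "svc_update", "ClearedLog": "Microsoft-Windows-PowerShell/Operational"},
    # An isolated clear hours later by another account stays at medium.
    {"TimeCreated": "2025-03-17T14:02:40", "Channel": "System", "EventID": 104,
     "SubjectUserName": "bob", "ClearedLog": "Application"},
]


if __name__ == "__main__":
    for h in detect_log_clearing(SAMPLE_RECORDS):
        print(f"{h['time']:%Y-%m-%d %H:%M:%S} [{h['severity']:>6}] "
              f"{h['user']} cleared {h['cleared_log']} (EventID {h['event_id']})")
```

Clearing a log does not remove the clearing event from a forwarded copy, so the check is most reliable when run against centrally collected events rather than the endpoint's own logs.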
The malware’s communication with its command and control (C2) server is bidirectional, enabling the malware to execute remote instructions.
This allows for espionage and system manipulation, with Microsoft emphasizing that StilachiRAT supports ten distinct commands, underscoring its potential as a versatile and dangerous tool.
Microsoft Warns Users to Be Vigilant
To protect against StilachiRAT, Microsoft recommends downloading software exclusively from trusted sources and avoiding unfamiliar websites or attachments.
Users should also enable real-time protection through Microsoft Defender and utilise browsers with SmartScreen to block malicious sites.
In addition, Microsoft advises implementing multi-factor authentication (MFA) and regularly updating software to reduce vulnerabilities.
Microsoft advises:
“In some cases, remote access trojans (RATs) can masquerade as legitimate software or software updates. Always download software from the official website of the software developer or from reputable sources.”
The malware has not yet seen widespread distribution, and Microsoft has not identified the entity responsible for this threat.
The company has outlined mitigation strategies, including installing antivirus software, to safeguard current targets.
Despite its limited reach, the potential risk of StilachiRAT continues to raise concerns within the cryptocurrency community.
The team wrote:
“Due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape.”