Microsoft flags new remote access trojan targeting crypto wallet extensions on Chrome browser

Source Cryptopolitan

Microsoft discovered a novel remote access trojan (RAT) that targets cryptocurrency wallet extensions on the Google Chrome browser. The company added that the RAT, StilachiRAT, uses advanced techniques to evade detection. 

Microsoft reported discovering a new remote access trojan (RAT) named StilachiRAT. The company’s Incident Response Team revealed that it first identified the malware in November last year. 

Microsoft warns of StilachiRAT targeting user information and crypto wallets 

Microsoft Incidence response team said that the remote access trojan demonstrated sophisticated techniques to evade detection. It added that the trojan can exfiltrate personal user data stored on the Chrome browser. The team added that the virus can access digital wallet information and data stored in the clipboard. 

It explained that the bad actors could use the trojan to siphon crypto wallet data upon deployment. The team added that the bad actors scan the device settings to identify whether any of the twenty crypto wallet extensions are installed. It highlighted some target wallets, including MetaMask, OKX wallet, Coinbase wallet and Trust wallet. 

The team said that an analysis of StilachiRAT’s WWStartupCtrl64.dll module, which contained the RAT capabilities, revealed that it used various methods to steal information from the target system. 

It explained that the malware could extract credentials such as passwords and crypto keys saved on the Google Chrome local state file and monitor clipboard activity. 

Microsoft added that StilachiRAT was designed to gather system information, including Operating system (OS) details, hardware identifiers like BIOS serial numbers, active Remote Desktop Protocol (RDP) sessions, camera presence, and running graphical user interface (GUI) applications. It added that the details were collected through Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL).

Microsoft also revealed that the malware could use detection evasion and anti-forensics features such as the ability to clear event logs. The company added that the malware could also check for signs that it is running in a sandbox to block analysis attempts. 

It explained that the command and control (C2) server communications were two-way. Microsoft added that the communications enabled the malware to launch instructions sent to it. It warned that the features pointed to versatile espionage and system manipulation tools. The company highlighted that the malware supported ten different commands.

The team said they could not identify who was behind the malware at the time. It explained that it hoped that sharing the information publicly would lower the number of people who might fall victim to the bad actors. 

Microsoft suggests that individuals and institutions take measures to protect their data 

Microsoft added that based on its current visibility, the malware did not exhibit widespread distribution at this time. It said it shared the information as part of the company’s ongoing efforts to monitor and report on the threat landscape.  

A list of the wallets targeted by the malware
A list of the wallets targeted by the malware. Source: Microsoft

 

The company suggested that users install antivirus software, cloud-based anti-phishing and anti-malware components on their devices to avoid falling prey to malware. Microsoft added that it is unclear how the malware was delivered to targets. It noted that such trojans could be installed via various initial access routes.

According to blockchain security firm CertiK, losses from crypto phishing scams and hacks amounted to over $1.53 billion in February. 

Blockchain analytics firm Chainalysis warned that as cryptocurrency gained widespread acceptance, there was also increased on-chain illicit activity. It added that the ecosystem was experiencing increased professionalization from the bad actors. 

The firm also said the hacking methods used had become more complex. It pointed out the emergence of large-scale on-chain services that provide infrastructure for various bad actors to help them launder their funds. 

Chainalysis said illicit addresses received $40.9 billion in proceeds from crypto crime, approximately 0.14% of the total on-chain transaction volume. The firm predicted that 2026 could see an increase in inflow activity to illicit actors as it identified more illegal addresses.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
U.S. Vice President JD Vance among Bitcoin 2025 Conference speakersThe Bitcoin 2025 Conference organizers, BTC Inc., unveiled the list of featured speakers at this year's event in Las Vegas, and U.S. VP JD Vance is at the top among them.
Author  Cryptopolitan
May 26, Mon
The Bitcoin 2025 Conference organizers, BTC Inc., unveiled the list of featured speakers at this year's event in Las Vegas, and U.S. VP JD Vance is at the top among them.
placeholder
Ethereum Price Faces Pressure: Can It Sustain Its Recent Rally?Ethereum price found support at $2,460 and started a fresh increase. ETH is now struggling and might drop again below the $2,500 support.
Author  NewsBTC
Yesterday 03: 35
Ethereum price found support at $2,460 and started a fresh increase. ETH is now struggling and might drop again below the $2,500 support.
placeholder
Japan loses top global creditor spot to GermanyJapan lost its 34-year reign as the world’s largest creditor nation to Germany at the end of 2024.
Author  Cryptopolitan
21 hours ago
Japan lost its 34-year reign as the world’s largest creditor nation to Germany at the end of 2024.
placeholder
Gold extends correction amidst trade optimism, stronger US DollarGold (XAU/USD) price extends correction, sliding below the $3,300 mark at the time of writing on Tuesday amid improving risk-on mood and a stronger US Dollar (USD). 
Author  FXStreet
18 hours ago
Gold (XAU/USD) price extends correction, sliding below the $3,300 mark at the time of writing on Tuesday amid improving risk-on mood and a stronger US Dollar (USD). 
placeholder
EUR/JPY appreciates above 163.00 with the Yen retreating across the boardThe Euro is trading higher for the second consecutive day, still fuelled by the delay of Trump’s deadline to avoid 50% tariffs in the US, while the Yen declines alongside super long-term Japanese yields.
Author  FXStreet
18 hours ago
The Euro is trading higher for the second consecutive day, still fuelled by the delay of Trump’s deadline to avoid 50% tariffs in the US, while the Yen declines alongside super long-term Japanese yields.
goTop
quote