StilachiRAT is a recently identified remote access trojan (RAT) that specifically targets cryptocurrency users by exfiltrating personal data and obtaining digital wallet credentials. In a study released on March 17, 2025, Microsoft Incident Response researchers described the malware’s capabilities, emphasizing its focus on infecting Google Chrome users who keep login passwords and cryptocurrency wallet extensions.
Bitget Wallet (previously Bitkeep), Trust Wallet, Tronlink, Metamask (ethereum), Tokenpocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, Confluxportal, and Plug are among the 20 wallet extensions that the malware checks for in order to extract information about those digital assets.
StilachiRAT not only targets bitcoin wallets but also circumvents Google Chrome’s encryption features to steal stored login details. “StilachiRAT extracts Google Chrome’s encryption_key from the local state file in a user’s directory,” the paper explains. However, Chrome uses Windows APIs that depend on the context of the current user to decrypt the master key because the key is encrypted when Chrome is initially installed. This makes it possible to access the credentials that are kept in the password vault.
This raises the risk to victims’ digital assets by allowing attackers to recover usernames and passwords linked to financial accounts. A command-and-control (C2) connection is also established by StilachiRAT, which enables remote operators to carry out commands, alter system operations, and continue to be persistent even after first discovery.
The malware also continuously monitors clipboard data to extract cryptocurrency keys and sensitive financial information. Microsoft’s report notes:
Clipboard monitoring is continuous, with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.
StilachiRAT may intercept and alter duplicated wallet addresses by looking for particular patterns associated with cryptocurrency addresses. This allows them to reroute transactions to a destination that is controlled by the attacker. Microsoft suggests that users adopt security steps including turning on Microsoft Defender safeguards, utilizing secure browsers, and staying away from unverified downloads in order to reduce the risk. Experts in cybersecurity advise cryptocurrency owners to remain alert against new malware that aims to take advantage of digital assets as the threat landscape changes.
