- Malware StilachiRAT targets 20 crypto wallets via Chrome
- It steals saved logins and monitors clipboard content
- Remote access allows long-term control over infected devices
A newly uncovered remote access trojan (RAT) named StilachiRAT is posing a serious threat to cryptocurrency users by targeting their browser-based wallets and saved login credentials. Discovered by Microsoft Incident Response and detailed in a report published on March 17, 2025, this malware is engineered to exploit vulnerabilities in Google Chrome. Its primary purpose is to exfiltrate sensitive financial data, including private keys, usernames, and passwords, especially from users involved in crypto-related activities.
Malware StilachiRAT Targets Wallet Extensions in Chrome
StilachiRAT is specifically designed to scan for and extract data from a list of 20 cryptocurrency wallet extensions installed in Google Chrome. Among the targeted wallets are widely used services such as MetaMask, Trust Wallet, Coinbase Wallet, TokenPocket, BNB Chain Wallet, and OKX Wallet. It also extends its reach to less mainstream wallets including Braavos, Leap Cosmos Wallet, Manta Wallet, Keplr, Fractal Wallet, and Conflux Portal. This wide coverage indicates a deliberate effort to compromise a broad range of crypto users regardless of the blockchain networks or wallets they prefer. Once these extensions are detected, StilachiRAT can access their stored credentials and wallet data and transmit them to the attackers.
Credential Theft Through Chrome Encryption Key Exploitation
Beyond its focus on browser extensions, StilachiRAT also attacks Chrome's password management system. It achieves this by locating and extracting the browser's encryption_key, which is stored in encrypted form in the Local State file within the user's profile directory. Although this key is protected, the malware circumvents the security layer by invoking Windows APIs that operate under the context of the current user session. This allows StilachiRAT to decrypt the master key and gain access to the entire vault of saved usernames and passwords stored in the browser. The stolen credentials often include access to financial platforms, online banking services, and other sensitive portals, increasing the potential financial damage.
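Because the theft described above hinges on a non-browser process reading Chrome's Local State and Login Data files under the user's own session, one practical detection is to flag exactly that file access. The following is an added example, not code from the article or from Microsoft: it runs a simple rule over constructed file-access events in a Sysmon-like shape (the event fields, the allow-list and the process names are assumptions for illustration).

```python
from pathlib import PureWindowsPath

# Chrome artefacts a credential stealer needs: "Local State" holds the wrapped
# encryption key, "Login Data" holds the saved-password vault.
SENSITIVE_CHROME_FILES = {"local state", "login data", "login data for account"}

# Processes expected to open those files legitimately (hypothetical allow-list;
# a real deployment would tune this to its own environment).
ALLOWED_IMAGES = {"chrome.exe"}

# Constructed sample events (not real telemetry): image = process, target = file.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Roaming\update_helper.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Roaming\update_helper.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def chrome_sensitive_file(path):
    """Return the sensitive file name if `path` is one of Chrome's credential
    artefacts inside a 'User Data' directory, else None."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    if "chrome" not in parts or "user data" not in parts:
        return None
    return p.name if p.name.lower() in SENSITIVE_CHROME_FILES else None


def suspicious_chrome_reads(events):
    """Flag reads of Chrome credential files by any process not on the allow-list."""
    alerts = []
    for ev in events:
        name = chrome_sensitive_file(ev["target"])
        if name is None:
            continue
        image = PureWindowsPath(ev["image"]).name
        if image.lower() in ALLOWED_IMAGES:
            continue
        alerts.append({"image": image, "file": name, "target": ev["target"]})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_chrome_reads(SAMPLE_EVENTS):
        print(f"ALERT: {alert['image']} read Chrome {alert['file']} ({alert['target']})")
```

Path matching is deliberately loose (any `...\Chrome\...\User Data\...` tree) so it also covers non-default profile directories; expect to add installers and backup agents to the allow-list in practice.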
Command-and-Control Capabilities for Remote Control
A critical feature of StilachiRAT is its ability to maintain communication with a remote command-and-control (C2) server. Through this channel, attackers can remotely execute commands, manipulate system processes, and sustain control over the infected device. Even after an initial detection or system reboot, the malware is capable of re-establishing its connection and continuing its operations. This persistent access makes it highly difficult to remove the threat without comprehensive system cleansing and security measures.
Clipboard Surveillance for Crypto Address Manipulation
StilachiRAT also includes clipboard monitoring functionality, which enables it to scan for cryptocurrency keys and wallet addresses in real time. The malware runs a continuous check on the clipboard content, identifying patterns associated with crypto wallets. When a user copies a legitimate wallet address—for example, to transfer funds—the malware swiftly replaces it with an attacker-controlled address. The user, unaware of the substitution, may then unknowingly send funds to the wrong recipient. This method is subtle yet devastating and has been seen in previous malware campaigns targeting crypto holders.
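The substitution attack works because nothing re-checks the clipboard between copy and paste. As an added example (not code from the article), the snippet below models the "check the clipboard before sending" advice: it records what the user copied, recognises common address formats, and refuses a transaction when the pasted value is a different address of the same type. The address patterns and the sample addresses are constructed for illustration and are not exhaustive.

```python
import re

# Illustrative address shapes only (constructed; real validation would also
# verify checksums and cover more chains).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "bitcoin_base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
}

# Constructed sample addresses: the one the user intended and one an attacker swapped in.
INTENDED_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20


def classify_address(text):
    """Return the address type name if `text` looks like a wallet address, else None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def check_before_send(intended, clipboard):
    """Compare what the user copied with what is about to be pasted.
    Returns (ok, reason)."""
    copied = clipboard.strip()
    if copied == intended.strip():
        return True, "clipboard matches the intended address"
    kind = classify_address(copied)
    if kind is not None and kind == classify_address(intended):
        # Same address type but different value: the classic clipper signature.
        return False, f"{kind} address was replaced after copy: expected {intended[:10]}..., found {copied[:10]}..."
    return False, "clipboard content is not the intended address"


def simulate_clipboard_swap():
    """Model the attack: user copies INTENDED_ETH, malware overwrites the clipboard,
    the guard inspects the clipboard just before the transaction is submitted."""
    clipboard = INTENDED_ETH          # user copies the recipient address
    clipboard = SWAPPED_ETH           # clipper malware replaces it in the background
    return check_before_send(INTENDED_ETH, clipboard)


if __name__ == "__main__":
    ok, reason = simulate_clipboard_swap()
    print("SEND" if ok else "BLOCKED", "-", reason)
```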
Reducing the Risk of Malware Infections
To combat threats like StilachiRAT, Microsoft recommends enabling Microsoft Defender protections and avoiding the installation of unverified browser extensions. Users are also advised to adopt browsers with stronger security features and avoid downloading software from untrusted websites. Maintaining an updated operating system, securing password managers, and using multi-factor authentication can add further layers of protection. Regularly checking the clipboard before sending transactions can help mitigate address-replacement attacks.
Conclusion
StilachiRAT is a sophisticated malware tool that specifically targets cryptocurrency users through their browsers. By exploiting Chrome’s password vault, hijacking wallet extensions, and replacing clipboard data, it delivers a multi-layered attack capable of compromising digital assets without immediate detection. Its persistent command-and-control mechanism allows attackers to maintain long-term access to victims’ systems. As cryptocurrency adoption continues to grow, users must stay vigilant and take proactive steps to strengthen their digital security.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.