Microsoft flags new remote access trojan targeting crypto wallet extensions on Chrome browser

Microsoft discovered a novel remote access trojan (RAT) that targets cryptocurrency wallet extensions on the Google Chrome browser. The company added that the RAT, StilachiRAT, uses advanced techniques to evade detection. 

Microsoft reported discovering a new remote access trojan (RAT) named StilachiRAT. The company’s Incident Response Team revealed that it first identified the malware in November last year. 

Microsoft warns of StilachiRAT targeting user information and crypto wallets 

Microsoft Incidence response team said that the remote access trojan demonstrated sophisticated techniques to evade detection. It added that the trojan can exfiltrate personal user data stored on the Chrome browser. The team added that the virus can access digital wallet information and data stored in the clipboard. 

🚨 New Malware Alert: Your Crypto Wallets Might Be at Risk! 🚨

Microsoft just uncovered a sneaky new malware called StilachiRAT—and it’s coming straight for your crypto. 👀

Here’s what it does:
🔹 Scans your device for 20+ crypto wallet extensions (including MetaMask, Coinbase… pic.twitter.com/BkUwgJPCL1

— Ricards (@Ricardswo) March 18, 2025

It explained that the bad actors could use the trojan to siphon crypto wallet data upon deployment. The team added that the bad actors scan the device settings to identify whether any of the twenty crypto wallet extensions are installed. It highlighted some target wallets, including MetaMask, OKX wallet, Coinbase wallet and Trust wallet. 

The team said that an analysis of StilachiRAT’s WWStartupCtrl64.dll module, which contained the RAT capabilities, revealed that it used various methods to steal information from the target system. 

It explained that the malware could extract credentials such as passwords and crypto keys saved on the Google Chrome local state file and monitor clipboard activity. 

Microsoft added that StilachiRAT was designed to gather system information, including Operating system (OS) details, hardware identifiers like BIOS serial numbers, active Remote Desktop Protocol (RDP) sessions, camera presence, and running graphical user interface (GUI) applications. It added that the details were collected through Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL).

Microsoft also revealed that the malware could use detection evasion and anti-forensics features such as the ability to clear event logs. The company added that the malware could also check for signs that it is running in a sandbox to block analysis attempts. 

It explained that the command and control (C2) server communications were two-way. Microsoft added that the communications enabled the malware to launch instructions sent to it. It warned that the features pointed to versatile espionage and system manipulation tools. The company highlighted that the malware supported ten different commands.

The team said they could not identify who was behind the malware at the time. It explained that it hoped that sharing the information publicly would lower the number of people who might fall victim to the bad actors. 

Microsoft suggests that individuals and institutions take measures to protect their data 

Microsoft added that based on its current visibility, the malware did not exhibit widespread distribution at this time. It said it shared the information as part of the company’s ongoing efforts to monitor and report on the threat landscape.  

The company suggested that users install antivirus software, cloud-based anti-phishing and anti-malware components on their devices to avoid falling prey to malware. Microsoft added that it is unclear how the malware was delivered to targets. It noted that such trojans could be installed via various initial access routes.

According to blockchain security firm CertiK, losses from crypto phishing scams and hacks amounted to over $1.53 billion in February. 

Blockchain analytics firm Chainalysis warned that as cryptocurrency gained widespread acceptance, there was also increased on-chain illicit activity. It added that the ecosystem was experiencing increased professionalization from the bad actors. 

The firm also said the hacking methods used had become more complex. It pointed out the emergence of large-scale on-chain services that provide infrastructure for various bad actors to help them launder their funds. 

Chainalysis said illicit addresses received $40.9 billion in proceeds from crypto crime, approximately 0.14% of the total on-chain transaction volume. The firm predicted that 2026 could see an increase in inflow activity to illicit actors as it identified more illegal addresses.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot