Mar 18, 2025

Microsoft Warns of New Remote Access Trojan Targeting Crypto Wallets

Microsoft has issued an urgent alert over a new remote access trojan (RAT) designed to target cryptocurrency wallets and sensitive data stored in web browsers. Dubbed StilachiRAT, the malware focuses on compromising 20 popular crypto wallet extensions for Google Chrome, including MetaMask, Coinbase Wallet, Trust Wallet, and OKX Wallet.

Discovered by Microsoft’s Incident Response Team, StilachiRAT poses a serious threat to crypto users as it quietly siphons wallet credentials, passwords, and even clipboard data containing private keys or seed phrases.

In a detailed blog post, Microsoft revealed that it first detected StilachiRAT in November 2024. The malware operates by infiltrating victims’ systems and scanning for configurations linked to crypto wallet extensions. Once it finds them, it systematically extracts the data, granting hackers access to user funds.

“The malware can extract credentials saved in the Chrome local state file and monitor clipboard activity for sensitive information like passwords and crypto keys,” Microsoft explained.

Key Capabilities of StilachiRAT:

  • Steals wallet credentials and browser-stored passwords
  • Monitors clipboard for copied private keys or sensitive information
  • Evades detection by clearing event logs
  • Detects sandbox environments to avoid analysis

The RAT’s anti-forensic tools allow it to operate undetected, making it difficult for victims to realize their wallets have been compromised until it’s too late.
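Because the malware is reported to clear event logs, the clearing itself is a signal defenders can alert on. The following added example (not from Microsoft's report or from this article) triages Windows log-clear events, Security event ID 1102 and System event ID 104, over constructed sample records; the JSON field names, host names and the five-minute window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event ID) pairs that Windows records when an event log is cleared.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample records (not real telemetry), shaped like a JSON-lines
# export of forwarded Windows events. Field names are assumptions.
SAMPLE_EVENTS = """\
{"host": "WS-014", "channel": "Security", "event_id": 4624, "time": "2025-03-18T09:00:05", "cleared": null}
{"host": "WS-014", "channel": "System", "event_id": 104, "time": "2025-03-18T09:14:31", "cleared": "Application"}
{"host": "WS-014", "channel": "Security", "event_id": 1102, "time": "2025-03-18T09:14:33", "cleared": "Security"}
{"host": "WS-022", "channel": "System", "event_id": 104, "time": "2025-03-18T11:02:00", "cleared": "Setup"}
"""


def find_log_clears(lines):
    """Return log-clear records, oldest first; malformed lines are skipped."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            key = (ev["channel"], ev["event_id"])
        except (ValueError, KeyError, TypeError):
            continue
        if key in LOG_CLEAR_EVENTS:
            ev["time"] = datetime.fromisoformat(ev["time"])
            hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


def triage(hits, window=timedelta(minutes=5)):
    """Rate each host 'high' if the Security log was cleared or two different
    logs were cleared within `window`; any other clear is rated 'review'."""
    by_host = defaultdict(list)
    for ev in hits:
        by_host[ev["host"]].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        burst = any(b["time"] - a["time"] <= window and a["cleared"] != b["cleared"]
                    for a, b in zip(evs, evs[1:]))
        security = any(e["event_id"] == 1102 for e in evs)
        verdicts[host] = "high" if burst or security else "review"
    return verdicts


if __name__ == "__main__":
    for host, level in triage(find_log_clears(SAMPLE_EVENTS.splitlines())).items():
        print(f"{host}: {level}")
```

Run a check like this against events forwarded to a central collector, since the local copy of the log is what gets cleared.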

The Growing Threat to Crypto Wallet Security

This discovery highlights the escalating sophistication of cyberattacks aimed directly at digital asset holders. As crypto adoption rises, wallet extensions designed for ease of access have become prime targets for attackers.

While Microsoft says StilachiRAT is not yet widespread, its stealth and precision make it a looming threat. “Due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape,” Microsoft stated.

The attack also underscores the shifting tactics of cybercriminals, who now prioritize targeted attacks on crypto infrastructure over mass malware campaigns.

The Bigger Picture

StilachiRAT’s emergence comes amid alarming growth in crypto-related hacks and scams. According to CertiK, losses from crypto exploits reached $1.53 billion in February alone, driven largely by the $1.4 billion Bybit hack.

Meanwhile, Chainalysis reported that illicit crypto transaction volume soared to $51 billion, reflecting a professionalization of crypto crime. Tactics now include:

  • AI-powered scams
  • Stablecoin laundering
  • Highly efficient cyber syndicates targeting decentralized finance (DeFi) protocols and wallet infrastructures

With crypto assets increasingly embedded in mainstream finance, these attacks demonstrate just how high the stakes have become for digital asset security.

Microsoft’s advisory includes key recommendations to help users protect themselves:

  • Install robust antivirus and anti-malware software
  • Use cloud-based anti-phishing tools
  • Regularly update software and wallet extensions
  • Avoid copying and pasting sensitive information like private keys
  • Store wallets and keys in hardware wallets or cold storage whenever possible

“Publicly sharing information about StilachiRAT is meant to reduce potential victims,” Microsoft emphasized.

Ultimately, users must remain vigilant as attackers increasingly target browser-based wallets where convenience often comes at the expense of security.

Final Takeaway

The discovery of StilachiRAT is another stark reminder that crypto wallets, especially browser-based extensions, are prime targets for sophisticated cybercriminals.

As blockchain technology matures, the threat landscape is evolving just as fast. Without proper defenses, crypto users face growing risks of wallet compromises, stolen assets, and identity breaches.

For both individual investors and institutions, the message is clear: wallet security can no longer be an afterthought. Proactive measures, robust security layers, and constant vigilance are critical in this new era of targeted crypto crime.

CoinRock Media covers the latest crypto news, delving into the future of money.
