Microsoft has disclosed a new remote access trojan (RAT) called StilachiRAT that steals cryptocurrency wallet data. Users of Google Chrome who have extensions for the 20 most popular wallets installed are already known to be at risk. Here is a list of those wallets and their Chrome extension IDs:
StilachiRAT was first detected in November 2024. The malware collects complete system information, including operating system (OS), hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications. This allows the trojan to build a detailed profile of the system.
Next, it scans the configuration data of 20 different crypto-wallet extensions for the Google Chrome browser. It then extracts and decrypts the credentials saved in Google Chrome, which gives it access to the usernames and passwords stored in the browser.
StilachiRAT communicates with remote servers over TCP ports 53, 443 or 16000, which lets it execute remote commands and potentially relay traffic through SOCKS-style proxying.
In addition to stealing the data needed to log in to the victim’s wallet, the trojan can remotely reboot the system, clear logs, manipulate the registry, launch applications, and do many other nasty things. To avoid detection, it clears event logs and detects analysis tools and evades them.
Microsoft did not specify how the RAT is spread. However, the developers of the Phantom crypto wallet have reminded users of the basic rules:
Source: Microsoft