Microsoft has detected a new remote access trojan (RAT) designed to compromise cryptocurrency wallet data held by 20 different browser extensions for Google Chrome.

In a blog post on March 17, 2025, Microsoft's Incident Response Team reported that the malware, named StilachiRAT, was first identified in November 2024. The RAT can steal sensitive information, including browser-stored credentials, digital wallet details, and clipboard data.

[Figure: Wallet extensions targeted by StilachiRAT. Source: Microsoft]

Once deployed, StilachiRAT scans for configuration files linked to 20 popular crypto wallet extensions, such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet, enabling attackers to extract critical data. 
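The practical question for a defender reading this is whether any of the targeted extensions are present on a given endpoint. The following script is an added example, not code from the article or from Microsoft's report: it walks a Chrome profile's `Extensions` directory (each installed extension is unpacked under `Extensions/<id>/<version>/manifest.json`) and reports any whose ID is on a watchlist. Only MetaMask's well-known Web Store ID is included; the other 19 IDs are not reproduced in the article, so the watchlist must be extended from Microsoft's published list. The sample profile it builds for a self-test is constructed data.

```python
"""Audit a Chrome profile for installed extensions on a wallet watchlist.

Added example; not StilachiRAT code and not Microsoft's tooling.
"""
import json
import os
import tempfile
from pathlib import Path

# Watchlist keyed by Chrome Web Store extension ID. MetaMask's ID is the
# public one; the remaining IDs from Microsoft's report are not reproduced in
# the article above, so extend this dict from that source before relying on it.
TARGETED_WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
}


def installed_extensions(profile_dir):
    """Yield (extension_id, manifest_name, version) for every extension
    unpacked under <profile>/Extensions/<id>/<version>/manifest.json.
    Note: Chrome manifests may carry a localized placeholder such as
    "__MSG_appName__" as the name, so matching is done on the ID, not the name."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for id_dir in sorted(ext_root.iterdir()):
        if not id_dir.is_dir():
            continue
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, don't abort the audit
            yield id_dir.name, str(data.get("name", "")), ver_dir.name


def find_targeted_extensions(profile_dir, watchlist=TARGETED_WALLET_EXTENSIONS):
    """Return a sorted list of (extension_id, watchlist_name, version)
    for installed extensions whose ID appears in the watchlist."""
    hits = []
    for ext_id, _name, version in installed_extensions(profile_dir):
        if ext_id in watchlist:
            hits.append((ext_id, watchlist[ext_id], version))
    return sorted(hits)


def default_profile_dir():
    """Default Chrome profile location on Windows (assumed layout; override
    for other profiles or operating systems)."""
    local = os.environ.get("LOCALAPPDATA", "")
    return Path(local) / "Google" / "Chrome" / "User Data" / "Default"


def build_sample_profile(root):
    """Constructed fixture: a fake profile containing one watchlisted extension
    (MetaMask's real ID) and one benign extension with a made-up ID."""
    root = Path(root)
    fixtures = {
        ("nkbihfbeogaeaoehlefnkodbefgpgknn", "12.0.0_0"): "MetaMask",
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_0"): "Example Benign Extension",
    }
    for (ext_id, version), name in fixtures.items():
        d = root / "Extensions" / ext_id / version
        d.mkdir(parents=True, exist_ok=True)
        manifest = {"name": name, "version": version.split("_")[0], "manifest_version": 3}
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def audit_sample_profile():
    """Build the constructed fixture in a temp dir and audit it; used for self-test."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return find_targeted_extensions(tmp)


if __name__ == "__main__":
    # Self-test on the constructed profile, then the real default profile if present.
    for ext_id, name, version in audit_sample_profile():
        print(f"[sample] targeted wallet extension present: {name} ({ext_id}) v{version}")
    for ext_id, name, version in find_targeted_extensions(default_profile_dir()):
        print(f"[live]   targeted wallet extension present: {name} ({ext_id}) v{version}")
```

Run it as a user on the endpoint (the profile directory is only readable by that user); a non-empty `[live]` result means StilachiRAT would find a wallet extension to target on that machine. Matching on the extension ID rather than the manifest name avoids both localized name placeholders and look-alike names chosen by malicious extensions.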

Microsoft’s analysis of the malware’s **WWStartupCtrl64.dll** module revealed various techniques used to exfiltrate data from infected systems. Besides recovering the DPAPI-protected encryption key from Chrome’s Local State file to decrypt saved browser credentials, the malware also monitors clipboard activity to intercept sensitive information like passwords and cryptocurrency keys.

The malware employs advanced evasion and anti-forensic tactics, such as clearing event logs and checking for analysis tools and sandbox environments, making it particularly stealthy and dangerous. While its spread remains limited for now, Microsoft warns that its sophisticated capabilities require increased vigilance.

To mitigate the risk, Microsoft advises users to follow strong security practices, avoid downloading software from untrusted sources, and keep their security software updated. Additionally, users should remain cautious of potentially malicious browser extensions.
