A newly documented remote access trojan (RAT), StilachiRAT, targets cryptocurrency users by stealing wallet data and saved login credentials from Google Chrome. It does not exploit a vulnerability in Chrome; it reads Chrome's on-disk profile data while running as the logged-in user. Microsoft Incident Response researchers, who first encountered the malware in November 2024, detailed its capabilities in a March 17, 2025 report and warned crypto holders of elevated risk.
How StilachiRAT Steals Crypto Funds
The malware targets the Google Chrome profile on the infected machine, specifically the storage of cryptocurrency wallet extensions and the browser's saved login credentials.
Key features of the attack include:
- Wallet Credential Theft: StilachiRAT scans for 20 wallet extensions, including MetaMask, Trust Wallet, Coinbase Wallet, BNB Chain Wallet and TronLink, and extracts the data those extensions keep in Chrome's extension storage.
- Recovering Chrome's Credential Key: Chrome encrypts saved passwords with a per-profile AES key that it stores in the profile's Local State file, wrapped with Windows DPAPI under the user's account. Because the RAT runs as that same user, it can unwrap the key through the same Windows API Chrome uses, then decrypt the stored login credentials. No flaw is bypassed here; the browser's password store was never designed to resist code running in the user's own session.
- Remote Access Capabilities: Attackers can execute commands and manipulate the system remotely, and the malware installs itself so that it survives reboots.
- Clipboard Hijacking: The malware continuously monitors copied wallet addresses, replacing them with attacker-controlled addresses to divert transactions.
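The files listed above (Local State, Login Data and the per-extension storage directories) are only ever opened by the browser itself during normal use, which makes access by any other process a usable detection signal. The following Python is an added example, not code from Microsoft's report or from the article, that applies that rule to constructed file-access telemetry. The event schema (a process image and a target path per event) is an assumption, and MetaMask's extension ID is the only one hardcoded; the remaining IDs from the report would be added to the same map.

```python
"""Added example: flag file access to Chrome's credential store and wallet-
extension storage by any process other than the browser itself.

The events below are constructed for this example and use a generic
(process, path) schema; map them from whatever your EDR or Windows file-audit
(event 4663) telemetry provides. Nothing here is from Microsoft's report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Processes that legitimately open these files. Everything else is suspect.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Paths under ...\AppData\Local\Google\Chrome\User Data\ that the RAT reads.
SENSITIVE_PATTERNS = [
    # Local State holds os_crypt.encrypted_key, the DPAPI-wrapped AES key.
    ("chrome_local_state", re.compile(r"\\User Data\\Local State$", re.I)),
    # Login Data is the SQLite DB of saved credentials, AES-GCM under that key.
    ("chrome_login_data",
     re.compile(r"\\User Data\\[^\\]+\\Login Data(?: For Account)?$", re.I)),
    # Per-extension LevelDB storage; wallet extensions keep their vault here.
    ("extension_storage",
     re.compile(r"\\Local Extension Settings\\([a-p]{32})\\", re.I)),
]

# Extension ID -> wallet name. MetaMask's ID is public and stable; the other
# IDs listed in Microsoft's report go here too.
WALLET_EXTENSIONS = {"nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask"}


@dataclass(frozen=True)
class Alert:
    process: str
    category: str
    path: str
    wallet: Optional[str] = None


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert when a non-browser process touches a sensitive path."""
    proc = event["process"].rsplit("\\", 1)[-1].lower()
    if proc in BROWSER_PROCESSES:
        return None
    for category, pattern in SENSITIVE_PATTERNS:
        match = pattern.search(event["path"])
        if not match:
            continue
        wallet = None
        if category == "extension_storage":
            wallet = WALLET_EXTENSIONS.get(match.group(1).lower(), "unknown extension")
        return Alert(proc, category, event["path"], wallet)
    return None


def scan(events) -> list:
    """Run classify over a sequence of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert is not None]


# Constructed telemetry: one benign browser read, one benign unrelated read,
# and three reads by an unknown binary living in the user's roaming profile.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SUSPECT = r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": PROFILE + r"\Local State"},
    {"process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\invoice.pdf"},
    {"process": SUSPECT, "path": PROFILE + r"\Local State"},
    {"process": SUSPECT, "path": PROFILE + r"\Default\Login Data"},
    {"process": SUSPECT,
     "path": PROFILE + r"\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000005.ldb"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.process}: {alert.category} {alert.wallet or ''} {alert.path}")
```

One caveat on the data source: Sysmon does not record file reads by default, so this rule needs either EDR file-access telemetry or Windows object-access auditing (event 4663) with a SACL set on the Chrome profile directory. Expect some noise from backup agents and legitimate password managers, which belong on the allowlist for your environment.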
Microsoft’s Security Warning: How to Protect Your Crypto
Microsoft notes that StilachiRAT's evasion and anti-forensic behaviour (it can clear event logs and checks for analysis tools) makes it hard to spot, and that its clipboard monitoring puts transactions at risk, which together make it a serious threat to cryptocurrency holders. The same report states that the malware has not yet been seen in wide distribution.
To protect digital assets, security experts recommend:
- Keep Microsoft Defender Antivirus or another anti-malware product enabled, with real-time and cloud-delivered protection turned on
- Use a browser with URL and download reputation checks enabled (Microsoft's report recommends Microsoft Edge with SmartScreen); browser "encryption" alone does not protect saved credentials from malware running as the user
- Install software only from verified sources and avoid pirated or cracked applications
- Compare the full destination wallet address against the one you intend to pay before sending, not just its first and last characters, since a clipboard hijacker substitutes a complete, valid attacker address
As crypto-related cyberattacks continue to rise, staying informed and implementing robust security measures is crucial for safeguarding your digital assets.