New Trojan Malware Targets Crypto Wallets, Microsoft Warns

A fresh cybersecurity threat has emerged, putting crypto users on alert. Microsoft security researchers have uncovered a sophisticated piece of malware, dubbed StilachiRAT, designed to infiltrate and compromise popular crypto wallet extensions like MetaMask, Phantom, and Coinbase Wallet. First detected in November 2024, this remote access trojan has undergone thorough analysis, revealing its ability to silently extract sensitive data from unsuspecting victims.

The StilachiRAT malware zeroes in on crypto wallet extensions within the Google Chrome browser, a widely used platform for managing digital assets. Once active, it scans for installed extensions, targeting well-known names such as Bitget Wallet, Trust Wallet, TronLink, TokenPocket, and OKX Wallet, among others. By decrypting saved credentials, the trojan gains access to usernames and passwords, effectively unlocking a gateway to users’ funds.

Beyond that, it employs a continuous monitoring system, scrutinizing clipboard content for cryptocurrency keys and passwords. Microsoft’s team highlighted the malware’s use of regular expressions to pinpoint data tied to the Tron network, a blockchain particularly favored in China, suggesting a tailored approach to its attacks.
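The two paragraphs above describe the trojan inventorying installed Chrome extensions before going after their saved credentials. The defender-side counterpart is an exposure check: which endpoints actually have the named wallet extensions installed, and are therefore worth prioritising for the monitoring and patching advice given later in the article. The script below is an added example (not Microsoft's code and not part of the article) that walks a Chrome profile directory using Chrome's on-disk layout, `Extensions/<id>/<version>/manifest.json`, resolves localized `__MSG_…__` names from `_locales/<default_locale>/messages.json`, and matches names against the wallets the article lists. The extension IDs and manifests it builds under a temporary directory are constructed placeholders, not real extension IDs.

```python
"""
Inventory Chrome extensions in a profile and flag the crypto-wallet extensions
named in the article.  Added example, not Microsoft's code.  Assumes Chrome's
on-disk layout Extensions/<id>/<version>/manifest.json; a localized
"__MSG_key__" name is resolved from _locales/<default_locale>/messages.json.
"""
import json
import os
import tempfile

# Wallet extensions named in the article, lower-cased for matching.
WALLET_EXTENSION_NAMES = {
    "metamask", "phantom", "coinbase wallet", "bitget wallet", "trust wallet",
    "tronlink", "tokenpocket", "okx wallet", "sui wallet",
    "braavos - starknet wallet", "leap cosmos wallet",
}


def _resolve_name(ext_dir, manifest):
    """Return the human-readable name, resolving Chrome's __MSG_key__ indirection."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        path = os.path.join(ext_dir, "_locales", locale, "messages.json")
        try:
            with open(path, encoding="utf-8") as f:
                name = json.load(f).get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass  # unreadable locale file: keep the raw manifest name
    return name


def inventory_extensions(profile_dir):
    """Return (extension_id, version, name) for every extension with a readable manifest."""
    found = []
    root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(root):
        return found
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version)
            manifest_path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            try:
                with open(manifest_path, encoding="utf-8") as f:
                    manifest = json.load(f)
            except (OSError, ValueError):
                continue  # corrupt or half-written manifest: skip it
            found.append((ext_id, version, _resolve_name(ext_dir, manifest)))
    return found


def wallet_extensions(profile_dir):
    """Subset of the inventory whose name matches a wallet from the article."""
    return [e for e in inventory_extensions(profile_dir)
            if e[2].strip().lower() in WALLET_EXTENSION_NAMES]


def build_sample_profile():
    """Construct a throwaway profile with two fake extensions (constructed data)."""
    base = tempfile.mkdtemp()

    def write(path, obj):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            json.dump(obj, f)

    # Placeholder IDs (real Chrome IDs are 32 letters a-p); not real extension IDs.
    wallet = os.path.join(base, "Extensions", "a" * 32, "12.0.1_0")
    write(os.path.join(wallet, "manifest.json"),
          {"name": "__MSG_appName__", "default_locale": "en", "version": "12.0.1"})
    write(os.path.join(wallet, "_locales", "en", "messages.json"),
          {"appName": {"message": "MetaMask"}})
    other = os.path.join(base, "Extensions", "b" * 32, "1.0_0")
    write(os.path.join(other, "manifest.json"), {"name": "Some Ad Blocker", "version": "1.0"})
    return base


if __name__ == "__main__":
    profile = build_sample_profile()
    for ext in wallet_extensions(profile):
        print("wallet extension present:", ext)
```

On a real Windows endpoint the default profile lives under `%LOCALAPPDATA%\Google\Chrome\User Data\Default`; run `wallet_extensions` against that path (or each profile directory beside it) from an inventory job and feed the result to whatever asset tagging your EDR or CMDB supports.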

How StilachiRAT Evades Detection and Spreads

The trojan’s stealth features make it particularly concerning. It exhibits anti-forensic tactics, such as wiping event logs to cover its tracks, while dodging conventional detection methods. This type of infostealing malware often relies on social engineering to infiltrate systems. Victims might encounter deceptive lures ranging from fake downloads and job offers to misleading captchas that interrupt casual browsing. These methods can slip past basic security measures and even challenge enterprise-grade defenses, a testament to the lucrative nature of the cybercrime economy driving such innovations.
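Log wiping is the one anti-forensic tactic the article names, and it is also one of the more reliably detectable ones, because Windows writes an event when a log is cleared. The script below is an added example (not Microsoft's code and not part of the article) showing the detection logic a SOC would run over exported events: it flags the documented clear events (Security 1102 and System 104) and, as an independent second signal that goes beyond what the article describes, a record counter that restarts within the same channel. It assumes events were exported as JSON Lines with `Channel`, `EventID` and `EventRecordID` fields; the sample records are constructed.

```python
"""
Flag Windows event-log clearing, the anti-forensic tactic the article attributes
to StilachiRAT.  Added example, not Microsoft's code.  Assumes events exported
as JSON Lines with Channel, EventID, EventRecordID fields; records are constructed.
"""
import json

# Documented Windows event IDs written when a log is cleared:
#   Security 1102  "The audit log was cleared"
#   System    104  "The System log file was cleared"
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Constructed sample: a logon, the Security log is cleared, record numbering
# restarts at 1, then the System log is cleared; the last line is benign.
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-11-12T09:14:02Z", "Channel": "Security", "EventID": 4624, "EventRecordID": 88120, "SubjectUserName": "alice"}
{"TimeCreated": "2024-11-12T09:20:17Z", "Channel": "Security", "EventID": 1102, "EventRecordID": 88121, "SubjectUserName": "alice"}
{"TimeCreated": "2024-11-12T09:20:18Z", "Channel": "Security", "EventID": 4624, "EventRecordID": 1, "SubjectUserName": "alice"}
{"TimeCreated": "2024-11-12T09:21:40Z", "Channel": "System", "EventID": 104, "EventRecordID": 5021, "SubjectUserName": "alice"}
{"TimeCreated": "2024-11-12T09:22:00Z", "Channel": "Application", "EventID": 1000, "EventRecordID": 3300, "SubjectUserName": "alice"}
"""


def parse_events(jsonl_text):
    """Parse JSON Lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue  # malformed export line: skip rather than abort the sweep
    return events


def find_log_clearing(events):
    """Return findings for explicit clear events and for per-channel record-ID resets.

    The record counter of a channel normally only increases; it restarting at a
    low number is a second indicator that does not depend on the 1102/104 event
    having reached the collector.
    """
    findings = []
    last_record_id = {}
    for e in events:
        channel = e.get("Channel", "unknown")
        event_id = int(e.get("EventID", -1))
        record_id = int(e.get("EventRecordID", 0))
        user = e.get("SubjectUserName", "unknown")
        when = e.get("TimeCreated", "?")
        if event_id in LOG_CLEARED_EVENT_IDS:
            findings.append({"type": "log_cleared", "channel": channel,
                             "event_id": event_id, "time": when, "user": user})
        prev = last_record_id.get(channel)
        if prev is not None and record_id < prev:
            findings.append({"type": "record_id_reset", "channel": channel,
                             "previous_record_id": prev, "record_id": record_id,
                             "time": when, "user": user})
        last_record_id[channel] = record_id
    return findings


if __name__ == "__main__":
    for finding in find_log_clearing(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Both signals should be correlated with what else the host was doing at that time (new browser-extension reads, unusual clipboard-reading processes), since a log clear by an administrator during maintenance will trigger the same rule; the value is in the alert arriving at all, because the cleared log itself no longer tells the story.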

Microsoft’s Incident Response team has emphasized that StilachiRAT does not yet appear to be widely distributed, based on their current observations. However, its elusive nature and the fast-evolving malware landscape prompted the company to share these findings. The goal is to keep users and organizations informed as part of a broader effort to track and counter emerging threats. With a target list that also includes other wallets like Sui Wallet, Braavos - Starknet Wallet, and Leap Cosmos Wallet, the trojan’s reach spans a diverse array of platforms, amplifying its potential impact.

For crypto enthusiasts and everyday users, this is a reminder of the importance of vigilance. As cybercriminals refine their tactics to exploit the crypto market, staying ahead requires more than just strong passwords or two-factor authentication. Regularly updating software, avoiding suspicious links, and monitoring account activity could mean the difference between safeguarding assets and falling victim to malware.