Microsoft’s Incident Response team has detailed a new remote access trojan, named StilachiRAT, which specifically targets cryptocurrency users by compromising Google Chrome browser extensions and saved credentials. The report, published on March 17, 2025, highlights the malware’s advanced capabilities to evade detection and exfiltrate digital asset information.
Wallet Extensions Under Attack
StilachiRAT actively scans the Chrome browser for 20 different cryptocurrency wallet extensions, including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Phantom, Keplr, as well as BNB Chain Wallet, Sui Wallet, and others. Once it detects any of these extensions, the malware collects asset-related data and sends it to a command-and-control server controlled by the attacker.
Bypassing Chrome’s Built-in Encryption
To steal saved login credentials from Chrome’s password manager, StilachiRAT extracts the encryption key stored in the local state file. Microsoft explains: “The malware leverages Windows APIs that rely on the current user context to decrypt the master key, giving it access to the password vault.” This allows attackers to retrieve usernames and passwords for financial accounts, increasing the risk of broader asset theft.
Clipboard Monitoring for Transaction Hijacking
The malware continuously monitors clipboard activity, searching for patterns matching cryptocurrency addresses. When a user copies a wallet address, StilachiRAT can replace it with an attacker-controlled address in real time, redirecting funds to the criminal. Microsoft notes: “Clipboard monitoring is continuous, targeting sensitive information such as passwords, cryptocurrency keys, and personally identifiable information.” This technique enables silent theft without user awareness.
Persistence and Mitigation Measures
StilachiRAT establishes a persistent C2 connection, allowing remote operators to execute commands, modify system processes, and survive initial detection attempts. To reduce risk, Microsoft recommends enabling Microsoft Defender real-time protection, using secure browsers, avoiding unverified downloads, and auditing browser extension permissions regularly. As malware targeting digital assets evolves, crypto holders are urged to stay vigilant and adopt multi-layered security practices to protect private keys and wallet access.

