StilachiRAT Malware Targets Chrome Users to Drain Crypto Wallets

StilachiRAT Malware Targets Chrome Users to Drain Crypto Wallets

N
News Editor 01
2026-07-09 20:26:13
Microsoft discovered StilachiRAT, a remote access trojan that scans Chrome for 20 crypto wallet extensions, bypasses its encryption, and monitors clipboard to steal credentials and redirect transactions.
malwarecryptocurrencyChromeStilachiRATsecurity

Microsoft’s Incident Response team has detailed a new remote access trojan, named StilachiRAT, which specifically targets cryptocurrency users by compromising Google Chrome browser extensions and saved credentials. The report, published on March 17, 2025, highlights the malware’s advanced capabilities to evade detection and exfiltrate digital asset information.

Wallet Extensions Under Attack

StilachiRAT actively scans the Chrome browser for 20 different cryptocurrency wallet extensions, including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Phantom, Keplr, as well as BNB Chain Wallet, Sui Wallet, and others. Once it detects any of these extensions, the malware collects asset-related data and sends it to a command-and-control server controlled by the attacker.

Bypassing Chrome’s Built-in Encryption

To steal saved login credentials from Chrome’s password manager, StilachiRAT extracts the encryption key stored in the local state file. Microsoft explains: “The malware leverages Windows APIs that rely on the current user context to decrypt the master key, giving it access to the password vault.” This allows attackers to retrieve usernames and passwords for financial accounts, increasing the risk of broader asset theft.

Clipboard Monitoring for Transaction Hijacking

The malware continuously monitors clipboard activity, searching for patterns matching cryptocurrency addresses. When a user copies a wallet address, StilachiRAT can replace it with an attacker-controlled address in real time, redirecting funds to the criminal. Microsoft notes: “Clipboard monitoring is continuous, targeting sensitive information such as passwords, cryptocurrency keys, and personally identifiable information.” This technique enables silent theft without user awareness.

Persistence and Mitigation Measures

StilachiRAT establishes a persistent C2 connection, allowing remote operators to execute commands, modify system processes, and survive initial detection attempts. To reduce risk, Microsoft recommends enabling Microsoft Defender real-time protection, using secure browsers, avoiding unverified downloads, and auditing browser extension permissions regularly. As malware targeting digital assets evolves, crypto holders are urged to stay vigilant and adopt multi-layered security practices to protect private keys and wallet access.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
400

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.