
tl;dr
Microsoft security researchers have unearthed a new malware threat, dubbed StilachiRAT, aimed at popular crypto wallet extensions like MetaMask and Phantom. This remote access trojan can identify cryptocurrency wallet extensions in the Google Chrome browser, decrypt saved credentials, and monitor clipboard data for sensitive information. StilachiRAT specifically targets wallets such as MetaMask, Coinbase, Phantom, Keplr, and more. It employs anti-forensic behaviors to avoid detection and currently has limited distribution. Microsoft continues to monitor and analyze this evolving threat landscape.
StilachiRAT, first observed by Microsoft in November 2024, poses a significant risk to crypto wallet users. It scans the Google Chrome browser for cryptocurrency wallet extensions, then extracts and decrypts the credentials Chrome has saved so that usernames and passwords can be sent to the attacker. It also monitors clipboard content continuously, looking for sensitive items such as cryptocurrency keys, seed phrases and passwords, which users frequently copy and paste. The wallets it looks for include Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, and several others.

Delivery relies on social engineering that dupes users into downloading and executing the malicious code, using lures such as fake job offers or false CAPTCHA prompts to get past security measures. Once running, StilachiRAT exhibits anti-forensic behaviour such as clearing event logs to evade detection; on Windows, a cleared Security log is itself recorded as Event ID 1102, which is a useful hunting signal. Despite these stealth capabilities, the malware is not widely distributed at this time. Microsoft has shared its findings as part of its ongoing effort to monitor and report on the evolving threat landscape.
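The two behaviours above, checking a Chrome profile for wallet extensions and watching the clipboard for key material, can be turned around into a defensive triage check. The script below is an added example written for this page; it is not Microsoft's analysis code and not part of StilachiRAT. It assumes the extension IDs shown (taken from each wallet's Chrome Web Store listing; verify them against the store before relying on them), reads the `extensions.settings` object that Chrome keeps in a profile's `Preferences` / `Secure Preferences` JSON, and uses heuristic patterns (hex private key, Ethereum and Bitcoin address shapes, a 12/15/18/21/24 lowercase-word phrase as a possible BIP-39 seed) to rate what a clipboard-stealing RAT would consider worth harvesting. The sample profile JSON and clipboard strings are constructed.

```python
from __future__ import annotations

import json
import re

# Extension IDs as shown in each wallet's Chrome Web Store URL.
# Assumed current; verify against the store before deploying.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "mcohilncbfahbmgdjkbpemcciiolgcge": "OKX Wallet",
}

# Heuristic shapes of the secrets a clipboard stealer looks for.
HEX_PRIVKEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
ETH_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
# Loose Bitcoin shapes: bech32 (bc1...) or base58 legacy/P2SH (1.../3...).
BTC_ADDRESS = re.compile(
    r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"
)
BIP39_WORD = re.compile(r"[a-z]{3,8}")
BIP39_LENGTHS = {12, 15, 18, 21, 24}


def find_wallet_extensions(prefs_json: str) -> list[str]:
    """Return the names of known wallet extensions installed in a Chrome
    profile, given the profile's Preferences / Secure Preferences JSON.
    Chrome keys extensions.settings by extension ID."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    return sorted(WALLET_EXTENSION_IDS[i] for i in settings if i in WALLET_EXTENSION_IDS)


def classify_clipboard(text: str) -> str | None:
    """Label a clipboard string with the kind of crypto secret it looks like,
    or None if it matches none of the heuristics. Order matters: a 64-hex
    key with a 0x prefix must not be mistaken for a 40-hex address."""
    s = text.strip()
    if HEX_PRIVKEY.match(s):
        return "hex private key"
    if ETH_ADDRESS.match(s):
        return "ethereum address"
    if BTC_ADDRESS.match(s):
        return "bitcoin address"
    words = s.lower().split()
    if len(words) in BIP39_LENGTHS and all(BIP39_WORD.fullmatch(w) for w in words):
        return "possible BIP-39 seed phrase"
    return None


# Constructed sample profile: MetaMask, Phantom and one unrelated extension
# (the third ID is made up for the example).
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "nkbihfbeogaeaoehlefnkodbefgpgknn": {"state": 1},
            "abcdefghijklmnopabcdefghijklmnop": {"state": 1},
            "bfnaelmomeimhlpmgjnjophhpkkoljpa": {"state": 1},
        }
    }
})

# Constructed clipboard samples: the BIP-39 test vector mnemonic, a known
# public address, a dummy key, the Bitcoin genesis address, and ordinary text.
SAMPLE_CLIPBOARD = [
    "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
    "0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae",
    "ab" * 32,
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "Meeting moved to 3pm",
]

if __name__ == "__main__":
    wallets = find_wallet_extensions(SAMPLE_PREFS)
    print("wallet extensions present:", ", ".join(wallets) or "none")
    for item in SAMPLE_CLIPBOARD:
        print(f"{classify_clipboard(item) or 'not sensitive':<28} {item[:40]}")
```

Run against a real profile by reading `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` into `find_wallet_extensions`; hosts that return a non-empty list are the ones where this malware's credential and clipboard theft would actually pay off, so they deserve the tighter monitoring (Chrome `Login Data` access by non-browser processes, Event ID 1102) mentioned above. The address and seed-phrase patterns are shape checks only and will produce false positives on hex strings and word lists that are not secrets.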