Wednesday, June 25, 2025

Newly Discovered StilachiRAT Malware Targets Cryptocurrency Wallets and System Data

A newly identified remote access trojan (RAT), StilachiRAT, has been discovered using stealthy techniques to evade detection while compromising user credentials and cryptocurrency wallets.

Security researchers found that StilachiRAT is designed to exfiltrate sensitive data, particularly from 20 cryptocurrency wallet extensions used in Google Chrome, including MetaMask, Coinbase Wallet, Trust Wallet, and TronLink. In addition to wallet data, the malware is capable of extracting and decrypting saved Chrome credentials, potentially giving attackers access to usernames and passwords stored in the browser.

Beyond credential theft, StilachiRAT is also engineered to gather system information, monitor clipboard activity, and track active applications and windows, allowing it to steal sensitive data such as passwords and cryptocurrency keys. To maintain stealth, the malware deletes system logs and checks system settings before executing commands, reducing the likelihood of detection.

Security researchers have not yet linked StilachiRAT to any known cybercriminal group or geographic region, and its distribution appears limited at this stage. However, its highly evasive nature and broad data-collection capabilities make it a serious cybersecurity threat.

The malware operates by executing commands received from a command-and-control (C2) server, which can instruct it to:

  • Reboot the system
  • Clear logs to erase traces of activity
  • Steal credentials and clipboard data
  • Launch applications and manipulate system windows
  • Suspend system operations and modify Windows registry settings

With the ability to facilitate espionage and system manipulation, StilachiRAT poses a significant risk to both individuals and organizations, particularly those involved in cryptocurrency transactions.

Stay tuned to DC Brief for further updates on this story and other technology developments.
