Emerging Malware StilachiRAT Targets Digital Assets

Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Unknown
Malware Used: StilachiRAT
Threat Score: High (8.5/10) – Due to its comprehensive data theft capabilities, advanced evasion techniques, and specific targeting of cryptocurrency assets.
Last Threat Observation: March 20, 2025
Overview
StilachiRAT is a newly discovered Remote Access Trojan (RAT) that primarily targets cryptocurrency assets by exfiltrating sensitive data, including browser credentials and clipboard information. First identified by Microsoft Incident Response researchers in November 2024, the malware employs sophisticated techniques to ensure persistence and evade detection.
Although its distribution remains limited, Microsoft’s early disclosure on March 17, 2025, highlights the potential threat posed by StilachiRAT due to its advanced functionalities and cryptocurrency-focused attack vectors.
At this time, no specific threat actor has been attributed to this malware, though its level of sophistication suggests a well-resourced adversary.
Key Details
- Delivery Method: Unknown (Possible attack vectors include phishing, trojanized software, and malicious websites).
- Target: Cryptocurrency users and developers using Google Chrome-based wallet extensions.
- Functions:
  - System Reconnaissance – Collects OS details, hardware identifiers, RDP session data, and running applications.
  - Credential Theft – Extracts and decrypts stored credentials from Google Chrome.
  - Cryptocurrency Wallet Targeting – Scans for 20 cryptocurrency wallet extensions in Google Chrome, including MetaMask, Coinbase Wallet, Trust Wallet, and TronLink.
  - Command Execution – Receives and executes commands such as log clearing, registry manipulation, and system rebooting.
  - Persistence Mechanisms – Uses Windows Service Control Manager (SCM) and watchdog threads to remain active even after system restarts.
- Obfuscation Techniques:
  - Detects and terminates execution if analysis tools or sandboxes are detected.
  - Clears system event logs to remove traces of its activity.
  - Uses delayed execution (two-hour delay before contacting C2) to bypass sandbox analysis.
  - Encodes API calls and registry keys to evade detection.
Attack Vectors
StilachiRAT collects extensive system information using WMI Query Language (WQL) and registry manipulations. It communicates with Command and Control (C2) servers via TCP ports 53, 443, or 16000, blending malicious activity with legitimate network traffic.
Known Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
| 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb | SHA-256 | WWStartupCtrl64.dll |
| 194.195.89[.]47 | IP Address | C2 Server |
| app.95560[.]cc | Domain | C2 Server |
Mitigation and Prevention
- User Awareness: Educate users on phishing risks and the dangers of downloading software from untrusted sources.
- Email Filtering: Deploy advanced email filtering solutions to block phishing attempts.
- Antivirus Protection: Ensure endpoint protection tools are up to date. Microsoft Defender detects StilachiRAT as TrojanSpy:Win64/Stilachi.A.
- Two-Factor Authentication (2FA): Enforce 2FA on all sensitive accounts, especially cryptocurrency-related services.
- Monitor Logs: Track Event ID 7045 (new service installation) and Event ID 7040 (service start type change) to detect persistence attempts.
- Restrict RDP Access: Disable unnecessary RDP access or use network-level authentication (NLA).
- Network Traffic Monitoring: Block outbound traffic to 194.195.89[.]47 and app.95560[.]cc.
- Endpoint Detection and Response (EDR): Use EDR solutions to detect suspicious behavior such as process injection and registry modifications.
- Secure Cryptocurrency Wallets: Advise users to store assets in hardware wallets instead of browser extensions.
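The checks below turn two of the points above into code: the Event ID 7045/7040 persistence monitoring from the mitigation list and the C2 traffic profile (the listed IP and domain on TCP 53, 443 or 16000) from the Attack Vectors section. This is an added example for this advisory, not Microsoft's or any vendor's detection logic; the event and connection records use a constructed dictionary schema (id/service/image and dst/port) standing in for whatever your SIEM or log exporter produces.

```python
"""Detection checks for the StilachiRAT indicators in this advisory:
System-log Event IDs 7045/7040 (service persistence) and outbound
traffic to the listed C2 IoCs on TCP 53, 443 or 16000."""

# IoCs from the advisory; refang() strips the defanging brackets.
C2_IPS = {"194.195.89.47"}
C2_DOMAINS = {"app.95560.cc"}
C2_PORTS = {53, 443, 16000}
KNOWN_DLL = "wwstartupctrl64.dll"
PERSISTENCE_EVENT_IDS = {7045, 7040}

def refang(value):
    """Turn a defanged indicator such as 194.195.89[.]47 into a usable one."""
    return value.replace("[.]", ".")

def check_service_event(event):
    """Flag a System-log record (constructed dict schema: id, service, image)."""
    findings = []
    if event["id"] not in PERSISTENCE_EVENT_IDS:
        return findings
    findings.append(f"event {event['id']}: service '{event['service']}' changed")
    image = event.get("image", "").lower()
    if KNOWN_DLL in image:
        findings.append("service image names the known StilachiRAT DLL")
    # Legitimate services almost always load from system32; anything
    # else (user profile, temp, Public) warrants a closer look.
    if image and not image.startswith(r"c:\windows\system32"):
        findings.append(f"service image outside system32: {event['image']}")
    return findings

def check_connection(conn):
    """Flag an outbound flow (constructed dict schema: dst, port)."""
    dst = refang(conn["dst"])
    if dst not in C2_IPS and dst not in C2_DOMAINS:
        return []
    hits = [f"destination {dst} matches a StilachiRAT C2 IoC"]
    if conn["port"] in C2_PORTS:
        hits.append(f"port {conn['port']} is a documented StilachiRAT C2 port")
    return hits

def scan(events, conns):
    """Run both checks and return all findings as one flat list."""
    out = []
    for e in events:
        out.extend(check_service_event(e))
    for c in conns:
        out.extend(check_connection(c))
    return out
```

A match on the IoC IP or domain is a finding on its own; the port check only adds confidence, since the advisory notes the malware blends into ports that carry legitimate DNS and HTTPS traffic.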
Risk Assessment
High Risk – StilachiRAT’s targeted focus on cryptocurrency assets, combined with its stealth persistence mechanisms, makes it a significant and evolving threat. The malware’s limited distribution suggests it is in an early stage of deployment, but its advanced functionalities indicate a high potential for wider spread in the future.
Organizations and individuals involved in cryptocurrency transactions should take immediate action to implement security measures and monitor for indicators of compromise.
Conclusion
StilachiRAT represents an ongoing and evolving cybersecurity threat, particularly to individuals and organizations handling cryptocurrency transactions. Its advanced evasion techniques, credential theft capabilities, and persistence mechanisms require heightened vigilance and proactive security measures.
Organizations should implement a multi-layered security approach, ensuring:
- Network monitoring for C2 communications
- System hardening against unauthorized access
- User training on the risks of cryptocurrency-related malware
Security teams must stay updated on emerging threats, collaborate with the cybersecurity community, and continuously adapt defenses to counter evolving malware like StilachiRAT.
Sources:
- Microsoft Security Blog – StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
- SecurityWeek – Microsoft Warns of New StilachiRAT Malware
- FieldEffect – New ‘StilachiRAT’ found scurrying in crypto wallets