Microsoft has sounded the alarm on a newly discovered cyber threat known as StilachiRAT, a highly evasive remote access trojan (RAT) capable of stealing sensitive data and compromising systems. Security experts warn that this stealthy malware poses a serious risk to both individuals and organizations.
First detected by Microsoft’s incident response team in November 2024, StilachiRAT has not yet been linked to any specific cybercrime group or nation-state. However, its advanced capabilities and persistent nature make it a serious concern.
Although its exact delivery methods remain unclear, Microsoft suspects common attack vectors such as trojanized software downloads, malicious websites, and phishing emails. These routes allow hackers to stealthily install the RAT on unsuspecting victims’ devices.
Once inside a system, StilachiRAT starts profiling the infected machine by harvesting detailed system information. One of its main targets is cryptocurrency wallets, specifically Chrome extensions linked to digital assets. The malware scans for configuration data tied to 20 popular crypto wallet Chrome extensions, putting users’ digital currencies at immediate risk.
Beyond crypto theft, StilachiRAT extracts stored Chrome usernames and passwords. It also constantly monitors the clipboard to capture sensitive data like login credentials and private crypto keys, increasing its potential for financial damage.
StilachiRAT’s capabilities extend far beyond data theft. The malware monitors Remote Desktop Protocol (RDP) sessions, potentially allowing attackers to move laterally within a network. This access could lead to broader system compromises and widespread infiltration.
According to Microsoft, the malware can execute several harmful commands, such as:
- Rebooting the system
- Clearing event logs
- Modifying Windows registry entries
- Launching other applications
These functions give attackers full control over infected machines, leaving victims highly vulnerable.
One of the most dangerous aspects of StilachiRAT is its built-in persistence mechanisms. The malware leverages the Windows service control manager and watchdog threads to ensure it stays active even if attempts are made to remove it.
Microsoft’s analysis also revealed powerful anti-forensic features. StilachiRAT wipes event logs and continuously monitors the environment to avoid detection. It performs repeated checks for analysis tools and sandbox environments, delaying its full activation when being observed in virtual setups—making it harder for cybersecurity teams to detect or study.
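Two of the behaviours described above, log wiping and service-based persistence, each leave a Windows event that a defender can look for. The script below is an added example and is not Microsoft's code or anything taken from the malware itself: it parses a handful of constructed log lines (the pipe-separated format, hostnames, timestamps and service names are all made up) and raises an alert only when a new service installation and a log-clear event land on the same host within a short window. The event IDs are real Windows IDs (Security 1102 and System 104 for a cleared log, System 7045 for a newly installed service); nothing here claims to know StilachiRAT's actual service name or artifacts.

```python
"""Correlate service installation with event-log clearing on one host.

Example added to this article, not Microsoft's code. Log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows event IDs:
#   Security 1102 : the audit log was cleared
#   System   104  : a log file was cleared
#   System   7045 : a new service was installed (service control manager)
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SERVICE_INSTALLED = ("System", 7045)


@dataclass
class Event:
    ts: datetime
    channel: str
    event_id: int
    host: str
    detail: str


def parse_line(line):
    # Constructed format: "<iso timestamp>|<channel>|<event id>|<host>|<detail>"
    # maxsplit=4 keeps commas or pipes inside the detail text intact.
    ts, channel, eid, host, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), channel, int(eid), host, detail)


def find_log_clears(events):
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEARED]


def find_service_installs(events):
    return [e for e in events if (e.channel, e.event_id) == SERVICE_INSTALLED]


def correlate(events, window=timedelta(minutes=10)):
    """Flag hosts where a service install and a log clear fall within `window`.

    Either event alone is noisy (admins clear logs, installers register
    services); the pair in quick succession on one host is worth a ticket.
    """
    alerts = []
    clears = find_log_clears(events)
    for s in find_service_installs(events):
        for c in clears:
            if s.host == c.host and abs(c.ts - s.ts) <= window:
                alerts.append((s.host, s.ts, c.ts, s.detail))
    return alerts


# Constructed sample: WS-01 shows the suspicious pair, WS-02 has both events
# hours apart (benign), WS-03 only clears a log.
SAMPLE_LOG = """\
2025-03-01T09:00:00|System|7045|WS-01|Service Name: UpdateHelperSvc, Image Path: C:\\Users\\Public\\svc.exe
2025-03-01T09:03:12|Security|1102|WS-01|The audit log was cleared
2025-03-01T12:00:00|System|7045|WS-02|Service Name: VendorBackup, Image Path: C:\\Program Files\\Vendor\\backup.exe
2025-03-01T18:30:00|Security|1102|WS-02|The audit log was cleared
2025-03-02T08:00:00|System|104|WS-03|The System log file was cleared
"""


def analyse(text=SAMPLE_LOG):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return correlate(events)


if __name__ == "__main__":
    for host, t_install, t_clear, detail in analyse():
        print(f"{host}: service installed {t_install:%H:%M:%S}, "
              f"log cleared {t_clear:%H:%M:%S} ({detail})")
```

On the constructed input only WS-01 is flagged. In a real deployment the same correlation would be fed from Windows Event Forwarding or a SIEM query rather than a text file, and the ten-minute window is an assumed tuning value, not something the article states.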
To make detection and reverse engineering even more challenging, StilachiRAT employs multiple layers of obfuscation. It hides Windows API calls and uses a custom encoding algorithm to scramble text strings and values. This approach significantly increases the time and resources needed to dissect the malware and understand its true functionality.
“StilachiRAT uses API-level obfuscation to frustrate manual analysis by hiding its interactions with Windows APIs,” Microsoft explained.
Although the spread of StilachiRAT remains limited, its sophisticated design and specific focus on cryptocurrency wallets raise serious concerns. Microsoft urges users and organizations to remain alert, update their security defenses, and exercise caution when downloading software or clicking unknown links.
Cybercriminals continue to develop more evasive malware strains, making it critical for everyone to strengthen their cybersecurity posture.