New malware is attacking cryptocurrency users, stealing wallet credentials and financial data by bypassing Chrome’s encryption and monitoring clipboard activity to intercept and redirect transactions.
A newly discovered remote access trojan (RAT) known as StilachiRAT is specifically targeting cryptocurrency users by stealing digital wallet credentials and exfiltrating sensitive data. Microsoft Incident Response researchers detailed the malware’s capabilities in a report published on March 17, 2025, highlighting its focus on compromising Google Chrome users who store cryptocurrency wallet extensions and saved login credentials.
According to Microsoft:
StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser.
The malware scans for 20 different wallet extensions, including Bitget Wallet (formerly Bitkeep), Trust Wallet, Tronlink, Metamask (ethereum), Tokenpocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, Confluxportal, and Plug, allowing attackers to extract digital asset information.
Beyond targeting cryptocurrency wallets, StilachiRAT also steals stored login credentials from Google Chrome by bypassing its encryption mechanisms. The report explains: “StilachiRAT extracts Google Chrome’s encryption_key from the local state file in a user’s directory. However, since the key is encrypted when Chrome is first installed, it uses Windows APIs that rely on current user’s context to decrypt the master key. This allows access to the stored credentials in the password vault.”
This enables attackers to retrieve usernames and passwords associated with financial accounts, further increasing the risk to victims’ digital assets. Additionally, StilachiRAT establishes a command-and-control (C2) connection, allowing remote operators to execute commands, manipulate system processes, and remain persistent even after initial detection.
The malware also continuously monitors clipboard data to extract cryptocurrency keys and sensitive financial information. Microsoft’s report notes:
Clipboard monitoring is continuous, with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.
By scanning for specific patterns linked to cryptocurrency addresses, StilachiRAT can intercept and replace copied wallet addresses, redirecting transactions to an attacker-controlled destination. To mitigate the risk, Microsoft advises users to implement security measures such as enabling Microsoft Defender protections, using secure browsers, and avoiding unverified downloads. As the threat landscape evolves, cybersecurity experts urge crypto holders to stay vigilant against emerging malware designed to exploit digital assets.
Comments
Post a Comment