Cybersecurity threats in the crypto industry continue to evolve, with the latest menace being the StilachiRAT malware. Discovered by Microsoft researchers, this malicious software specifically targets cryptocurrency wallets within Google Chrome and other web browsers, putting users’ digital assets at risk. As crypto adoption grows, so do the tactics of cybercriminals, making it crucial for investors and users to stay informed and take protective measures.
How StilachiRAT Works
StilachiRAT operates as a Remote Access Trojan (RAT), granting hackers unauthorized control over infected devices. It primarily spreads through phishing emails, malicious downloads, and compromised browser extensions. Once installed, the malware:
- Intercepts browser activity, particularly monitoring wallet-related extensions such as MetaMask, Coinbase Wallet, and Trust Wallet.
- Steals private keys and login credentials, enabling attackers to transfer funds from compromised accounts.
- Logs keystrokes and takes screenshots, capturing sensitive user information for further exploitation.
- Modifies browser settings, injecting malicious scripts that reroute users to fraudulent crypto websites.
Digital wallet targeting
StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser. It accesses the settings in the following registry key and validates if any of the extensions are installed:
\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings
The malware targets the following cryptocurrency wallet extensions:
| Cryptocurrency wallet extension name | Chrome extension identifier |
| Bitget Wallet (Formerly BitKeep) | jiidiaalihmmhddjgbnbgdfflelocpak |
| Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdph |
| TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec |
| MetaMask (ethereum) | nkbihfbeogaeaoehlefnkodbefgpgknn |
| TokenPocket | mfgccjchihfkkindfppnaooecgfneiii |
| BNB Chain Wallet | fhbohimaelbohpjbbldcngcnapndodjp |
| OKX Wallet | mcohilncbfahbmgdjkbpemcciiolgcge |
| Sui Wallet | opcgpfmipidbgpenhmajoajpbobppdil |
| Braavos – Starknet Wallet | jnlgamecbpmbajjfhmmmlhejkemejdma |
| Coinbase Wallet | hnfanknocfeofbddgcijnmhnfnkdnaad |
| Leap Cosmos Wallet | fcfcfllfndlomdhbehjjcoimbgofdncg |
| Manta Wallet | enabgbdfcbaehmbigakijjabdpdnimlg |
| Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| Compass Wallet for Sei | anokgmphncpekkhclmingpimjmcooifb |
| Math Wallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| Fractal Wallet | agechnindjilpccclelhlbjphbgnobpf |
| Station Wallet | aiifbnbfobpmeekipheeijimdpnlpgpp |
| ConfluxPortal | bjiiiblnpkonoiegdlifcciokocjbhkd |
| Plug | cfbfdhimifdmdehjmkdobpcjfefblkjm |
Who is at Risk?
The primary targets of StilachiRAT are crypto traders, DeFi users, and anyone who interacts with browser-based wallets. Since most users access their wallets through Google Chrome extensions, the malware poses a significant threat by bypassing traditional security measures and directly compromising users’ funds.
How to Protect Your Crypto Assets
To safeguard against StilachiRAT and similar threats, users should:
- Avoid clicking on suspicious links or downloading unverified browser extensions.
- Use hardware wallets instead of browser-based wallets for added security.
- Enable two-factor authentication (2FA) for all crypto-related accounts.
- Regularly update browser security settings and review installed extensions.
- Install reputable anti-malware software to detect and block potential threats.
Conclusion
The rise of StilachiRAT underscores the importance of cybersecurity awareness in the crypto space. As attackers develop more sophisticated methods, users must remain vigilant, adopt strong security practices, and stay informed about emerging threats. Protecting digital assets is no longer just a recommendation—it is a necessity in today’s evolving threat landscape.