If you hold crypto, this is a security alert worth reading. Microsoft has uncovered a new malware family called StilachiRAT, a remote access trojan (RAT) built to steal sensitive data: saved login credentials, clipboard contents and, above all, information from your crypto wallets.
Microsoft's researchers first ran into StilachiRAT in November 2024. The RAT lives in a DLL named WWStartupCtrl64.dll and uses several anti-analysis tricks to avoid detection. Microsoft has not attributed it to any particular threat actor yet, but one thing is clear: it is built to collect as much sensitive information as it can.
Here’s what it goes after:
- Passwords saved in your browser
- Crypto wallet details (yep, those funds aren’t safe if this thing gets in)
- Clipboard data, meaning if you copy-paste passwords or wallet addresses, it snatches them
- System details such as the BIOS serial number, whether a camera is present, and any active Remote Desktop (RDP) sessions
And it does all of this quietly. StilachiRAT gathers the system information with Windows Management Instrumentation (WMI) queries written in WQL, the same mechanism administrators and legitimate software use every day, so the collection does not stand out as unusual activity and you are unlikely to notice it running.
Crypto Wallets at Risk
The RAT carries a hard-coded list of Chrome wallet extensions and checks Chrome's extension settings in the Windows registry to see which of them are installed. The list includes:
- MetaMask
- Trust Wallet
- Coinbase Wallet
- TronLink
- OKX Wallet
- Phantom and many more.
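Checking which of these targeted wallet extensions are installed in a Chrome profile is a quick way to decide whether a machine is exposed. The script below is an added example, not Microsoft's tooling and not code taken from the malware. It assumes the standard Chrome profile layout (Extensions/<id>/<version>/manifest.json, with localized names under _locales/<locale>/messages.json) and matches on the extensions' display names; the RAT itself matches on extension IDs, which is more robust, but the IDs are not on this page and are left out. The profile the demo function builds is constructed for the example.

```python
"""Inventory a Chrome profile's extensions and flag the wallets StilachiRAT targets.

Added example, not Microsoft's tooling and not code from the malware. It assumes the
standard Chrome profile layout: <profile>/Extensions/<id>/<version>/manifest.json,
with localized names resolved from _locales/<locale>/messages.json.
"""
import json
import os
import tempfile
from pathlib import Path

# Wallets named in the report, matched on display name (case-insensitive).
# Matching on extension IDs, as the RAT does, is more robust; IDs are omitted here.
TARGETED_WALLETS = {"metamask", "trust wallet", "coinbase wallet",
                    "tronlink", "okx wallet", "phantom"}


def _resolve_name(ext_dir: Path, manifest: dict) -> str:
    """A manifest name of the form __MSG_key__ is looked up in the locale files."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-len("__")]
    for locale in dict.fromkeys([manifest.get("default_locale") or "en", "en", "en_US"]):
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        if not msg_file.is_file():
            continue
        try:
            entry = json.loads(msg_file.read_text(encoding="utf-8")).get(key)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and isinstance(entry.get("message"), str):
            return entry["message"]
    return name  # unresolved placeholder is returned as-is


def installed_extensions(profile_dir) -> dict:
    """Return {extension_id: display_name} for each extension directory with a manifest."""
    found = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        # One sub-directory per installed version; the last one in sort order wins.
        for version_dir in sorted(p for p in ext_id_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except json.JSONDecodeError:
                continue
            found[ext_id_dir.name] = _resolve_name(version_dir, manifest)
    return found


def targeted_wallets_installed(profile_dir) -> dict:
    """Subset of installed extensions whose display name is on the targeted list."""
    return {ext_id: name for ext_id, name in installed_extensions(profile_dir).items()
            if name.strip().lower() in TARGETED_WALLETS}


def default_chrome_profile() -> Path:
    """Default profile path on Windows; pass any other profile directory explicitly."""
    local = os.environ.get("LOCALAPPDATA", "")
    return Path(local) / "Google" / "Chrome" / "User Data" / "Default"


def demo_on_constructed_profile() -> dict:
    """Run the check on a constructed (fake) profile so the example works offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed wallet extension with a localized name, as store extensions commonly have.
        # The 32-character IDs below are placeholders, not real extension IDs.
        wallet = root / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "12.0.0_0"
        (wallet / "_locales" / "en").mkdir(parents=True)
        (wallet / "manifest.json").write_text(json.dumps(
            {"name": "__MSG_appName__", "default_locale": "en", "version": "12.0.0"}))
        (wallet / "_locales" / "en" / "messages.json").write_text(json.dumps(
            {"appName": {"message": "MetaMask"}}))
        # Constructed non-wallet extension with a plain name.
        other = root / "Extensions" / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "1.0_0"
        other.mkdir(parents=True)
        (other / "manifest.json").write_text(json.dumps({"name": "Tab Tidy", "version": "1.0"}))
        return targeted_wallets_installed(root)


if __name__ == "__main__":
    print("constructed profile:", demo_on_constructed_profile())
    for ext_id, name in targeted_wallets_installed(default_chrome_profile()).items():
        print(f"targeted wallet extension installed: {name} ({ext_id})")
```

Run it as-is to see the constructed result, or point targeted_wallets_installed() at a real profile directory (Chrome must not hold the files locked for reading manifests, which it normally does not). Name matching is deliberately loose; a hit means the extension is present, not that the machine is infected.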
This isn’t just a passive info-stealer. StilachiRAT is built for more, supporting at least 10 dangerous commands, including:
- Wiping event logs to cover its tracks
- Shutting down the system through an undocumented Windows API
- Killing network connections
- Running specific applications
- Searching for certain open windows on the desktop
- Stealing passwords saved in Chrome, by decrypting the browser's credential store with the key Chrome keeps in its Local State file
- Forcing the system into sleep or hibernation mode
And to make analysis harder, it repeatedly checks for analysis tools and sandbox timers, and will not run properly if it believes it is being watched.
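Several of the commands above leave traces a defender can hunt for, and the DLL name from the report gives a direct indicator. The Python below is an added example, not Microsoft's detection logic: it runs three rules over Windows event records exported as JSON and flags log clearing (Security event 1102 and System event 104, which are written by the clearing itself whatever tool or API performed it), a load of the named DLL, and any unsigned DLL loaded from a user-writable directory. The field names (Channel, EventID, and EventData with Sysmon's Image/ImageLoaded/Signed and the SubjectUserName of log-clearing events) are an assumption about the export format, and the sample records are constructed. The in-process WMI collection described earlier does not show up as a process launch, so these rules do not cover it.

```python
"""Hunt for StilachiRAT-style traces in exported Windows event records.

Added example, not Microsoft's detection logic. Events are dicts in the shape of a
JSON export of Security, System and Sysmon logs; the field names used here
(Channel, EventID, EventData.Image/ImageLoaded/Signed/SubjectUserName) are an
assumption about that export. The sample records at the bottom are constructed.
"""
import re
from dataclasses import dataclass

# DLL the report ties to the RAT (matched on basename, case-insensitive).
KNOWN_RAT_DLLS = {"wwstartupctrl64.dll"}
# Locations a legitimately installed, signed system DLL would not normally be loaded from.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\",
                           re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    event_index: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events) -> list:
    """Apply three rules to a sequence of event dicts and return the alerts in order."""
    alerts = []
    for i, ev in enumerate(events):
        chan = ev.get("Channel", "")
        eid = int(ev.get("EventID", 0))
        data = ev.get("EventData", {})

        # The "clear event logs" command: Security 1102 ("the audit log was cleared") and
        # System 104 ("the log file was cleared") are written by the clearing itself,
        # whichever API or tool performed it.
        if (chan == "Security" and eid == 1102) or (chan == "System" and eid == 104):
            who = data.get("SubjectUserName", "?")
            alerts.append(Alert("event_log_cleared", i, f"{chan} log cleared by {who}"))

        # Sysmon 7 (image loaded): the RAT's DLL by name, or any unsigned DLL loaded
        # from a user-writable directory.
        if chan == "Microsoft-Windows-Sysmon/Operational" and eid == 7:
            loaded = data.get("ImageLoaded", "")
            host = data.get("Image", "?")
            if _basename(loaded) in KNOWN_RAT_DLLS:
                alerts.append(Alert("known_rat_dll_loaded", i, f"{loaded} -> {host}"))
            elif str(data.get("Signed", "true")).lower() == "false" and USER_WRITABLE.search(loaded):
                alerts.append(Alert("unsigned_dll_from_user_path", i, f"{loaded} -> {host}"))
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7,
     "EventData": {"Image": r"C:\Windows\System32\svchost.exe",
                   "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"}},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7,
     "EventData": {"Image": r"C:\Windows\System32\svchost.exe",
                   "ImageLoaded": r"C:\ProgramData\Update\WWStartupCtrl64.dll", "Signed": "false"}},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 7,
     "EventData": {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                   "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"}},
    {"Channel": "Security", "EventID": 1102, "EventData": {"SubjectUserName": "alice"}},
    {"Channel": "System", "EventID": 104,
     "EventData": {"SubjectUserName": "alice", "Channel": "Microsoft-Windows-Sysmon/Operational"}},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert.rule}] event #{alert.event_index}: {alert.detail}")
```

A Security log that has been cleared still contains its own 1102 record, but nothing stops the attacker clearing it again later, so the rules are only reliable when the logs are forwarded to a collector the compromised host cannot wipe. The unsigned-DLL rule will fire on some legitimate software installed per-user; treat it as a triage lead rather than a verdict.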
Meanwhile, cybersecurity researchers at Palo Alto Networks’ Unit 42 have flagged three other concerning malware samples:
- An IIS backdoor that executes hidden commands through HTTP requests.
- A bootkit that installs a modified GRUB 2 bootloader—one that, weirdly enough, plays Dixie through the PC speaker after rebooting (either a prank or a distraction tactic).
- A Windows implant of ProjectGeass, a powerful post-exploitation tool built in C++.
StilachiRAT is another reminder that threats against crypto users keep evolving. To stay safe, keep your operating system, browser and security software up to date; avoid copying seed phrases, private keys or passwords to the clipboard, where a stealer can read them; and be careful about what you download or click, since random links and unknown sources are risky.