malware draining crypto wallets

Microsoft just uncovered a nasty piece of work lurking in Google Chrome’s extensions. The newly discovered StilachiRAT malware isn’t your average digital pest – it’s a sophisticated remote access trojan with a particular appetite for cryptocurrency wallets. Detected in November 2024, this malware targets more than 20 popular crypto wallet extensions in Chrome, putting users’ digital assets at serious risk.

The list of targeted wallets reads like a who’s who of cryptocurrency management tools. MetaMask, Trust Wallet, Coinbase Wallet, Bitget, TronLink, OKX, Phantom, Manta, and BNB Chain Wallet – they’re all in StilachiRAT’s crosshairs. Not great news if you’re heavily invested in crypto.

This isn’t some amateur hack job. StilachiRAT employs sophisticated techniques to fly under the radar. It installs through a compromised library file, modifies Windows service settings, and even uses watchdog threads to reinstall itself if removed. Talk about persistent!

And it waits two whole hours before connecting to command-and-control servers. Patient little devil.

Once established, the malware gets busy. It extracts and decrypts saved Chrome passwords, monitors your clipboard for sensitive data, and impersonates users by duplicating security tokens. The malware also accesses cryptocurrency configurations through the Chrome registry key which stores wallet extension data. It’s basically you, but evil. And with worse intentions.

The really clever part? StilachiRAT is a master of disguise. It clears system logs, detects sandbox environments, and stops working if it notices analysis tools. It even employs polymorphic techniques to morph into different extensions. Sneaky.

While not yet widespread, security experts warn the threat is significant. The malware accesses Chrome’s local state files, scans for specific wallet extensions, and ships everything off to attacker-controlled servers. This pattern is reminiscent of the attack where Google removed 49 malicious crypto-wallet extensions from the Chrome web store.
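The two paragraphs above describe the malware reading Chrome's extension settings (the registry key and the local state/preferences files) to find wallet extensions. Defenders can read the same data for the opposite purpose: an exposure inventory that answers "which of our endpoints carry the targeted wallet extensions, and is anything sideloaded outside the Web Store?" The script below is an added example written for this page, not code from the article or from Microsoft. It parses Chrome's `Preferences` / `Secure Preferences` JSON, whose `extensions.settings` map is keyed by extension ID (32 lowercase letters a-p) and carries each extension's `manifest`, `from_webstore` flag, install `path` and `state`. The watchlist IDs, the sample profile and the extension names are all constructed placeholders; the registry key the article mentions is not named on the page and is not touched here.

```python
"""Inventory Chrome wallet extensions from a profile's Preferences JSON.

Added example (not from the article or Microsoft): a defender-side audit that
reads the extension settings a RAT would read, but to measure exposure and
spot sideloaded extensions rather than to steal anything.
"""
import json
import ntpath
import os
import posixpath
from pathlib import Path
from typing import Dict, List, Optional

# CONSTRUCTED placeholder watchlist. Real Chrome extension IDs are 32 lowercase
# letters in the range a-p; take each wallet's real ID from its Web Store URL.
WALLET_WATCHLIST: Dict[str, str] = {
    "abcdefghijklmnopabcdefghijklmnop": "ExampleWallet A (placeholder ID)",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "ExampleWallet B (placeholder ID)",
}

# Typical locations of the extension settings. On Windows, Web Store extensions
# live in "Secure Preferences"; the JSON layout is the same everywhere.
PREFS_CANDIDATES: List[Path] = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Secure Preferences",
    Path.home() / ".config/google-chrome/Default/Preferences",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Preferences",
]

# CONSTRUCTED sample profile mirroring the real layout: two watchlisted wallets
# (one disabled), one ordinary Web Store extension, one sideloaded extension.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "manifest": {"name": "ExampleWallet A", "version": "11.2.0"},
                "from_webstore": True, "state": 1,
                "path": "abcdefghijklmnopabcdefghijklmnop\\11.2.0_0",
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "manifest": {"name": "ExampleWallet B", "version": "3.0.1"},
                "from_webstore": True, "state": 0,
                "path": "ponmlkjihgfedcbaponmlkjihgfedcba\\3.0.1_0",
            },
            "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb": {
                "manifest": {"name": "Helpful Notes", "version": "1.0"},
                "from_webstore": True, "state": 1,
                "path": "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb\\1.0_0",
            },
            "ppppppppppppppppoooooooooooooooo": {
                "manifest": {"name": "Wallet Helper", "version": "0.1"},
                "from_webstore": False, "state": 1,
                "path": "C:\\Users\\Public\\wallet_helper",
            },
        }
    }
})


def load_extension_settings(prefs_text: str) -> dict:
    """Return the extensions.settings map from a Preferences JSON document."""
    data = json.loads(prefs_text)
    return data.get("extensions", {}).get("settings", {}) or {}


def audit_extensions(settings: dict, watchlist: Dict[str, str] = WALLET_WATCHLIST) -> dict:
    """Split installed extensions into watchlisted wallets and sideloaded entries."""
    report = {"wallets": [], "sideloaded": []}
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        name = manifest.get("name", "<unknown>")
        if ext_id in watchlist:
            report["wallets"].append({
                "id": ext_id, "name": name,
                "version": manifest.get("version"),
                "enabled": entry.get("state") == 1,  # 1 = enabled, 0 = disabled
            })
        # Web Store installs sit at a path relative to the profile's Extensions
        # directory. An absolute path or from_webstore=False means the extension
        # was loaded from elsewhere and deserves a closer look.
        path = str(entry.get("path", ""))
        if entry.get("from_webstore") is False or posixpath.isabs(path) or ntpath.isabs(path):
            report["sideloaded"].append({"id": ext_id, "name": name, "path": path})
    return report


def audit_profile(prefs_path: Optional[Path] = None) -> dict:
    """Audit a real profile if one is found, otherwise the constructed sample."""
    for candidate in ([prefs_path] if prefs_path else PREFS_CANDIDATES):
        if candidate and candidate.is_file():
            return audit_extensions(load_extension_settings(candidate.read_text(encoding="utf-8")))
    return audit_extensions(load_extension_settings(SAMPLE_PREFS))


if __name__ == "__main__":
    result = audit_profile()
    for w in result["wallets"]:
        status = "enabled" if w["enabled"] else "disabled"
        print(f"wallet    {w['id']}  {w['name']} v{w['version']}  {status}")
    for s in result["sideloaded"]:
        print(f"sideload  {s['id']}  {s['name']}  path={s['path']}")
```

Run across a fleet (with the real wallet IDs substituted), the `wallets` list tells you which hosts are in scope when a report like this one lands, and the `sideloaded` list surfaces extensions that did not come from the Web Store, the kind of entry a malicious or tampered extension would produce.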

The safest approach? Download software only from official sources and make sure your security tools are up to date. Microsoft Defender for Endpoint users should enable network protection. And maybe keep an eye on those crypto balances. Just saying.