Microsoft security researchers have identified a new malware threat targeting popular crypto wallet extensions including MetaMask and Phantom.
The StilachiRAT remote access trojan was first discovered in November 2024 and has since been deeply analyzed to reveal the depth of this threat. Specifically, it can target crypto wallets.
MetaMask, Coinbase, Phantom, Keplr and more could be at risk as the RAT is able to scan for cryptocurrency wallet extensions in the Google Chrome browser. It can then extract and decrypt saved credentials to access usernames and passwords.
The information gathering RAT can continuously monitor clipboard content, as it actively hunts for sensitive information like cryptocurrency keys and passwords.
The researchers shared examples of the regular expressions the RAT uses to scan clipboard contents for credentials, noting that they’re seeking information related to the Tron network—which is particularly popular in China.
Microsoft says that StilachiRAT targets specific wallets including: Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Kepler, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, and Plug.
Aaron Walton, Threat Intel Analyst at Expel, told Decrypt: “Infostealing malware, leverages social engineering to trick users into downloading and executing malicious code. These lures range from everything from a download, to a job offer, or even a fake-captcha that interrupts a user while web browsing.
“There is big money to be made and the tactics criminals are using can bypass basic security and even business level defenses.”
StilachiRAT appears to be using anti-forensic behaviors, including clearing event logs and evading detection.
The Microsoft Incident Response team says: “Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape.”
Edited by Stacy Elliott.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
