Microsoft: New RAT malware used for crypto theft, reconnaissance


Microsoft has discovered a new remote access trojan (RAT) named StilachiRAT, which employs sophisticated techniques to evade detection, maintain persistence, and extract sensitive data. While the malware has not yet reached widespread distribution, Microsoft has shared indicators of compromise (IoCs) and mitigation strategies to help security teams reduce its impact.

StilachiRAT is designed to steal credentials stored in browsers, digital wallet information, clipboard data, and system details, making it particularly dangerous for cryptocurrency users and organizations with sensitive data. It specifically targets 20+ cryptocurrency wallet extensions, including Coinbase Wallet, Metamask, OKX Wallet, and Trust Wallet, among others, by scanning their configuration files. Additionally, it collects system reconnaissance data, such as hardware identifiers, camera presence, active RDP sessions, and running applications, to profile its victims.

The RAT ensures persistence by leveraging the Windows Service Control Manager (SCM) and employs watchdog threads that monitor its own processes, ensuring it gets reinstalled automatically if terminated. Furthermore, it enables attackers to monitor active RDP sessions, clone security tokens, and execute commands, allowing lateral movement within compromised networks.

StilachiRAT is also highly evasive, capable of clearing event logs, detecting sandbox environments, and dynamically resolving API calls at runtime using encoded checksums to obstruct malware analysis. Once deployed, it allows attackers to execute various commands from a command-and-control (C2) server, such as rebooting the system, modifying registry values, stealing credentials, suspending the machine, clearing logs, and enabling SOCKS-like proxying for remote access.

Given its capabilities, this malware presents a serious threat to individuals and organizations, especially those reliant on RDP for administrative tasks. Microsoft recommends downloading software only from trusted sources, using security solutions that block malicious domains and attachments, and monitoring for signs of compromise to mitigate the risks associated with StilachiRAT.
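As an added detection example (not from Microsoft's report), the following script turns two of the behaviours described above into one correlation rule: a new Windows service installed from outside the usual program directories (System log event 7045, the SCM persistence step) followed within a short window on the same host by a Security log clear (event 1102). The event records, host names, service name and binary path are all constructed placeholders, not real IoCs.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like what a SIEM
# would normalise from the Windows System and Security logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2025-03-17T09:00:05", "event_id": 7045,
     "service": "WinUpdSvcHelper", "image": r"C:\Users\Public\upd.exe"},
    {"host": "ws01", "time": "2025-03-17T09:00:40", "event_id": 1102},
    {"host": "ws02", "time": "2025-03-17T10:15:00", "event_id": 7045,
     "service": "VendorAgent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "ws03", "time": "2025-03-17T11:00:00", "event_id": 1102},
]

# Directories where legitimately installed service binaries normally live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def suspicious_service_install(ev):
    """True for a 7045 (service installed) whose binary is outside TRUSTED_DIRS."""
    if ev.get("event_id") != 7045:
        return False
    return not ev.get("image", "").lower().startswith(TRUSTED_DIRS)


def find_persist_then_wipe(events, window_minutes=30):
    """Return one alert per host where a suspicious service install is followed
    within `window_minutes` by a Security log clear (1102)."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        wipes = [e for e in evs if e.get("event_id") == 1102]
        for inst in (e for e in evs if suspicious_service_install(e)):
            t0 = datetime.fromisoformat(inst["time"])
            for w in wipes:
                delta = datetime.fromisoformat(w["time"]) - t0
                if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                    alerts.append({"host": host, "service": inst["service"],
                                   "image": inst["image"], "cleared_at": w["time"]})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_persist_then_wipe(SAMPLE_EVENTS):
        print(alert)  # only ws01 matches: untrusted path, then 1102 within 35 seconds
```

A 1102 on its own (ws03) or a service installed from a trusted directory (ws02) is deliberately not flagged by this rule; those stay as lower-priority signals for a separate hunt.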
