
Microsoft security experts have uncovered a new remote access Trojan, StilachiRAT, that employs sophisticated evasion, persistence, and data exfiltration techniques. Although its distribution remains limited, the company has opted to publicly disclose indicators of compromise and mitigation strategies to aid cybersecurity professionals in detecting and neutralizing the threat.
First identified in November 2024 by Microsoft Incident Response researchers, StilachiRAT was found embedded within the module WWStartupCtrl64.dll, which houses its core functionalities. Analysis revealed the Trojan’s capability to exfiltrate account credentials, cryptocurrency wallet data, clipboard contents, and detailed system information.
One of StilachiRAT’s defining features is its reconnaissance module, which gathers intelligence on a device’s hardware configuration, the presence of webcams, active Remote Desktop Protocol (RDP) sessions, and running graphical applications. Additionally, the malware monitors active windows and processes, analyzing user behavior in real time.
Once embedded within a system, StilachiRAT primarily focuses on harvesting cryptocurrency wallet credentials. It scans configurations of 20 widely used browser extensions, including Coinbase Wallet, Phantom, Trust Wallet, MetaMask, OKX Wallet, and Bitget Wallet. Furthermore, it extracts stored credentials from Google Chrome and monitors clipboard activity to capture login details and private keys associated with digital assets.
To maintain persistence, StilachiRAT leverages the Windows Service Control Manager (SCM) and creates a “watchdog” process that oversees the activity of malicious binary files, automatically restoring them if deleted. This mechanism ensures that the Trojan remains operational even after removal attempts.
A particularly alarming aspect of StilachiRAT is its ability to track active RDP sessions and extract security tokens, allowing attackers to move laterally across networks using privileged accounts. The malware can collect session data, bring malicious windows to the foreground, and duplicate the security tokens of administrator accounts, enabling it to execute programs with elevated rights.
StilachiRAT also incorporates robust anti-analysis mechanisms. It can purge Windows event logs, detect sandbox environments, and employ dynamic API call resolution to complicate forensic examination. If it identifies execution within an analysis environment, it modifies its behavior to evade detection.
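Two of the behaviours described above leave traces in Windows event logs that a defender can hunt for: the service-based persistence with watchdog restoration (a service that is installed, and then installed again shortly after removal), and the purging of event logs. The following script is an added example written for this article, not Microsoft's tooling or any code from the StilachiRAT report. It runs a few simple hunting rules over constructed sample records; the only value taken from the article is the module name WWStartupCtrl64.dll. The line format (`timestamp|Channel|EventID|key=value;...`) is an assumption made for the example rather than any real export format, and the Event IDs used are the standard Windows ones (System 7045 for a newly installed service, Security 1102 for the audit log being cleared, System 104 for the System log being cleared). The reinstall window is a tunable heuristic, not a value from the report.

```python
from datetime import datetime, timedelta

KNOWN_MODULE = "wwstartupctrl64.dll"          # module named in the article
LOG_CLEARED = {("Security", "1102"),           # audit log was cleared
               ("System", "104")}              # System log file was cleared

# Constructed sample export, one event per line. The service name, paths,
# timestamps and account are all invented for this example.
SAMPLE_EVENTS = """\
2025-03-10T09:00:01|System|7045|ServiceName=WinUpdSvc;ImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs;StartType=auto start
2025-03-10T09:00:02|System|7045|ServiceName=StartupCtrl;ImagePath=rundll32.exe C:\\ProgramData\\WWStartupCtrl64.dll,Start;StartType=auto start
2025-03-10T09:04:30|System|7045|ServiceName=StartupCtrl;ImagePath=rundll32.exe C:\\ProgramData\\WWStartupCtrl64.dll,Start;StartType=auto start
2025-03-10T09:05:00|Security|1102|SubjectUserName=admin;SubjectDomainName=CORP
2025-03-10T09:05:01|System|104|Channel=System;SubjectUserName=admin
2025-03-10T10:00:00|System|7045|ServiceName=PrintHelper;ImagePath=C:\\Program Files\\Vendor\\helper.exe;StartType=auto start
"""


def parse_event(line):
    """Split one 'timestamp|Channel|EventID|k=v;k=v' record into a dict."""
    ts, channel, event_id, raw = line.split("|", 3)
    fields = {}
    for pair in raw.split(";"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return {"time": datetime.fromisoformat(ts), "channel": channel,
            "id": event_id, "fields": fields}


def hunt(text, reinstall_window=timedelta(minutes=10)):
    """Return (timestamp, rule, detail) findings for the three hunting rules."""
    findings = []
    last_install = {}                          # ServiceName -> time of last 7045
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        ts = ev["time"].isoformat()

        # Rule 1: an event log was cleared (anti-forensics).
        if (ev["channel"], ev["id"]) in LOG_CLEARED:
            who = ev["fields"].get("SubjectUserName", "?")
            findings.append((ts, "log_cleared",
                             f"{ev['channel']} log cleared by {who}"))

        if ev["channel"] == "System" and ev["id"] == "7045":
            name = ev["fields"].get("ServiceName", "")
            image = ev["fields"].get("ImagePath", "")

            # Rule 2: a new service references the known malicious module.
            if KNOWN_MODULE in image.lower():
                findings.append((ts, "known_module_service",
                                 f"service {name} loads {KNOWN_MODULE}: {image}"))

            # Rule 3: the same service is installed again within the window,
            # the pattern a watchdog restoring a removed service would leave.
            prev = last_install.get(name)
            if prev is not None and ev["time"] - prev <= reinstall_window:
                gap = int((ev["time"] - prev).total_seconds())
                findings.append((ts, "service_reinstalled",
                                 f"service {name} installed again {gap}s after previous install"))
            last_install[name] = ev["time"]
    return findings


if __name__ == "__main__":
    for ts, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{ts}  {rule:<22} {detail}")
```

Against a real environment the same rules would be fed from an EVTX export or a SIEM query rather than the constructed string; the reinstall rule in particular is worth keeping broad, since a legitimate installer rarely registers the same service twice within minutes, while a watchdog that restores its binary will.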
Beyond data collection and stealth operations, the Trojan is capable of executing commands from its command-and-control (C2) server. It can reboot infected machines, manipulate system windows, modify Windows registry settings, suspend device operations, and launch arbitrary applications. Additionally, it supports proxy functionality, enabling attackers to reroute network traffic through compromised systems.
To mitigate the risk of StilachiRAT infections, Microsoft advises users to download software exclusively from official sources, employ up-to-date antivirus solutions, and implement protective measures such as blocking suspicious domains and malicious email attachments.