StilachiRAT Malware Steals Crypto Using Advanced Reconnaissance

Microsoft discovered StilachiRAT, a new RAT malware using sophisticated techniques to steal cryptocurrency and perform reconnaissance. Its advanced evasion capabilities make proactive defense crucial.

    Microsoft has uncovered a new Remote Access Trojan (RAT) malware, dubbed StilachiRAT, designed for sophisticated data exfiltration and reconnaissance. This malware, while not yet widespread, employs advanced techniques to evade detection and maintain persistence on compromised systems. Microsoft’s proactive disclosure aims to help organizations bolster their defenses.

    StilachiRAT Malware’s Capabilities: A Detailed Look

    StilachiRAT’s functionality extends beyond typical RAT capabilities. It leverages multiple methods to steal sensitive information, including:

    • Credential Harvesting: The malware targets credentials saved in web browsers, reading Google Chrome’s Local State file and using Windows APIs to decrypt the stored secrets.
    • Cryptocurrency Wallet Data Theft: StilachiRAT scans for and extracts data from 20 cryptocurrency wallet browser extensions, including Coinbase Wallet, Phantom, Trust Wallet, MetaMask, OKX Wallet, and Bitget Wallet.
    • Clipboard Monitoring: The malware actively monitors clipboard activity, searching for sensitive information such as passwords and cryptocurrency keys.
    • System Reconnaissance: StilachiRAT performs extensive system reconnaissance, collecting hardware identifiers, checking for a camera, identifying active Remote Desktop Protocol (RDP) sessions, and enumerating running GUI applications to profile the targeted system. This reconnaissance phase supports follow-on attacks.
    • Persistence and Evasion: StilachiRAT registers itself through the Windows service control manager (SCM) to maintain persistence and uses watchdog threads to reinstall its binaries automatically if they are removed. It also includes anti-forensics capabilities, such as clearing event logs and detecting sandbox environments to hinder analysis. The malware further hides the Windows APIs it uses: instead of storing API names, it stores checksums and resolves them to addresses dynamically at runtime.
    • Command and Control (C2) Functionality: StilachiRAT receives commands from a C2 server, enabling threat actors to execute commands such as system reboots, log clearing, credential theft, application execution, and manipulation of system windows. Additional commands allow for system suspension and modification of Windows registry values.
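    The checksum-based API resolution mentioned in the list above is worth seeing end to end. The Python below is an added example, not code from this page or from the StilachiRAT sample: the hash function (a ROR13 additive hash common in shellcode), the export list and the “constants found in the sample” are all assumptions standing in for whatever checksum and modules the malware actually uses, which the page does not specify. It shows both sides of the technique: how a loader resolves an API from a checksum without any plaintext name in the binary, and how an analyst precomputes a checksum-to-name table to label those constants in a disassembler.

```python
"""Added example (not StilachiRAT code): checksum-based API resolution and
how an analyst reverses it with a precomputed lookup table."""
from __future__ import annotations

# Constructed export list standing in for the export table of kernel32.dll /
# user32.dll. Real code walks the PE export directory of the loaded module;
# the names are embedded here so the example runs offline on any platform.
EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "OpenSCManagerW",
    "CreateServiceW", "GetClipboardData", "CreateToolhelp32Snapshot",
    "ClearEventLogW", "WTSEnumerateSessionsW", "DuplicateTokenEx",
]


def ror13_hash(name: str) -> int:
    """Rotate-right-13 additive hash over the ASCII export name.

    ASSUMPTION: the checksum StilachiRAT really uses is not published on this
    page; ROR13 is a generic stand-in that demonstrates the mechanism."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # 32-bit rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


def resolve_by_checksum(exports: list[str], wanted: int) -> str | None:
    """What the loader does at runtime: hash every export name and return the
    first one whose checksum matches. No API string ever appears in the
    binary, so `strings` and import-table analysis show nothing useful."""
    for name in exports:
        if ror13_hash(name) == wanted:
            return name
    return None


def build_lookup(exports: list[str]) -> dict[int, str]:
    """What the analyst does: precompute checksum -> name for every export of
    the modules the sample is known to load."""
    return {ror13_hash(n): n for n in exports}


def deobfuscate(constants: list[int], table: dict[int, str]) -> list[tuple[str, str]]:
    """Label each hard-coded constant; unknown checksums are reported as such
    (they may belong to a module not yet included in the table, or use a
    different hash)."""
    return [(f"0x{c:08x}", table.get(c, "<unknown>")) for c in constants]


# Constructed stand-in for constants pulled out of a sample's resolver calls.
# They are produced by hashing known names so the example is self-checking;
# 0xDEADBEEF is deliberately unresolvable.
SAMPLE_CONSTANTS = [
    ror13_hash("OpenSCManagerW"),
    ror13_hash("GetClipboardData"),
    ror13_hash("ClearEventLogW"),
    0xDEADBEEF,
]

if __name__ == "__main__":
    table = build_lookup(EXPORTS)
    for const, name in deobfuscate(SAMPLE_CONSTANTS, table):
        print(f"{const}  ->  {name}")
```

    The lookup table is only as good as the export lists fed into it, so in practice an analyst builds it from every DLL the sample loads and, if nothing resolves, tries the other common hash variants (ROR7, CRC32, FNV-1a) before assuming a custom checksum.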

    “In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data,” Microsoft stated.

    “Analysis of StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information.”

    The malware’s ability to duplicate security tokens and impersonate logged-in users gives it a path to lateral movement within a victim’s network. This is especially concerning on RDP servers, which often host administrative sessions that can be impersonated.

    “The malware obtains the current session and actively launches foreground windows as well as enumerates all other RDP sessions,” Microsoft explained.

    “For each identified session, it will access the Windows Explorer shell and duplicate its privileges or security token. The malware then gains capabilities to launch applications with these newly obtained privileges.”

    Mitigation Strategies

    To minimize the risk of StilachiRAT infection, Microsoft recommends downloading software only from official websites and employing security software capable of blocking malicious domains and email attachments.

    A layered security approach, combining multiple security measures, is vital for enterprise businesses in today’s threat landscape. Understanding and mitigating the risks associated with RDP access is also critical. See our article on Top Cyber Threats Facing Enterprise Businesses in 2025 for a broader perspective on current threats.
