Cybersecurity teams face a rising threat as Microsoft tracks a powerful new remote access Trojan (RAT) known as StilachiRAT, a tool built with an arsenal of malicious features aimed at maximizing its impact on compromised systems.
This advanced malware doesn’t just steal credentials; it gathers system data, targets cryptocurrency wallets, monitors user activity, and uses sophisticated techniques to evade detection—all while ensuring it stays buried deep inside a victim’s environment.
StilachiRAT Packs a Dangerous Blend of Capabilities
First detected in November 2024, StilachiRAT hasn’t spread widely yet, but Microsoft warns that its stealth and resilience make it a serious risk, especially for enterprises. “Malware like StilachiRAT often slips through multiple vectors, making it critical to harden systems against the initial breach,” Microsoft stressed in its latest alert.
Once active, StilachiRAT behaves like a digital Swiss Army knife for cybercriminals. It collects extensive system data, including operating system details, BIOS serial numbers, active RDP sessions, and even whether a camera is present.
The malware’s credential theft module targets stored usernames and passwords inside Google Chrome. Meanwhile, it hunts for cryptocurrency assets by scanning over 20 browser wallet extensions, including major names like Coinbase, Phantom, Manta, Fractal, and Bitget. StilachiRAT also monitors clipboard content and active applications—constantly searching for passwords, sensitive data, or crypto keys to exfiltrate.
Designed to Evade Detection and Stay Hidden
StilachiRAT uses common TCP ports such as 53 and 443, the ports normally associated with DNS and HTTPS traffic, to mask its communication with its command-and-control (C2) servers. Because those ports are busy on almost every host, the C2 traffic blends in with normal activity and is harder for defenders to spot. One caveat worth knowing when hunting: ordinary DNS lookups almost always use UDP, so a process holding an established TCP connection to port 53 is itself a useful signal.
The malware follows commands that allow attackers to reboot systems, manipulate registries, clear logs, or deploy additional payloads. But perhaps most dangerously, it uses delayed execution, waiting up to two hours after installation before contacting its C2 servers—a clever ploy to bypass initial security scans.
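The following PowerShell snapshot is an added example for the C2 behaviour described above; it is not code from the page or from Microsoft's report. It lists established TCP connections to remote ports 53 and 443, joins each one to its owning process, and flags the combinations a defender would want to look at first: any TCP session to port 53, any process whose binary is not validly signed, and any binary living outside the Windows or Program Files directories. The port list and the directory pattern are assumptions chosen for illustration.

```powershell
# Added example (not from the page or Microsoft's report). Run in an elevated
# PowerShell on the host under investigation; Get-NetTCPConnection needs Windows 8 /
# Server 2012 or later.

$watchPorts = @(53, 443)     # ports the article says the RAT hides its C2 behind

$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $watchPorts -contains $_.RemotePort }

$report = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path          # null for protected/system processes
    $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'Unknown' }

    $flags = @()
    # DNS is almost always UDP; a long-lived TCP session to port 53 deserves a look
    if ($c.RemotePort -eq 53) { $flags += 'TCP to port 53' }
    if ($sig -ne 'Valid')     { $flags += "signature: $sig" }
    # Assumed "trusted" locations for this example; adjust for your build
    if ($path -and $path -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') {
        $flags += 'binary outside system/program dirs'
    }

    [pscustomobject]@{
        Process = if ($proc) { $proc.ProcessName } else { "pid $($c.OwningProcess)" }
        Path    = $path
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        Flags   = $flags -join '; '
    }
}

# Flagged rows first; unflagged rows are kept so the full picture is visible
$report | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

A valid signature is not proof of innocence and an unsigned binary is not proof of guilt; the table is a triage list, not a verdict. The article also notes that the malware halts C2 traffic when it sees tcpview.exe running, so a cmdlet-based snapshot like this one at least does not announce itself under that process name, though nothing here guarantees the malware checks only that tool.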
StilachiRAT doesn’t go down easily. It runs either as a Windows service or as a standalone component, both protected by a watchdog thread that continuously checks that the malware’s files are still in place. If defenders remove or disable them, StilachiRAT restores itself from an internal backup copy and recreates its Windows service by writing the required registry keys and registering with the Service Control Manager (SCM).
The malware also recognizes when analysis tools such as tcpview.exe are running and immediately stops C2 communication to avoid being observed. It clears event logs, detects sandbox environments, and uses anti-forensic techniques to erase traces of its activity.
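As an added example for the service-persistence behaviour described above (this is not code from the page or from Microsoft), the script below walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each Win32 service's executable, and flags services whose binary is unsigned or missing, lives outside the system and Program Files directories, or exists as a registry key the SCM does not currently report (the shape a service created by a direct registry write has until the next reboot). The "trusted" directory list is an assumption for illustration.

```powershell
# Added example (not from the page or Microsoft's report). Run elevated.

$sysRoot = $env:SystemRoot
# Assumed trusted locations; tighten or extend for your environment
$trusted = @("$sysRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\")

# Services the SCM currently knows about, by name
$scmNames = (Get-Service -ErrorAction SilentlyContinue).Name

$findings = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 0x10 / 0x20 = Win32 own-process / shared-process service; skip drivers and non-services
    if (-not $props.Type -or ($props.Type -band 0x30) -eq 0) { continue }
    if (-not $props.ImagePath) { continue }

    # Normalise the many ImagePath spellings: \??\C:\..., \SystemRoot\..., %SystemRoot%\..., "quoted path" args
    $raw = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $sysRoot
    $raw = [Environment]::ExpandEnvironmentVariables($raw)
    if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($raw -split '\s+[-/]')[0].Trim() }       # drop " -k netsvcs"-style arguments
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $sysRoot $exe }  # relative to SystemRoot

    $inTrusted = $false
    foreach ($t in $trusted) {
        if ($exe.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status }
           else { 'FileMissing' }
    $inScm = $scmNames -contains $key.PSChildName

    $reasons = @()
    if (-not $inTrusted) { $reasons += 'binary outside system/program dirs' }
    if ($sig -ne 'Valid') { $reasons += "signature: $sig" }
    if (-not $inScm)      { $reasons += 'registry key not reported by SCM' }

    if ($reasons) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = $exe
            Start     = $props.Start      # 2 = Automatic, 3 = Manual, 4 = Disabled
            Reasons   = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

The first run on any machine will list some legitimately unsigned third-party services; keep that output as a baseline and compare later runs against it, because a service that reappears after you deleted it is exactly the watchdog behaviour the article describes.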
According to Microsoft and cybersecurity experts, StilachiRAT exemplifies the new wave of multifunctional remote access Trojans designed for persistence, theft, and evasion—all within a single package.
“This malware’s ability to monitor clipboards, steal credentials, and restore itself if removed makes it extremely dangerous,” warned Andrew Costis from AttackIQ’s Adversary Research Team. “Its constant search for sensitive data like passwords and crypto keys is deeply concerning.”
Thomas Richards, Principal Consultant at Black Duck, noted that StilachiRAT demonstrates deep knowledge of Windows internals. “It hooks into the system to steal protected secrets and hides its tracks so well that detection becomes the biggest challenge,” Richards explained. “This level of sophistication shows serious investment in malware development.”
Microsoft’s Defense Recommendations
To defend against StilachiRAT, Microsoft recommends a multi-layered strategy:
- Enable Safe Links and Safe Attachments in Office 365 to stop malicious links and files in phishing attacks.
- Run endpoint detection and response (EDR) in block mode so Defender for Endpoint can remediate malicious artifacts it detects after a breach, including on hosts where a non-Microsoft antivirus product is the primary engine.
- Turn on Microsoft Defender’s protections against potentially unwanted applications (PUAs).
- Use web browsers that automatically block malicious websites and suspicious downloads.
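The PowerShell below is an added example, not Microsoft's text, that checks and applies the settings in the list above on a single endpoint and in an Exchange Online tenant. The Defender cmdlets need elevation; the mail section needs the ExchangeOnlineManagement module and an Exchange admin account. The policy names and `contoso.com` are placeholders, and the Edge policy is shown as one way of meeting the last bullet, not the only one.

```powershell
# Added example (not from the page or Microsoft). Placeholders: policy names, contoso.com.

# --- Endpoint: PUA protection and the mode Defender AV is running in -----------------
$prefs  = Get-MpPreference
$status = Get-MpComputerStatus
"PUAProtection : $($prefs.PUAProtection)"    # 0 = Disabled, 1 = Enabled, 2 = Audit mode
"AMRunningMode : $($status.AMRunningMode)"   # e.g. 'Normal', 'Passive Mode', 'EDR Block Mode'

if ($prefs.PUAProtection -ne 1) {
    Set-MpPreference -PUAProtection Enabled
}
# EDR in block mode is a tenant-wide switch in the Microsoft Defender portal
# (Settings > Endpoints > Advanced features); AMRunningMode above shows whether it applies here.

# --- Browser: Microsoft Edge SmartScreen for sites and downloads (machine policy) ------
$edgePol = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePol -Force | Out-Null
Set-ItemProperty -Path $edgePol -Name SmartScreenEnabled    -Value 1 -Type DWord
Set-ItemProperty -Path $edgePol -Name SmartScreenPuaEnabled -Value 1 -Type DWord

# --- Mail: Safe Attachments and Safe Links via Exchange Online PowerShell ---------------
Connect-ExchangeOnline

New-SafeAttachmentPolicy -Name 'Block malicious attachments' -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule   -Name 'Block malicious attachments' `
    -SafeAttachmentPolicy 'Block malicious attachments' -RecipientDomainIs 'contoso.com'

New-SafeLinksPolicy -Name 'Scan links on click' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Scan links on click' `
    -SafeLinksPolicy 'Scan links on click' -RecipientDomainIs 'contoso.com'
```

Run the first block on a few representative hosts before changing anything: a `PUAProtection` of 0 or an `AMRunningMode` of `Passive Mode` without block mode is the gap this list is meant to close.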