New Trojan Threatens MetaMask, Phantom, and Coinbase Wallets
A newly identified malware strain, StilachiRAT, is actively targeting popular crypto wallet extensions such as MetaMask, Phantom, and Coinbase Wallet, according to Microsoft security researchers.
The malware, first discovered in November 2024, has been refined to specifically scan for crypto wallet extensions within Google Chrome, extract credentials, and monitor clipboard activity for private keys and passwords.
How StilachiRAT Steals Crypto Data
Unlike traditional phishing attacks, StilachiRAT operates in the background, continuously scanning for wallet-related information stored in browsers. It is designed to decrypt saved credentials and steal login details, allowing attackers to gain unauthorized access to user accounts.
Microsoft’s research indicates that the malware focuses heavily on the Tron network, which is widely used in China and Southeast Asia. The malware has been found targeting various wallets, including Trust Wallet, TronLink, OKX Wallet, Keplr, Sui Wallet, and Math Wallet.
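Because the malware looks for wallet extensions inside the Chrome profile, a useful defender-side first step is knowing which of those extensions are actually installed on a machine, so exposure can be scoped and users warned. The script below is an added example, not code from Microsoft's report or from the article: it walks Chrome's on-disk layout (`<profile>/Extensions/<extension id>/<version>/manifest.json`, which is how Chrome stores unpacked extensions), resolves localized `__MSG_key__` names from `_locales`, and matches names against the wallets the article lists. The extension IDs in the sample profile it builds are placeholders, not the real IDs of any wallet.

```python
import json
import tempfile
from pathlib import Path

# Wallet names taken from the article; matching is by manifest "name" field.
WALLET_NAMES = ("MetaMask", "Phantom", "Coinbase Wallet", "Trust Wallet",
                "TronLink", "OKX Wallet", "Keplr", "Sui Wallet", "Math Wallet")


def _resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the human-readable extension name.

    Chrome manifests may carry a '__MSG_key__' placeholder that points into
    _locales/<default_locale>/messages.json; resolve that so matching works.
    """
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = version_dir / "_locales" / locale / "messages.json"
        if msg_file.is_file():
            messages = json.loads(msg_file.read_text(encoding="utf-8"))
            name = messages.get(key, {}).get("message", name)
    return name


def inventory_wallet_extensions(extensions_dir: Path, watch=WALLET_NAMES):
    """Report installed extensions whose name matches a wallet on the watch list."""
    hits = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort
        name = _resolve_name(version_dir, manifest)
        matched = [w for w in watch if w.lower() in name.lower()]
        if matched:
            hits.append({"id": ext_id, "name": name,
                         "version": manifest.get("version", version_dir.name),
                         "wallet": matched[0]})
    return hits


def build_sample_profile(base: Path) -> Path:
    """Construct a fake Extensions directory (sample data, not a real profile).

    The 32-character IDs are placeholders; real Chrome IDs use letters a-p.
    """
    ext_root = base / "Extensions"
    samples = {
        "a" * 32: {"name": "MetaMask", "version": "12.0.0"},
        "b" * 32: {"name": "__MSG_appName__", "default_locale": "en",
                   "version": "24.1"},
        "c" * 32: {"name": "Tab Notes", "version": "1.2"},
    }
    for ext_id, manifest in samples.items():
        vdir = ext_root / ext_id / (manifest["version"] + "_0")
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    # Locale file that gives the placeholder-named extension its real name.
    loc = ext_root / ("b" * 32) / "24.1_0" / "_locales" / "en"
    loc.mkdir(parents=True)
    (loc / "messages.json").write_text(
        json.dumps({"appName": {"message": "Phantom"}}), encoding="utf-8")
    return ext_root


def demo():
    """Build the constructed profile in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_wallet_extensions(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real host, point `inventory_wallet_extensions` at the profile's `Extensions` folder (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows); the walk is read-only, so it is safe to run from an endpoint management tool.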
Cybercriminal Tactics and Social Engineering Attacks
Threat intelligence analyst Aaron Walton from cybersecurity firm Expel highlighted how attackers are using social engineering tactics to distribute StilachiRAT. Methods include fake job offers, fraudulent downloads, and deceptive CAPTCHA pop-ups to trick users into installing the malware.
Security experts also noted that StilachiRAT wipes event logs and employs anti-forensic techniques, making detection difficult. However, Microsoft believes that its distribution remains limited for now.
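Log wiping itself leaves a trace: when the Windows Security log is cleared, Windows writes event 1102 ("The audit log was cleared"), and clearing the System log writes event 104, both from the Microsoft-Windows-Eventlog provider; the built-in tools that do the clearing also show up in process-creation telemetry (Security 4688, Sysmon event 1). The detection below is an added example, not from the article or Microsoft's report. The event records are constructed, and the field names (`channel`, `event_id`, `command_line`, `user`, `time`) are an assumed normalized schema such as a SIEM might produce, not Windows' native XML.

```python
import re

# Windows "log cleared" records (real event IDs).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Process-creation events (real IDs): Security 4688 and Sysmon 1.
PROCESS_CREATE = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}
# Built-in commands that clear a log; outside a change window they are a
# strong anti-forensics signal. 'qe' (query) and similar read-only uses are
# deliberately not matched.
CLEAR_CMD = re.compile(
    r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog)", re.IGNORECASE)


def detect_log_clearing(events):
    """Return one finding string per log-clearing event or command."""
    findings = []
    for ev in events:
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEARED:
            findings.append(
                f"{ev['time']} {ev['channel']} log cleared by {ev.get('user', '?')}")
        elif key in PROCESS_CREATE and CLEAR_CMD.search(ev.get("command_line", "")):
            findings.append(
                f"{ev['time']} log-clearing command by {ev.get('user', '?')}: "
                f"{ev['command_line']}")
    return findings


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {"time": "2025-03-17T09:00:01Z", "channel": "Security", "event_id": 4624,
     "user": "DESKTOP\\alice"},
    {"time": "2025-03-17T09:12:40Z", "channel": "Security", "event_id": 4688,
     "user": "DESKTOP\\alice",
     "command_line": "C:\\Windows\\System32\\wevtutil.exe cl Security"},
    {"time": "2025-03-17T09:12:41Z", "channel": "Security", "event_id": 1102,
     "user": "DESKTOP\\alice"},
    {"time": "2025-03-17T09:12:45Z", "channel": "System", "event_id": 104,
     "user": "DESKTOP\\alice"},
    {"time": "2025-03-17T09:30:00Z", "channel": "Security", "event_id": 4688,
     "user": "DESKTOP\\helpdesk",
     "command_line": "wevtutil.exe qe Security /c:5"},  # read-only query
    {"time": "2025-03-17T09:31:10Z",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "user": "DESKTOP\\alice",
     "command_line": "powershell.exe Clear-EventLog -LogName Application"},
]


def run_sample():
    return detect_log_clearing(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The two signals complement each other: the 1102/104 records survive even when the clearing command was not captured, while the command-line match catches a clear of a channel (such as Application) that does not write its own "cleared" record.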
As cyber threats targeting crypto users continue to evolve, Microsoft is urging wallet providers and security firms to proactively monitor and enhance defenses against remote access trojans like StilachiRAT.