- StilachiRAT is a stealthy malware that steals credentials, crypto wallets, and system data while evading detection.
- It can execute remote commands, wipe event logs, and even shut down infected systems.
- Palo Alto Networks uncovered additional threats, including an IIS backdoor, a bootkit, and a post-exploitation framework.
Microsoft is sounding the alarm on a newly uncovered remote access trojan (RAT) dubbed StilachiRAT—an elusive piece of malware built to dodge detection, dig in deep, and siphon sensitive data straight from infected systems.
What is StilachiRAT?
According to the Microsoft Incident Response team, StilachiRAT is designed to steal everything from browser-stored credentials to digital wallet info, clipboard data, and detailed system information. The malware, first spotted in November 2024, operates via a DLL module called “WWStartupCtrl64.dll.”
So far, no specific hacker group or nation has been linked to its development. Microsoft hasn’t confirmed how it spreads, but common delivery methods for such trojans include phishing emails, malicious downloads, or exploited vulnerabilities. The bottom line? Organizations need to stay ahead of the game with strong security protocols.

How Does StilachiRAT Work?
This RAT goes all-in on system reconnaissance. It collects OS details, BIOS serial numbers, camera presence, active Remote Desktop Protocol (RDP) sessions, and even running GUI applications. Using Component Object Model (COM) and WMI Query Language (WQL), it methodically pulls system data without raising red flags.
One of its more alarming features is its focus on cryptocurrency wallets. StilachiRAT scans for wallet extensions in Google Chrome, specifically targeting major players like MetaMask, Trust Wallet, Coinbase Wallet, Phantom, TronLink, and several others. Once inside, it doesn’t just steal credentials—it also lifts clipboard content, watches RDP sessions, and beams the stolen data back to its remote command-and-control (C2) server.
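Because the malware goes looking for specific wallet extensions, a defender's first question is which endpoints actually carry them and so sit in StilachiRAT's target population. The inventory script below is an added example (not from the article, Microsoft, or any wallet vendor): it walks Chrome's extension directory, resolves the localised name placeholders that many extensions use in their manifest, and matches the result against a watchlist built from the names the article gives. The Windows profile path, the watchlist, and the `demo()` fixture are assumptions made for this example; the extension IDs in the fixture are constructed.

```python
"""Inventory Chrome extensions and flag cryptocurrency wallet extensions.

Added example, not from the article or from Microsoft. Defender's use:
knowing which endpoints carry wallet extensions tells you who is in
StilachiRAT's target population and deserves tighter monitoring.
Assumptions: default Chrome profile only; the watchlist is built
from the wallet names listed in the article.
"""
import json
import os
import tempfile
from pathlib import Path

# Wallet names mentioned in the article, lower-cased for substring matching.
WALLET_WATCHLIST = ("metamask", "trust wallet", "coinbase wallet", "phantom", "tronlink")


def default_extensions_dir() -> Path:
    """Chrome's extension store for the default profile on Windows (assumed layout)."""
    base = os.environ.get("LOCALAPPDATA", "")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the human-readable extension name.

    Many extensions set "name" to "__MSG_appName__" and keep the real string
    in _locales/<lang>/messages.json, so a naive manifest check misses them.
    Resolve the placeholder when present.
    """
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        messages = version_dir / "_locales" / locale / "messages.json"
        if messages.is_file():
            table = json.loads(messages.read_text(encoding="utf-8"))
            name = table.get(key, {}).get("message", name)
    return name


def iter_extensions(extensions_dir: Path):
    """Yield (extension_id, version, name) for every installed extension version."""
    if not extensions_dir.is_dir():
        return
    for ext_dir in sorted(p for p in extensions_dir.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            yield ext_dir.name, ver_dir.name, resolve_name(ver_dir, manifest)


def find_wallet_extensions(extensions_dir: Path, watchlist=WALLET_WATCHLIST):
    """Return the installed extensions whose resolved name matches the watchlist."""
    hits = []
    for ext_id, version, name in iter_extensions(extensions_dir):
        if any(w in name.lower() for w in watchlist):
            hits.append({"id": ext_id, "version": version, "name": name})
    return hits


def build_sample_profile(root: Path) -> None:
    """Constructed fixture: two fake extensions, one a wallet with a localised name."""
    notes = root / ("a" * 32) / "1.0.0"          # constructed extension id
    notes.mkdir(parents=True)
    (notes / "manifest.json").write_text(json.dumps({"name": "Sample Notes", "version": "1.0.0"}))
    wallet = root / ("b" * 32) / "2.3.1"         # constructed extension id
    (wallet / "_locales" / "en").mkdir(parents=True)
    (wallet / "manifest.json").write_text(
        json.dumps({"name": "__MSG_appName__", "default_locale": "en", "version": "2.3.1"}))
    (wallet / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Phantom Wallet (constructed)"}}))


def demo():
    """Run the scan against the constructed fixture instead of a live profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_profile(root)
        return find_wallet_extensions(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    # On a real endpoint: find_wallet_extensions(default_extensions_dir())
```

Name matching is deliberately fuzzy; matching on published extension IDs would be more precise, but the article does not list them, so they are left out rather than guessed.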
A Multi-Purpose Espionage Tool
The malware’s C2 connection isn’t just for data theft; it allows remote operators to execute commands in real time. Microsoft has identified at least 10 different functions StilachiRAT can perform:
- Display an HTML-rendered dialog box from a supplied URL (Command 07)
- Wipe event logs to erase forensic traces (Command 08)
- Shut down the system using an undocumented Windows API (Command 09)
- Establish outbound or inbound network connections (Commands 13 & 14)
- Terminate active network connections (Command 15)
- Launch applications remotely (Command 16)
- Scan open windows for specific title bar text (Command 19)
- Put the system into sleep or hibernation mode (Command 26)
- Steal Chrome passwords outright (Command 30)
To evade detection, StilachiRAT employs anti-forensic techniques, including event log clearing and sandbox evasion—constantly checking for analysis tools before fully activating.
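Event log wiping (Command 08 above) is the anti-forensic step a detection team can most reliably turn around: Windows itself records a wipe, writing Security event 1102 when the Security log is cleared and System event 104 when any other log is cleared, so the first record in a freshly cleared log is the one that says it was cleared. The detector below is an added example, not from the article or from Microsoft. It runs over constructed, already-normalised event records (the field names in `SAMPLE_EVENTS` are assumptions), raises one alert per cleared log, and escalates when several logs on one host are cleared within a short window, since an administrator tidying a single log looks very different from a tool clearing everything at once.

```python
"""Detect Windows event-log clearing in a batch of event records.

Added example, not from the article or from Microsoft. Windows records a
log wipe as Security event 1102 (Security log cleared) or System event
104 (any other log cleared). Several logs cleared within minutes on one
host is treated as higher severity than a single clear.
Assumptions: records are already normalised to the simple dict shape used
in SAMPLE_EVENTS; the field names are hypothetical.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), already parsed to dicts.
SAMPLE_EVENTS = [
    {"time": "2025-03-17T10:00:12", "host": "WS01", "channel": "Security", "event_id": 4624, "subject": "alice"},
    {"time": "2025-03-17T10:05:40", "host": "WS01", "channel": "Security", "event_id": 1102, "subject": "alice"},
    {"time": "2025-03-17T10:05:41", "host": "WS01", "channel": "System", "event_id": 104, "subject": "alice", "log": "Application"},
    {"time": "2025-03-17T10:05:42", "host": "WS01", "channel": "System", "event_id": 104, "subject": "alice", "log": "System"},
    {"time": "2025-03-17T12:30:00", "host": "WS02", "channel": "System", "event_id": 104, "subject": "bob", "log": "Application"},
    {"time": "2025-03-17T12:31:00", "host": "WS02", "channel": "Security", "event_id": 4634, "subject": "bob"},
]

# (channel, event_id) -> which log was cleared; None means "read it from the record".
CLEAR_SIGNATURES = {("Security", 1102): "Security", ("System", 104): None}


def extract_clear_events(records):
    """Keep only the log-clear records, with parsed timestamps, sorted by host then time."""
    clears = []
    for rec in records:
        key = (rec["channel"], rec["event_id"])
        if key not in CLEAR_SIGNATURES:
            continue
        clears.append({
            "time": datetime.fromisoformat(rec["time"]),
            "host": rec["host"],
            "log": CLEAR_SIGNATURES[key] or rec.get("log", "unknown"),
            "subject": rec.get("subject", "unknown"),
        })
    return sorted(clears, key=lambda e: (e["host"], e["time"]))


def detect_log_clearing(records, burst_window=timedelta(minutes=5)):
    """One alert per cleared log; 'high' when other logs on the same host were cleared within burst_window."""
    clears = extract_clear_events(records)
    alerts = []
    for ev in clears:
        # Count other clears on the same host inside the window (the burst heuristic).
        burst = sum(
            1 for other in clears
            if other["host"] == ev["host"] and other is not ev
            and abs(other["time"] - ev["time"]) <= burst_window
        )
        reason = f"{ev['log']} log cleared by {ev['subject']}"
        if burst:
            reason += f"; {burst} other log(s) cleared within {burst_window}"
        alerts.append({
            "host": ev["host"],
            "time": ev["time"].isoformat(),
            "log": ev["log"],
            "subject": ev["subject"],
            "severity": "high" if burst else "medium",
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["reason"])
```

Forwarding logs off the host as they are written is what makes this useful in practice: a wipe removes the local copy, but the 1102/104 records and everything that preceded them survive in the collector.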
The Bigger Cybersecurity Picture
This disclosure comes as Palo Alto Networks’ Unit 42 reports three more unusual malware strains circulating in the wild:
- An IIS backdoor that parses incoming HTTP requests and executes embedded commands.
- A bootkit that installs a GRUB 2 bootloader through an unsecured kernel driver (potentially a prank, as it plays Dixie through the PC speaker upon reboot).
- A Windows implant of ProjectGeass, a sophisticated post-exploitation framework.
These discoveries highlight the increasing sophistication of cyber threats. As attackers refine their techniques, organizations must stay proactive—because once malware like StilachiRAT burrows in, it doesn’t let go easily.