Post

StilachiRAT: A Sophisticated Threat in the Cyber Landscape

Posted
By Tom Grant
2 min read
StilachiRAT: A Sophisticated Threat in the Cyber Landscape

TL;DR

  • Microsoft discovered a new remote access trojan (RAT) named StilachiRAT, which employs advanced techniques for stealth, persistence, and data theft.
  • The malware targets browser credentials, digital wallet data, and system information, making it a significant cybersecurity threat.

New Sophisticated Remote Access Trojan: StilachiRAT

Microsoft researchers have uncovered a new remote access trojan (RAT) dubbed StilachiRAT. This sophisticated malware is designed for stealth, persistence, and data theft. Discovered in November 2024, StilachiRAT is equipped with advanced functionalities to steal credentials from browsers, digital wallet data, clipboard content, and system information. The malware’s evasion methods make it a formidable threat in the cyber landscape1.

Advanced Evasion Techniques

StilachiRAT employs several sophisticated techniques to avoid detection:

  • Persistence: The RAT maintains persistence through the Windows service control manager (SCM) and uses watchdog threads to reinstate itself if removed2.
  • Data Theft: It scans configuration data from numerous cryptocurrency wallet extensions to steal digital assets. Targeted extensions include Bitget Wallet, Trust Wallet, TronLink, MetaMask, and more.
  • Credential Extraction: StilachiRAT can extract Chrome’s encrypted encryption_key and decrypt it using Windows APIs to access stored credentials. It retrieves login data from SQLite databases and sends it to the attacker.
  • Communication: The malware communicates with a C2 server via obfuscated domains and binary-formatted IPs, using random TCP ports (53, 443, or 16000). It delays the connection by two hours and terminates if tcpview.exe is present.
  • Monitoring: StilachiRAT monitors RDP sessions for active windows and user impersonation, enabling lateral movement.

Detection Evasion

StilachiRAT evades detection through various methods:

  • Log Clearing: The malware clears logs and checks for analysis tools.
  • API Obfuscation: It encodes API names as checksums, dynamically resolving them at runtime while using XOR-masked lookup tables to hinder analysis.
  • C2 Commands: The RAT executes various C2 commands, including system reboot, log clearing, credential theft, application execution, and registry modifications. It can display dialog boxes, establish or accept network connections, terminate itself, suspend the system, and enumerate open windows.

Mitigation and Indicators of Compromise

Microsoft’s report includes mitigations along with indicators of compromise (IoCs) to help organizations detect and defend against StilachiRAT.

Additional Resources

For further insights, check:

Conclusion

StilachiRAT represents a significant advancement in malware sophistication, highlighting the need for robust cybersecurity measures. Organizations must stay vigilant and implement comprehensive security strategies to protect against such threats.

References

  1. (2025). “StilachiRAT Analysis: From System Reconnaissance to Cryptocurrency Theft”. Microsoft Security Blog. Retrieved 2025-03-18. ↩︎

  2. (2025). “Service Control Manager”. Microsoft Learn. Retrieved 2025-03-18. ↩︎

Cybersecurity, Malware
cybersecurity remote access trojan stilachirat
This post is licensed under CC BY 4.0 by the author.