StilachiRAT surfaced in November 2024 but does not appear to be widely distributed so far. However, its stealth capabilities make it a potent threat that enterprise security teams need to be aware of and protect against, Microsoft warned this week. "Microsoft continues to monitor information on the delivery vector used in these attacks," the company noted. "Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security-hardening measures to prevent the initial compromise."

StilachiRAT is a veritable Swiss Army knife for hackers. It can collect wide-ranging data like OS details, hardware identifiers including BIOS serial numbers, camera presence, and active remote desktop protocol (RDP) sessions from the system on which it is installed.

The malware is enabled for credential theft and can extract and decrypt usernames and passwords stored in Google Chrome. It targets cryptocurrency assets by scanning for as many as 20 wallet extensions within the Chrome browser. The wallets in its target list include Coinbase, Fractal, Phantom, Manta, and Bitget. In addition, the malware continuously collects clipboard content and monitors active applications, specifically targeting sensitive data such as passwords and cryptocurrency keys.

StilachiRAT is stealthy. The malware communicates with its command-and-control (C2) servers through commonly used TCP ports like Port 53, typically associated with DNS traffic, and 443, the standard port for HTTPS traffic. Both are ports that malware tools frequently use to hide malicious activity and receive commands from a C2 server. In the case of StilachiRAT, the commands it can act upon include system reboots, registry manipulation, log clearing, and executing additional malicious payloads.