Microsoft Corp. has identified a new remote access trojan (RAT) named StilachiRAT that targets cryptocurrency wallet extensions for Google Chrome. First detected by Microsoft's incident response team in November 2024, the malware can steal a wide range of sensitive data, including credentials saved in the browser and digital wallet information, and it specifically targets 20 wallet extensions, among them MetaMask, Coinbase Wallet, Trust Wallet and OKX Wallet. Its functionality lives in the WWStartupCtrl64.dll module, which extracts and decrypts Chrome's saved credentials, monitors the clipboard for passwords, cryptocurrency keys and identifiers tied to the Tron network, and carries out commands issued by its command-and-control server, including data theft. The malware also monitors active Remote Desktop Protocol (RDP) sessions on Windows systems and can duplicate security tokens to impersonate logged-on users, a particular risk on RDP servers that host administrative sessions. To evade detection, StilachiRAT clears system event logs, checks for analysis tools and sandbox environments before running its commands, and uses other anti-forensic behaviors. Microsoft has not attributed StilachiRAT to any known threat actor or geographic region, and its distribution appears limited at this stage.
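Two host-side checks a practitioner would run after reading the report above, as an added Python example that is neither Microsoft's code nor part of the original page: a scan of a Chrome profile's Extensions directory for the wallet extensions the report names (matched by displayed name, so no extension IDs are assumed), and a filter that pulls Windows "log file was cleared" records (Security Event ID 1102, System Event ID 104) out of a wevtutil XML export, since clearing event logs is one of StilachiRAT's evasion behaviors. The sample event export, the extension tree and the 32-character extension IDs are constructed here for illustration; the UserData/LogFileCleared/SubjectUserName layout is the standard one for those two event IDs.

```python
"""Triage checks suggested by the StilachiRAT write-up (added example, not Microsoft's
code): which targeted wallet extensions a Chrome profile has installed, and whether
Windows event logs were cleared. Event ID 1102 (Security) and 104 (System) are the
standard Windows "log file was cleared" records. Sample XML, extension IDs and the
sample extension tree are constructed for illustration."""
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOG_CLEARED = {"1102": "Security log cleared", "104": "System log cleared"}
# Wallet extensions named in the report, matched by displayed name rather than by ID.
TARGETED_WALLETS = {"MetaMask", "Coinbase Wallet", "Trust Wallet", "OKX Wallet"}


def log_clearing_events(xml_events: str) -> list[dict]:
    """Flag log-clearing records in a wevtutil-style XML export.

    `wevtutil qe Security /f:xml` prints bare <Event> elements back to back, so they
    are wrapped in a root before parsing. The account that cleared the log sits in
    UserData/LogFileCleared/SubjectUserName; it is matched by local name so the
    UserData namespace does not matter.
    """
    root = ET.fromstring(f"<Events>{xml_events}</Events>")
    hits = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = system.findtext("e:EventID", default="", namespaces=NS)
        if event_id not in LOG_CLEARED:
            continue
        actor = next((n.text for n in ev.iter() if n.tag.endswith("}SubjectUserName")), None)
        created = system.find("e:TimeCreated", NS)
        hits.append({
            "event_id": int(event_id),
            "what": LOG_CLEARED[event_id],
            "computer": system.findtext("e:Computer", default="", namespaces=NS),
            "time": created.get("SystemTime") if created is not None else None,
            "actor": actor,
        })
    return hits


def extension_name(version_dir: Path) -> str:
    """Read an extension's display name, resolving Chrome's __MSG_key__ i18n
    placeholder through _locales/<default_locale>/messages.json when one is used."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        messages = version_dir / "_locales" / locale / "messages.json"
        if messages.is_file():
            entry = json.loads(messages.read_text(encoding="utf-8")).get(name[6:-2], {})
            name = entry.get("message", name)
    return name


def installed_wallets(extensions_dir: Path) -> dict[str, str]:
    """Map extension ID -> wallet name for targeted wallets under a profile's
    Extensions/ directory (layout: Extensions/<id>/<version>/manifest.json).
    On Windows the default profile is %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default."""
    found = {}
    if not extensions_dir.is_dir():
        return found
    for ext_dir in extensions_dir.iterdir():
        if not ext_dir.is_dir():
            continue
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                name = extension_name(manifest.parent)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, don't abort the scan
            if name in TARGETED_WALLETS:
                found[ext_dir.name] = name
    return found


# Constructed sample export: one Security-log clear plus an unrelated logon event.
SAMPLE_EVENTS = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
    <TimeCreated SystemTime="2025-03-17T09:41:02.000Z"/><Channel>Security</Channel>
    <Computer>WKS-07.corp.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>svc_backup</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName>
  </LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2025-03-17T09:40:55.000Z"/><Channel>Security</Channel>
    <Computer>WKS-07.corp.example</Computer></System>
</Event>
"""


def demo_wallet_scan() -> dict[str, str]:
    """Build a constructed Extensions/ tree (placeholder IDs) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "Extensions"
        # i18n-named wallet, the way MetaMask's manifest names itself
        v = ext / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "12.0.0_0"
        (v / "_locales" / "en").mkdir(parents=True)
        (v / "manifest.json").write_text(
            json.dumps({"name": "__MSG_appName__", "default_locale": "en"}))
        (v / "_locales" / "en" / "messages.json").write_text(
            json.dumps({"appName": {"message": "MetaMask"}}))
        # a plain-named wallet and an unrelated extension
        for ext_id, name in [("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Trust Wallet"),
                             ("cccccccccccccccccccccccccccccccc", "Dark Reader")]:
            v = ext / ext_id / "1.0_0"
            v.mkdir(parents=True)
            (v / "manifest.json").write_text(json.dumps({"name": name}))
        return installed_wallets(ext)


if __name__ == "__main__":
    print(log_clearing_events(SAMPLE_EVENTS))
    print(demo_wallet_scan())
```

On a live Windows host, export the records with `wevtutil qe Security /q:"*[System[(EventID=1102)]]" /f:xml` (and the System log for 104) and point `installed_wallets` at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`. A log-cleared record whose actor is not a known administrator deserves a look on its own; on a host where one of the targeted wallets is installed, correlate its timestamp with when WWStartupCtrl64.dll first appeared, if it is present.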
⚠️#Microsoft users, be cautious! Fake Microsoft Teams sites spreading malware have been detected.🎣 Always verify the source before installing any app to ensure it's from an official channel. 🛡️Stay safe! https://t.co/kaDnScjPYw
Never click on anything in an e-mail. Go through the apps, in person, or by phone to the agency. Warn your parents, children and friends. The crooks are just waiting for a click. https://t.co/kRgKXkdrEN
🚨SlowMist Security Alert🚨 Beware of #Trojans disguised as cracked versions of TradingView! AMOS and Lumma info stealers have recently been distributed via #Reddit posts targeting Mac and Windows users in the crypto space, draining their wallets and stealing personal data. One https://t.co/c5eYDzbzmG