Microsoft security researchers have identified a new malware threat targeting popular crypto wallet extensions including MetaMask and Phantom.
The StilachiRAT remote access trojan was first discovered in November 2024, and Microsoft's subsequent analysis shows that it specifically targets crypto wallets.
MetaMask, Coinbase, Phantom, Keplr and more could be at risk because the RAT scans for cryptocurrency wallet extensions in the Google Chrome browser, then extracts and decrypts saved credentials to recover usernames and passwords.
The information-gathering RAT also continuously monitors clipboard content, actively hunting for sensitive data such as cryptocurrency keys and passwords.
The researchers shared examples of the regular expressions the RAT uses to scan clipboard contents for credentials, noting that they're seeking information related to the Tron network—which is particularly popular in China.
Microsoft says that StilachiRAT targets specific wallets including: Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos - Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, and Plug.
Aaron Walton, Threat Intel Analyst at Expel, told Decrypt: "Infostealing malware leverages social engineering to trick users into downloading and executing malicious code. These lures range from a download, to a job offer, or even a fake captcha that interrupts a user while web browsing.
"There is big money to be made and the tactics criminals are using can bypass basic security and even business level defenses."
StilachiRAT also appears to use anti-forensic behaviors, including clearing event logs, to evade detection.
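One defensive check that the log-clearing behavior suggests, as an added example that is not from Microsoft's report or this article: a small Python scanner that flags the Windows events written when an event log is cleared (Security event ID 1102, System/Application event ID 104, both from the Microsoft-Windows-Eventlog provider). The JSON-lines export format and its field names are an assumption for the example.

```python
import json
from dataclasses import dataclass

# Windows events written when a log is cleared (provider Microsoft-Windows-Eventlog):
#   1102 = Security log cleared, 104 = System or Application log cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"

@dataclass
class Finding:
    record_id: int
    event_id: int
    channel: str
    user: str
    host: str

def parse_events(text):
    """Parse newline-delimited JSON records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def detect_log_clearing(events):
    """Return a Finding for every record that documents a cleared event log."""
    findings = []
    for ev in events:
        try:
            event_id = int(ev.get("EventID"))
        except (TypeError, ValueError):
            continue  # records without a numeric EventID cannot match
        # Other applications may reuse ID 104, so require the Eventlog provider too.
        if event_id in LOG_CLEARED_EVENT_IDS and ev.get("Provider") == EVENTLOG_PROVIDER:
            findings.append(Finding(int(ev.get("RecordID", 0)), event_id, str(ev.get("Channel", "")),
                                    str(ev.get("SubjectUserName", "")), str(ev.get("Computer", ""))))
    return findings

# Constructed sample export (JSON lines, assumed format): one logon, two log-clear events, one decoy ID 104.
SAMPLE_EXPORT = """
{"RecordID": 501, "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "SubjectUserName": "alice", "Computer": "WS01"}
{"RecordID": 502, "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "Channel": "Security", "SubjectUserName": "alice", "Computer": "WS01"}
{"RecordID": 503, "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "Channel": "System", "SubjectUserName": "alice", "Computer": "WS01"}
{"RecordID": 504, "EventID": 104, "Provider": "ExampleApp", "Channel": "Application", "SubjectUserName": "svc", "Computer": "WS01"}
not json at all
"""

if __name__ == "__main__":
    for f in detect_log_clearing(parse_events(SAMPLE_EXPORT)):
        print(f"ALERT host={f.host} user={f.user} cleared={f.channel} (EventID {f.event_id}, record {f.record_id})")
```

A cleared log is rarely legitimate outside scheduled maintenance, so these events are worth forwarding to a central collector before an intruder can remove them locally.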
The Microsoft Incident Response team says: "Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape."
Edited by Stacy Elliott.