Key Takeaways
What is StilachiRAT?
StilachiRAT’s primary strength lies in its reconnaissance capabilities. Upon execution, it gathers comprehensive system information, including operating system details, hardware identifiers, and the presence of cameras. It also monitors active Remote Desktop Protocol (RDP) sessions and running GUI applications, providing attackers with a detailed blueprint of the compromised environment. This profiling enables tailored exploitation, making it a potent tool for espionage and lateral movement within networks.
A key focus of StilachiRAT is financial gain through cryptocurrency theft. The malware targets configuration data from 20 Google Chrome cryptocurrency wallet extensions, including widely used platforms like MetaMask, Coinbase Wallet, and Trust Wallet. By extracting this data, attackers can potentially access victims’ digital assets, a lucrative vector given the rising value of cryptocurrencies. Additionally, StilachiRAT employs Windows APIs to extract and decrypt credentials stored in Chrome, exposing usernames and passwords to unauthorized access.
The trojan’s C2 infrastructure further amplifies its threat profile. It establishes communication with remote C2 servers over TCP ports 53, 443, or 16000, enabling attackers to issue commands remotely. These commands range from system reboots and log clearing to application execution and window manipulation. The malware can also suspend systems using the SetSuspendState() API or modify registry values, ensuring persistence and control. This versatility underscores its dual role in espionage and system disruption.
Evasion is a cornerstone of StilachiRAT’s design. It clears event logs to erase traces of its activity and leverages undocumented Windows APIs for stealthy operations, such as system shutdowns. Its ability to enumerate open windows and interact with GUI applications enhances its capacity to harvest sensitive data, including clipboard contents, without raising immediate alarms. PolySwarm analysts consider StilachiRAT to be an emerging threat.
IOCs
PolySwarm has a sample of StilachiRAT.
SHA-256: 394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb
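The behaviours described above (TCP beacons to ports 53, 443 or 16000, event-log clearing, and the sample hash listed under IOCs) are the ones a defender can turn into host telemetry rules. The following detection sketch is an added example and is not PolySwarm's code or tooling. It runs over constructed JSON-lines records loosely modelled on Windows Security event 1102 (audit log cleared) and Sysmon events 1 (process create, with the Hashes field) and 3 (network connection); the process allow-list for ports 53 and 443 is an assumption that a real deployment would replace with its own baseline.

```python
"""Detection sketch for StilachiRAT-style behaviour over constructed telemetry.

Added example, not the report's own code. Events below are constructed in a
simplified JSON-lines shape; real Windows/Sysmon records carry more fields.
"""
import json

# SHA-256 IOC from the report.
IOC_SHA256 = {"394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb"}

# C2 ports named in the report. 53 and 443 are legitimate for DNS resolvers and
# HTTPS, so they are flagged only when the connecting process is not expected to
# use them; 16000 is unusual enough to flag outright.
C2_PORTS = {53, 443, 16000}
EXPECTED_PORT_USERS = {                      # assumption: site-specific baseline
    53: {"svchost.exe"},                     # DNS client service
    443: {"chrome.exe", "msedge.exe", "svchost.exe"},
}

# Constructed sample telemetry (one JSON object per line).
CONSTRUCTED_EVENTS = r"""
{"channel":"Security","event_id":1102,"host":"WS01","user":"DESKTOP\\alice"}
{"channel":"Sysmon","event_id":1,"host":"WS01","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe","hashes":"SHA256=394743DD67EB018B02E069E915F64417BC1CD8B33E139B92240A8CF45CE10FCB"}
{"channel":"Sysmon","event_id":3,"host":"WS01","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe","protocol":"tcp","dest_ip":"203.0.113.10","dest_port":16000}
{"channel":"Sysmon","event_id":3,"host":"WS01","image":"C:\\Windows\\System32\\svchost.exe","protocol":"udp","dest_ip":"192.0.2.53","dest_port":53}
{"channel":"Sysmon","event_id":3,"host":"WS01","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe","protocol":"tcp","dest_ip":"203.0.113.10","dest_port":53}
{"channel":"Sysmon","event_id":3,"host":"WS01","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","protocol":"tcp","dest_ip":"198.51.100.7","dest_port":443}
"""


def parse_hashes(field):
    """Sysmon 'Hashes' is 'ALG=hex,ALG=hex'; return {ALG: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of alert strings for one event (empty if nothing fires)."""
    alerts = []
    channel, eid = ev.get("channel"), ev.get("event_id")
    if channel == "Security" and eid == 1102:
        # Audit log cleared: matches the log-wiping behaviour in the report.
        alerts.append(f"log_cleared host={ev['host']} user={ev.get('user')}")
    elif channel == "Sysmon" and eid == 1:
        sha = parse_hashes(ev.get("hashes", "")).get("SHA256")
        if sha in IOC_SHA256:
            alerts.append(f"ioc_hash_match host={ev['host']} image={ev['image']}")
    elif channel == "Sysmon" and eid == 3:
        port, proc = ev.get("dest_port"), basename(ev.get("image", ""))
        # The report describes TCP C2, so UDP DNS from the resolver stays quiet.
        if ev.get("protocol") == "tcp" and port in C2_PORTS:
            if port == 16000 or proc not in EXPECTED_PORT_USERS.get(port, set()):
                alerts.append(
                    f"suspicious_c2_port host={ev['host']} image={ev['image']} "
                    f"dst={ev['dest_ip']}:{port}"
                )
    return alerts


def scan(lines):
    """Run check_event over JSON-lines text and return all alerts in order."""
    alerts = []
    for line in lines.strip().splitlines():
        line = line.strip()
        if line:
            alerts.extend(check_event(json.loads(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(CONSTRUCTED_EVENTS):
        print(alert)
```

Run as-is, the sample data produces four alerts: the cleared Security log, the hash match on the process-create event, and two TCP connections from the same unsigned-looking binary to ports 16000 and 53. The svchost.exe UDP lookup and the Chrome HTTPS session pass, which is the point of gating the well-known ports on the process rather than the port alone.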
You can use the following CLI command to search for all StilachiRAT samples in our portal:
$ polyswarm link list -f StilachiRAT
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.