Millions of people continue to use Chrome browser extensions to store cryptocurrencies, unaware that their assets are at risk

Chrome won’t protect your crypto anymore — and here’s why

03.04.2025

In November 2024, Microsoft Threat Intelligence discovered a new remote access trojan (RAT) called StilachiRAT. It is currently the most advanced malware of its kind, performing extensive reconnaissance of the victim's device. Besides collecting complete information about the operating system, BIOS serial numbers, active remote desktop (RDP) sessions and I/O devices, the trojan specifically targets the Chrome browser, because that is where the most valuable user data is stored.

StilachiRAT monitors the activity of 20 of the most popular Chrome extensions for managing crypto assets, such as MetaMask, Coinbase, Fractal, Fantom and others. The malware also reads the clipboard and inspects other running applications in search of private keys.

Microsoft Threat Intelligence notes that StilachiRAT's capabilities make it a serious cybersecurity concern. GetBlock AML Research has published recommendations you can follow to better protect your assets.

How StilachiRAT infiltrates devices

Attackers have a variety of ways to get malicious code onto potential victims' devices:

  • Phishing. Spam containing malware is actively spread not only by email but also via messengers and social networks; attackers often disguise the malware as photos and other media files;
  • Fake extensions. Downloading browser extensions from unreliable sources is very likely to infect your device, since fake extensions carrying malicious code are actively distributed on the Internet;
  • Pirated software. Cracked software often contains malicious code;
  • RDP attacks. Attackers regularly attack remote desktop hosts to gain unauthorized access to users' devices and plant malicious code on them;
  • USB droppers. Attackers distribute infected USB drives that infect a device as soon as they are plugged in;
  • Drive-by downloads. When a user visits a malicious website, code the attackers have embedded in the site's source is executed on the user's device;
  • Fake applications. Counterfeit copies of popular applications containing malware are actively distributed on the Internet.

What happens next

After gaining access to the device and the Chrome browser, the trojan checks the system for installed crypto wallets. It does this by examining the registry key \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings.

Below is the table of extensions that StilachiRAT is able to detect.

Extension name                     Internal extension ID
Bitget Wallet (formerly BitKeep)   jiidiaalihmmhddjgbnbgdfflelocpak
Trust Wallet                       egjidjbpglichdcondbcbdnbeeppgdph
TronLink                           ibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMask                           nkbihfbeogaeaoehlefnkodbefgpgknn
TokenPocket                        mfgccjchihfkkindfppnaooecgfneiii
BNB Chain Wallet                   fhbohimaelbohpjbbldcngcnapndodjp
OKX Wallet                         mcohilncbfahbmgdjkbpemcciiolgcge
Sui Wallet                         opcgpfmipidbgpenhmajoajpbobppdil
Braavos – Starknet Wallet          jnlgamecbpmbajjfhmmmlhejkemejdma
Coinbase Wallet                    hnfanknocfeofbddgcijnmhnfnkdnaad
Leap Cosmos Wallet                 fcfcfllfndlomdhbehjjcoimbgofdncg
Manta Wallet                       enabgbdfcbaehmbigakijjabdpdnimlg
Keplr                              dmkamcknogkgcdfhhbddcghachkejeap
Phantom                            bfnaelmomeimhlpmgjnjophhpkkoljpa
Compass Wallet for Sei             anokgmphncpekkhclmingpimjmcooifb
Math Wallet                        afbcbjpbpfadlkmhmclhkeeodmamcflc
Fractal Wallet                     agechnindjilpccclelhlbjphbgnobpf
Station Wallet                     aiifbnbfobpmeekipheeijimdpnlpgpp
ConfluxPortal                      bjiiiblnpkonoiegdlifcciokocjbhkd
Plug                               cfbfdhimifdmdehjmkdobpcjfefblkjm
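An added defender-side check (example code written for this article, not from GetBlock or Microsoft): it reads the extensions.settings object from a Chrome profile's Secure Preferences (or Preferences) JSON and reports which installed extensions appear in the table above, so you know which wallets on a machine fall under the trojan's watchlist. The sample profile and its third extension ID are constructed.

```python
import json

# The 20 extension IDs from the table above, keyed by ID.
WATCHLIST = {
    "jiidiaalihmmhddjgbnbgdfflelocpak": "Bitget Wallet (formerly BitKeep)",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "mfgccjchihfkkindfppnaooecgfneiii": "TokenPocket",
    "fhbohimaelbohpjbbldcngcnapndodjp": "BNB Chain Wallet",
    "mcohilncbfahbmgdjkbpemcciiolgcge": "OKX Wallet",
    "opcgpfmipidbgpenhmajoajpbobppdil": "Sui Wallet",
    "jnlgamecbpmbajjfhmmmlhejkemejdma": "Braavos – Starknet Wallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "fcfcfllfndlomdhbehjjcoimbgofdncg": "Leap Cosmos Wallet",
    "enabgbdfcbaehmbigakijjabdpdnimlg": "Manta Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "anokgmphncpekkhclmingpimjmcooifb": "Compass Wallet for Sei",
    "afbcbjpbpfadlkmhmclhkeeodmamcflc": "Math Wallet",
    "agechnindjilpccclelhlbjphbgnobpf": "Fractal Wallet",
    "aiifbnbfobpmeekipheeijimdpnlpgpp": "Station Wallet",
    "bjiiiblnpkonoiegdlifcciokocjbhkd": "ConfluxPortal",
    "cfbfdhimifdmdehjmkdobpcjfefblkjm": "Plug",
}

def installed_extension_ids(secure_prefs_json):
    """IDs found under the 'extensions' -> 'settings' object of a Chrome
    profile's Secure Preferences JSON (the extensions.settings data)."""
    prefs = json.loads(secure_prefs_json)
    return sorted(prefs.get("extensions", {}).get("settings", {}))

def targeted_wallets(secure_prefs_json):
    """(id, name) pairs for installed extensions on StilachiRAT's list."""
    return [(ext_id, WATCHLIST[ext_id])
            for ext_id in installed_extension_ids(secure_prefs_json)
            if ext_id in WATCHLIST]

# Constructed sample profile: MetaMask, Phantom and one unrelated extension
# (placeholder ID, not a real extension).
SAMPLE_SECURE_PREFS = json.dumps({"extensions": {"settings": {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": {"state": 1, "location": 1},
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": {"state": 1, "location": 1},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"state": 1, "location": 1},
}}})

if __name__ == "__main__":
    for ext_id, name in targeted_wallets(SAMPLE_SECURE_PREFS):
        print(f"at risk: {name} ({ext_id})")
```

To audit a real machine, pass the contents of the profile's Secure Preferences file instead of the constructed sample.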

StilachiRAT gains access to all of the browser's internal files, including extension data. Using the Windows API, it decrypts the Chrome encryption key that is generated when the browser is installed. As a result, the trojan can read the %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data file, where user data, including passwords and private keys, is stored.

Trojan structure

StilachiRAT is built on a client-server architecture and is controlled remotely. The attackers can take full control of the infected device: reboot it, launch any application, run commands from the command line, modify the Windows registry, and so on. The trojan client contains two embedded server IP addresses, stored in encrypted form. It connects to the server over TCP ports 53, 443 and 16000. After the initial infection, StilachiRAT waits two hours before contacting the server for the first time to report a successful attack; the delay makes it harder for antivirus systems to detect the trojan.

StilachiRAT also monitors remote desktop (RDP) sessions in order to reach other devices and pass malicious code to them. To do so, it impersonates the account of an already infected user by duplicating Windows Explorer's security tokens.

Continuous data collection

StilachiRAT's data collection is designed to let the attackers track every action a user performs on the device. They receive logs of software installations and removals, application activity, and active windows and sessions, together with their titles and executable paths.

StilachiRAT regularly monitors the clipboard, using patterns to search for passwords and cryptographic keys. The malware can not only transmit this information to the attackers' server but also replace clipboard contents in real time.
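The real-time clipboard replacement described above has a simple defensive signature: a copied wallet address turns into a different address of the same kind without the user copying anything. The monitor below is an added example (not code from the article or from Microsoft) that runs over a constructed poll timeline; the user_copy flag is assumed to come from whatever event source the real monitor hooks, and the address patterns and sample addresses are constructed, not a complete list of formats.

```python
import re
from dataclasses import dataclass

# Address shapes to watch for (constructed for this example; not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return 'btc', 'eth', or None for the whole clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return kind
    return None

@dataclass
class ClipboardSample:
    t_ms: int        # time of the poll
    content: str     # what the clipboard held at that moment
    user_copy: bool  # True when the user's own copy action produced the content

def detect_swaps(samples):
    """Flag polls where an address became a different address of the same
    kind with no user copy action in between: the clipboard-hijack pattern."""
    alerts, prev = [], None
    for sample in samples:
        if prev is not None and sample.content != prev.content and not sample.user_copy:
            before, after = address_kind(prev.content), address_kind(sample.content)
            if before is not None and before == after:
                alerts.append((sample.t_ms, before, prev.content, sample.content))
        prev = sample
    return alerts

# Constructed timeline: the user copies an ETH address, 150 ms later the
# clipboard silently holds a different ETH address; plain text and an
# unchanged BTC address must not raise alerts.
SAMPLE_TIMELINE = [
    ClipboardSample(0, "0x1234567890abcdef1234567890abcdef12345678", True),
    ClipboardSample(150, "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", False),
    ClipboardSample(300, "meeting notes", True),
    ClipboardSample(450, "bc1qconstructedexamplebech32addr0000001", True),
    ClipboardSample(600, "bc1qconstructedexamplebech32addr0000001", False),
]

if __name__ == "__main__":
    for t_ms, kind, old, new in detect_swaps(SAMPLE_TIMELINE):
        print(f"t={t_ms}ms {kind} address swapped: {old} -> {new}")
```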

Disguise

StilachiRAT can disguise itself as executable files (EXE), dynamic link libraries (DLL) and even Windows services. In the latter case, the trojan recreates an infected copy of the service, makes the corresponding changes to the registry and restarts it.

StilachiRAT deletes event logs and watches in real time for threads belonging to malware-analysis tools. Using a special algorithm, the trojan slows down the device and its antivirus software.

Signs of infection

StilachiRAT trojan infection can be identified by the following signs:

  • OS problems. The operating system runs slower than usual, reboots frequently, or freezes;
  • Account activity. Suspicious attempts to log into your accounts, or password changes you did not initiate;
  • High network activity. StilachiRAT actively uses the network to communicate with its server and to find other potential victims, so network slowdowns may occur;
  • Unauthorized modifications. Third-party applications you did not install and configuration changes you cannot explain;
  • Data manipulation. User files or clipboard contents being replaced.

How to remove StilachiRAT from your device

Step №1. Disconnect the device from the Internet so that the trojan loses contact with its server. This interrupts the transfer of data to the attackers and prevents them from sending commands to the malware.

Step №2. Use antivirus software to run a full and deep scan of your device.

Step №3. Remove all suspicious programs and applications from your device, including browser extensions.

Step №4. Perform a system restore to a restore point created before the device was compromised and the signs of infection appeared.
