Chrome won’t protect your crypto anymore — and here’s why
Millions of people continue to use Chrome browser extensions to store cryptocurrencies, unaware that their assets are at risk
03.04.2025
In November 2024, Microsoft’s research department (Threat Intelligence) discovered a new remote access trojan (RAT) called StilachiRAT. It is currently the most sophisticated malware of its kind, performing extensive reconnaissance of the user’s device. Besides collecting complete information about the operating system, BIOS serial numbers, active remote access (RDP) sessions, and I/O devices, the trojan targets the Chrome browser, because that is where the most sensitive user data is stored.
StilachiRAT monitors the activity of 20 of the most popular extensions in Chrome for crypto asset management, such as MetaMask, Coinbase, Fractal, Fantom, and others. The virus also accesses the clipboard and other running applications to search for private keys.
Microsoft Threat Intelligence notes that StilachiRAT’s functionality makes the virus a serious cybersecurity concern. GetBlock AML Research has compiled recommendations you can follow to better protect your assets.
How StilachiRAT infiltrates a device
Attackers have a variety of ways of getting malicious code onto potential victims’ devices:
- Phishing. Spam containing malware is actively spread not only through email, but also through messengers and social networks. Hackers often disguise viruses as photos and other media files;
- Fake extensions. Downloading browser extensions from unreliable sources is highly likely to end up infecting your device, as fake extensions with malicious code are actively distributed on the Internet;
- Downloading pirated software. Cracked software often contains malicious code;
- RDP attacks. Hackers regularly attack remote access nodes to gain unauthorized access to users’ devices and inject malicious code into them;
- USB droppers. Attackers distribute infected USB drives that infect a device as soon as they are plugged in;
- Hidden (drive-by) downloads. Malicious code that hackers embed in a website’s source code is delivered to the user’s device when the dangerous site is visited;
- Fake applications. Fake copies of popular applications containing viruses are actively distributed on the Internet.
What happens next
After gaining access to the device and the Chrome browser, the trojan checks the system for installed crypto wallet extensions. This is done by examining \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings.
Below is the table of extensions that StilachiRAT is able to detect.
| Extension name | Internal extension ID |
|---|---|
| Bitget Wallet (formerly BitKeep) | jiidiaalihmmhddjgbnbgdfflelocpak |
| Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdph |
| TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec |
| MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn |
| TokenPocket | mfgccjchihfkkindfppnaooecgfneiii |
| BNB Chain Wallet | fhbohimaelbohpjbbldcngcnapndodjp |
| OKX Wallet | mcohilncbfahbmgdjkbpemcciiolgcge |
| Sui Wallet | opcgpfmipidbgpenhmajoajpbobppdil |
| Braavos – Starknet Wallet | jnlgamecbpmbajjfhmmmlhejkemejdma |
| Coinbase Wallet | hnfanknocfeofbddgcijnmhnfnkdnaad |
| Leap Cosmos Wallet | fcfcfllfndlomdhbehjjcoimbgofdncg |
| Manta Wallet | enabgbdfcbaehmbigakijjabdpdnimlg |
| Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| Compass Wallet for Sei | anokgmphncpekkhclmingpimjmcooifb |
| Math Wallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| Fractal Wallet | agechnindjilpccclelhlbjphbgnobpf |
| Station Wallet | aiifbnbfobpmeekipheeijimdpnlpgpp |
| ConfluxPortal | bjiiiblnpkonoiegdlifcciokocjbhkd |
| Plug | cfbfdhimifdmdehjmkdobpcjfefblkjm |
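As an added example (not code from the article or from Microsoft’s report), the following Python script inventories which wallet extensions from the table above are installed on a machine by walking Chrome’s per-profile Extensions folder instead of the registry entry the trojan reads; the folder layout <Extensions>/<id>/<version>/manifest.json and the default Windows profile path are assumptions.

```python
import json
from pathlib import Path

# Extension IDs from the table above (StilachiRAT's target list), keyed to the table's names.
TARGETED = {
    "jiidiaalihmmhddjgbnbgdfflelocpak": "Bitget Wallet (formerly BitKeep)",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "mfgccjchihfkkindfppnaooecgfneiii": "TokenPocket",
    "fhbohimaelbohpjbbldcngcnapndodjp": "BNB Chain Wallet",
    "mcohilncbfahbmgdjkbpemcciiolgcge": "OKX Wallet",
    "opcgpfmipidbgpenhmajoajpbobppdil": "Sui Wallet",
    "jnlgamecbpmbajjfhmmmlhejkemejdma": "Braavos - Starknet Wallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "fcfcfllfndlomdhbehjjcoimbgofdncg": "Leap Cosmos Wallet",
    "enabgbdfcbaehmbigakijjabdpdnimlg": "Manta Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "anokgmphncpekkhclmingpimjmcooifb": "Compass Wallet for Sei",
    "afbcbjpbpfadlkmhmclhkeeodmamcflc": "Math Wallet",
    "agechnindjilpccclelhlbjphbgnobpf": "Fractal Wallet",
    "aiifbnbfobpmeekipheeijimdpnlpgpp": "Station Wallet",
    "bjiiiblnpkonoiegdlifcciokocjbhkd": "ConfluxPortal",
    "cfbfdhimifdmdehjmkdobpcjfefblkjm": "Plug",
}

def manifest_name(manifest):
    """Return 'name' from a manifest.json Path, or None if it is missing or unreadable."""
    try:
        return json.loads(manifest.read_text(encoding="utf-8")).get("name")
    except (OSError, ValueError):
        return None

def find_targeted_wallets(extensions_dir):
    """(id, table name, version, manifest name) for each installed targeted extension.
    Assumed layout: Chrome keeps <Extensions>/<id>/<version>/manifest.json."""
    hits = []
    root = Path(extensions_dir)
    for ext_id, name in sorted(TARGETED.items()):
        for manifest in sorted((root / ext_id).glob("*/manifest.json")):
            hits.append((ext_id, name, manifest.parent.name, manifest_name(manifest)))
    return hits

if __name__ == "__main__":
    # Default Chrome profile on Windows (assumed); point at another profile if needed.
    base = Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions"
    for hit in find_targeted_wallets(base):
        print("wallet extension on StilachiRAT's target list:", hit)
```

A hit means the machine holds a wallet the trojan is built to look for, so it deserves the hardening and monitoring steps later in this article.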
StilachiRAT gains access to all internal browser files, including extensions. The virus uses the Windows API to decrypt the Chrome encryption key that is generated when the browser is installed. As a result, the trojan gains access to %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, where user data, including passwords and private keys, is stored.
Trojan structure
StilachiRAT is based on a client-server architecture and is managed remotely. Hackers are able to take full control of the infected device: reboot it, launch any application, work with the command line, modify the Windows registry, and so on. The trojan client contains two embedded, encrypted server IP addresses. To connect to the server, the virus uses TCP ports 53, 443, and 16000. After initially infecting the device, StilachiRAT waits two hours before connecting to the server for the first time and reporting a successful attack. This delay is intended to make it harder for antivirus systems to detect the trojan.
StilachiRAT monitors remote access (RDP) sessions to gain access to other devices and pass malicious code to them. To do this, the virus impersonates the already-compromised user’s account by duplicating the Windows Explorer security token.
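An added detection example (not from the article or Microsoft’s report): a hunt over constructed flow-log lines that flags the connection pattern described above, namely outbound TCP to port 16000, TCP to port 53 that is not going to an approved resolver, and one peer contacted over two or more of the three ports; the log format and the approved-resolver list are assumptions.

```python
# Ports the article names for StilachiRAT's server connections.
C2_PORTS = {53, 443, 16000}
# Resolvers clients may legitimately reach on port 53 (assumed for this example).
APPROVED_RESOLVERS = {"10.0.0.53"}

def parse_flow(line):
    """Parse a constructed 'ts proto src dst dport' line; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[1] not in ("tcp", "udp") or not parts[4].isdigit():
        return None
    return {"ts": parts[0], "proto": parts[1], "src": parts[2], "dst": parts[3], "dport": int(parts[4])}

def flow_reason(flow):
    """Per-flow signal: TCP/16000 anywhere, or TCP/53 to a host that is not a resolver."""
    if flow["proto"] != "tcp":
        return None
    if flow["dport"] == 16000:
        return "tcp/16000 outbound (StilachiRAT C2 port)"
    if flow["dport"] == 53 and flow["dst"] not in APPROVED_RESOLVERS:
        return "tcp/53 to non-resolver (DNS-port C2 channel)"
    return None

def hunt(log_text):
    """Return (alerts, multi_port): per-flow alerts and (src, dst) pairs seen on 2+ C2 ports."""
    alerts, ports_seen = [], {}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = flow_reason(flow)
        if reason:
            alerts.append((flow["src"], flow["dst"], flow["dport"], reason))
        if flow["proto"] == "tcp" and flow["dport"] in C2_PORTS:
            ports_seen.setdefault((flow["src"], flow["dst"]), set()).add(flow["dport"])
    multi_port = {pair for pair, ports in ports_seen.items() if len(ports) >= 2}
    return alerts, multi_port

# Constructed sample lines, not real telemetry; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
2025-03-20T10:00:01 udp 192.168.1.20 10.0.0.53 53
2025-03-20T10:00:02 tcp 192.168.1.20 203.0.113.10 443
2025-03-20T12:00:05 tcp 192.168.1.20 203.0.113.10 16000
2025-03-20T12:00:06 tcp 192.168.1.20 203.0.113.10 53
garbage line that the parser must skip
"""

if __name__ == "__main__":
    alerts, multi_port = hunt(SAMPLE_LOG)
    print(*alerts, sep="\n")
    print("peers reached over several C2 ports:", multi_port)
```

Port 443 alone is too noisy to alert on, which is why it only contributes to the multi-port correlation.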
Continuous data collection
StilachiRAT’s data collection algorithm is designed to let attackers track every action a user performs on the device. Hackers receive logs of software installation and uninstallation, application activity, and active windows and sessions, along with their titles and executable file paths.
StilachiRAT regularly monitors the clipboard, using patterns to search for passwords and cryptographic keys. The virus is capable of not only transmitting this information to the attackers’ server, but also spoofing it in real time.
Disguise
StilachiRAT can disguise itself as executable files (EXE), dynamic link libraries (DLL), and even Windows services. In the case of the latter, the trojan recreates an infected copy of the service, makes appropriate changes to the registry, and restarts it.
StilachiRAT deletes event logs and monitors in real time for signs of malware-analysis activity. Using a special algorithm, the trojan slows down the device and its antivirus systems.
Signs of infection
A StilachiRAT infection can be recognized by the following signs:
- OS problems. The operating system runs slower than usual, reboots frequently, or freezes;
- Account activity. Suspicious attempts to log into your accounts, or password changes that you did not initiate;
- High network activity. StilachiRAT actively uses network nodes to communicate with its server and to find other potential victims, so network slowdowns may occur;
- Unauthorized modifications. Unfamiliar third-party applications appear, and there are configuration changes you cannot explain;
- Data manipulation. User files or clipboard contents are replaced.
How to remove StilachiRAT from your device
Step №1. Disconnect the device from the internet so that the trojan loses contact with its server. This stops data from reaching the attackers and prevents them from sending commands to the malware.
Step №2. Use antivirus software to run a full and deep scan of your device.
Step №3. Remove all suspicious programs and applications from your device, including browser extensions.
Step №4. Perform a system restore to a restore point created before the device was compromised and before the first clear signs of infection appeared.