Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
How to stay safe from the new StilachiRAT malware

Microsoft Incident Response has identified a new remote access trojan (RAT) that is capable of stealing a wide variety of information from your computer from passwords and cryptocurrency wallet information to operating system details, device identifiers, and even camera presence data.
The most sophisticated – and perhaps the most alarming – feature of this new malware is its ability to use watchdog threads to ensure self-reinstatement if removed. Basically, it can reinstall itself.
As reported by BleepingComptuer, the StilachiRAT is used to steal digital wallet data from multiple cryptocurrency wallets including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, Bitget Wallet and up to 20 others.
The malware also has sophisticated reconnaissance abilities and is able to steal information from an infected PC including credentials stored in your browser, clipboard data, system information, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications.
StilachiRAT can extract credentials from Google Chrome's local state file using Windows APIs, monitor clipboard activity for password information and crypto keys and track active windows or applications. It uses the Windows service control manager (SCM) to maintain persistence and reinstalls it automatically when the malware notices its binaries are no longer active.
At the same time, StilachiRAT can monitor active RDP sessions by impersonating logged in users. It does this by capturing information from foreground windows then cloning security tokens. This allows attackers to move laterally through a victim’s network after the malware has been deployed on RDP servers that usually host admin sessions.
StilachiRAT can also evade detection and has anti-forensics features, such as the ability to clear event logs and check for signs that its running in a sandbox in order to block malware analysis attempts. If its tricked into running in a sandbox, the RAT’s API calls are encoded to slow down further analysis.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
The StilachiRAT malware was first discovered back in November of last year. In a new blog post though, Microsoft says it has not yet reached widespread distribution, and that it doesn't have any information on a specific threat actor or a particular location of origin.
How to stay safe from StilachiRAT
In order to avoid infection from this RAT, Microsoft’s advice is pretty simple: Make sure to only download software from official websites and use security software that can block malicious domains and email attachments.
That means you should install the best antivirus software on your PC and make sure you're keeping it up to date. You also want to know the common signs of phishing attacks such as misspelled domain names or email signatures, attachments from unknown senders, or messages that contain a sense of urgency or even threats of a legal nature that encourage you to click or download something.
Never click on something that you aren't expecting or don't know what it is or who sent it and when in doubt, contact the sender in a separate message or email. If a domain name or URL seems suspicious then go to it directly by typing it into the browser window instead of by clicking on a link. You can also use a VPN to protect your privacy further and a password manager to keep your passwords safe.
New malware strains like this one are created everyday but by practicing good cyber hygiene and staying up to date on the latest attack methods, you can avoid falling victim to StilachiRAT and other online threats.
More from Tom's Guide
- 5 iPhone settings you should always shut off — because they’re a security nightmare
- New MassJacker malware is hijacking digital wallets to steal large sums from users
- FBI issues warning over free online file converters that infect your PC with malware





Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.

















