Microsoft this week shared details on StilachiRAT, an evasive and persistent piece of malware that enables cybercriminals to steal sensitive data from compromised systems.

The tech giant’s incident response team first spotted StilachiRAT (the name was given by Microsoft) in November 2024. While it currently does not appear to be widely distributed, the company wanted to warn users and organizations.

Microsoft has yet to link StilachiRAT, which has been described as a remote access trojan (RAT), to any known threat group or a specific country.

The company has not specified how the RAT is being distributed, but noted that such threats can be installed through multiple attack vectors, including trojanized software, malicious websites, and email. 

Once it has been deployed on a device, the malware collects information about the system to enable a detailed profiling. StilachiRAT then scans the system for configuration data associated with 20 different cryptocurrency wallet Chrome extensions. 

The RAT extracts usernames and passwords stored in Chrome and continuously monitors clipboard content for valuable information such as credentials and cryptocurrency keys.

The malware can also monitor RDP sessions, which could allow the attacker to move laterally within the compromised network. 

According to Microsoft, StilachiRAT can execute various commands, including to reboot the system, clear logs, manipulate registry entries, and execute applications. 

For persistence the malware uses the Windows service control manager and watchdog threads to ensure that it’s restored in case of removal. 

The RAT also packs anti-forensic and evasion capabilities. 

“StilachiRAT displays anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection. This includes looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments commonly used for malware analysis,” Microsoft explained.

“Additionally, Windows API calls are obfuscated in multiple ways and a custom algorithm is used to encode many text strings and values. This significantly slows down analysis time since extrapolating higher level logic and code design becomes a more complex effort,” it added. “The malware employs API-level obfuscation techniques to impede manual analysis, specifically by concealing its use of Windows APIs.”

Related: 11 State-Sponsored APTs Exploiting LNK Files for Espionage, Data Theft

Related: ClickFix Widely Adopted by Cybercriminals, APT Groups

Related: DeepSeek’s Malware-Generation Capabilities Put to Test