Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease


  • Microsoft is warning about a brand new RAT called Stilachi
  • It is good at hiding and persisting, while stealing sensitive data
  • StilachiRAT allows threat actors to run commands on endpoints, too

A new Remote Access Trojan (RAT) has been spotted using “sophisticated techniques” to hide and persist while it steals people’s sensitive information, experts have warned.

Researchers at Microsoft said the malware is still too “young” to be attributed to any specific actor or threat campaign.

"In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data," Microsoft said.

Crypto in the crosshairs

The company did not explain how the RAT is distributed, but once it’s installed on a device, it maintains persistence through the Windows service control manager (SCM). It uses watchdog threads to track the malware’s binaries and recreate them if they’re removed, essentially reinstalling the malware whenever necessary.

As for evasion and anti-forensics, it can clear event logs and look for signs that it’s running in a sandbox environment. Even if you trick it into running in a sandbox, its Windows API calls are still encoded as “checksums that are resolved dynamically at runtime,” which makes analysis that much harder.
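A detection sketch for the two behaviours just described (SCM-based persistence and event-log clearing), added here as an example and not taken from Microsoft’s report or this article: it pairs a Windows “service installed” event with a later log-clear event on the same host. The event IDs are the standard Windows ones; the sample records and their field names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real StilachiRAT telemetry. Assumption: a log
# collector has normalised Windows events into host / time / event_id / detail.
SAMPLE_EVENTS = [
    {"host": "ws01", "time": "2025-03-17T09:00:00", "event_id": 7045, "detail": "svc=UpdaterSvc"},
    {"host": "ws01", "time": "2025-03-17T09:04:30", "event_id": 1102, "detail": "audit log cleared"},
    {"host": "ws02", "time": "2025-03-17T10:00:00", "event_id": 7045, "detail": "svc=PrintHelper"},
    {"host": "ws02", "time": "2025-03-17T15:00:00", "event_id": 104,  "detail": "System log cleared"},
    {"host": "ws03", "time": "2025-03-17T11:00:00", "event_id": 1102, "detail": "audit log cleared"},
]

SERVICE_INSTALLED = 7045      # System log: "A service was installed in the system"
LOG_CLEARED = {1102, 104}     # 1102: Security audit log cleared; 104: System/Application log cleared


def parse_time(s):
    return datetime.fromisoformat(s)


def find_service_then_logclear(events, window=timedelta(minutes=30)):
    """Return (host, service_event, clear_event) triples where a new service
    installation is followed, within `window` on the same host, by a log-clear
    event. One hit alone is not proof of compromise, but the pairing is a cheap
    first filter for the persistence-plus-anti-forensics pattern above."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        by_host.setdefault(e["host"], []).append(e)

    hits = []
    for host, evs in by_host.items():
        for i, svc in enumerate(evs):
            if svc["event_id"] != SERVICE_INSTALLED:
                continue
            t0 = parse_time(svc["time"])
            for later in evs[i + 1:]:
                if later["event_id"] in LOG_CLEARED and parse_time(later["time"]) - t0 <= window:
                    hits.append((host, svc, later))
    return hits


if __name__ == "__main__":
    for host, svc, clr in find_service_then_logclear(SAMPLE_EVENTS):
        print(f"{host}: {svc['detail']} at {svc['time']} then event {clr['event_id']} at {clr['time']}")
```

Only ws01 is flagged: ws02’s log clear happens hours after the service install, and ws03 clears a log without any preceding service installation.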

In terms of features, StilachiRAT doesn’t stray much from the usual Remote Access Trojan. It targets credentials stored in the browser, digital wallet information, data stored in the clipboard, and system information (hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications) to profile targeted systems.

StilachiRAT is particularly interested in cryptocurrency wallets. It can scan the configuration info of 20 wallet extensions such as Phantom, MetaMask, Trust Wallet, and many others.

But the tool can do much more than “just” steal data - it allows for remote command execution, granting the attackers the ability to restart the device, run applications, and more. There are even commands built to "suspend the system, modify Windows registry values, and enumerate open windows."

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

