{"id":58316,"date":"2025-03-17T17:00:00","date_gmt":"2025-03-17T17:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft\/"},"modified":"2025-03-17T17:00:00","modified_gmt":"2025-03-17T17:00:00","slug":"stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft\/","title":{"rendered":"StilachiRAT analysis: From system reconnaissance to cryptocurrency theft"},"content":{"rendered":"<p>In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of the StilachiRAT\u2019s <em>WWStartupCtrl64.dll<\/em> module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information.<\/p>\n<p>Microsoft has not yet attributed StilachiRAT to a specific threat actor or geolocation. Based on Microsoft\u2019s current visibility, the malware does not exhibit widespread distribution at this time. However, due to its stealth capabilities and the rapid changes within the malware ecosystem, we are sharing these findings as part of our ongoing efforts to monitor, analyze, and report on the evolving threat landscape.<\/p>\n<p>Microsoft security solutions can detect activities related to attacks that use StilachiRAT. To help defenders protect their network, we are also sharing mitigation guidance to help reduce the impact of this threat, detection details, and hunting queries. Microsoft continues to monitor information on the delivery vector used in these attacks. 
Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security hardening measures to prevent the initial compromise.<\/p>\n<p>This blog presents our detailed findings on all the key capabilities of StilachiRAT, which include:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>System reconnaissance<\/strong>: Collects comprehensive system information, including operating system (OS) details, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications, allowing detailed profiling of the target system.<\/li>\n<li><strong>Digital wallet targeting<\/strong>: Scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser.<\/li>\n<li><strong>Credential theft<\/strong>: Extracts and decrypts saved credentials from Google Chrome, gaining access to usernames and passwords stored in the browser.<\/li>\n<li><strong>Command-and-control (C2) connectivity<\/strong>: Establishes communication with remote C2 servers using TCP ports 53, 443, or 16000, enabling remote command execution and potentially SOCKS-like proxying.<\/li>\n<li><strong>Command execution<\/strong>: Supports a variety of commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension.<\/li>\n<li><strong>Persistence mechanisms<\/strong>: Achieves persistence through the <a href=\"https:\/\/learn.microsoft.com\/windows\/win32\/services\/service-control-manager\">Windows service control manager (SCM)<\/a> and uses watchdog threads to ensure self-reinstatement if removed.<\/li>\n<li><strong>RDP monitoring<\/strong>: Monitors RDP sessions, capturing active window information and impersonating users, allowing for potential lateral movement within networks.<\/li>\n<li><strong>Clipboard and data collection<\/strong>: Continuously monitors clipboard content, actively 
searching for sensitive data like passwords and cryptocurrency keys, while tracking active windows and applications.<\/li>\n<li><strong>Anti-forensics and evasion<\/strong>: Employs anti-forensic tactics by clearing event logs, detecting analysis tools, and implementing sandbox-evading behaviors to avoid detection.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"technical-analysis-of-key-capabilities\">Technical analysis of key capabilities<\/h2>\n<h3 class=\"wp-block-heading\" id=\"system-reconnaissance\">System reconnaissance<\/h3>\n<p>StilachiRAT gathers extensive system information, including OS details, device identifiers, BIOS serial numbers, and camera presence. Information is collected through the Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL). Below are some of the queries it executes:<\/p>\n<p><strong>Serial number<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-44.webp\" alt class=\"wp-image-137971 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-44.webp\"><\/figure>\n<p><strong>Camera<\/strong><\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"552\" height=\"54\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-3.jpg\" alt=\"A black and green text\" class=\"wp-image-137970\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-3.jpg 552w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-3-300x29.jpg 300w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\"><\/figure>\n<p><strong>OS \/ System info (server, model, manufacturer)<\/strong><\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" 
src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Query3-1024x95.webp\" alt=\"A black text on a white background\" class=\"wp-image-138036 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Query3-1024x95.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Query3-300x28.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Query3-768x71.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Query3.webp 1060w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Query3-1024x95.webp\"><\/figure>\n<p>Additionally, the malware creates a unique identifier for the infected device, derived from the system\u2019s serial number and the attackers\u2019 public RSA key. The identifier is stored in the registry under a CLSID key.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-45.webp\" alt=\"A screenshot of a computer code\" class=\"wp-image-137973 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-45.webp\"><figcaption class=\"wp-element-caption\">Figure 1. Example of a unique ID stored in the registry<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"digital-wallet-targeting\">Digital wallet targeting<\/h3>\n<p>StilachiRAT targets a list of specific cryptocurrency wallet extensions for the Google Chrome browser. 
It accesses the settings in the following registry key and validates if any of the extensions are installed:<\/p>\n<p><strong>\\SOFTWARE\\Google\\Chrome\\PreferenceMACs\\Default\\extensions.settings<\/strong><\/p>\n<p>The malware targets the following cryptocurrency wallet extensions:<\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"24\">\n<tr readability=\"4\">\n<td><strong>Cryptocurrency wallet extension name<\/strong><\/td>\n<td><strong>Chrome extension identifier<\/strong><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Bitget Wallet (Formerly BitKeep)<\/td>\n<td>jiidiaalihmmhddjgbnbgdfflelocpak<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Trust Wallet<\/td>\n<td>egjidjbpglichdcondbcbdnbeeppgdph<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>TronLink<\/td>\n<td>ibnejdfjmmkpcnlpebklmnkoeoihofec<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>MetaMask (ethereum)<\/td>\n<td>nkbihfbeogaeaoehlefnkodbefgpgknn<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>TokenPocket<\/td>\n<td>mfgccjchihfkkindfppnaooecgfneiii<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>BNB Chain Wallet<\/td>\n<td>fhbohimaelbohpjbbldcngcnapndodjp<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>OKX Wallet<\/td>\n<td>mcohilncbfahbmgdjkbpemcciiolgcge<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Sui Wallet<\/td>\n<td>opcgpfmipidbgpenhmajoajpbobppdil<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Braavos \u2013 Starknet Wallet<\/td>\n<td>jnlgamecbpmbajjfhmmmlhejkemejdma<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Coinbase Wallet<\/td>\n<td>hnfanknocfeofbddgcijnmhnfnkdnaad<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Leap Cosmos Wallet<\/td>\n<td>fcfcfllfndlomdhbehjjcoimbgofdncg<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Manta Wallet<\/td>\n<td>enabgbdfcbaehmbigakijjabdpdnimlg<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Keplr<\/td>\n<td>dmkamcknogkgcdfhhbddcghachkejeap<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Phantom<\/td>\n<td>bfnaelmomeimhlpmgjnjophhpkkoljpa<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td>Compass Wallet for Sei<\/td>\n<td>anokgmphncpekkhclmingpimjmcooifb<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Math Wallet<\/td>\n<td>afbcbjpbpfadlkmhmclhkeeodmamcflc<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Fractal Wallet<\/td>\n<td>agechnindjilpccclelhlbjphbgnobpf<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Station Wallet<\/td>\n<td>aiifbnbfobpmeekipheeijimdpnlpgpp<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>ConfluxPortal<\/td>\n<td>bjiiiblnpkonoiegdlifcciokocjbhkd<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Plug<\/td>\n<td>cfbfdhimifdmdehjmkdobpcjfefblkjm<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"credential-theft\">Credential theft<\/h3>\n<p>StilachiRAT extracts Google Chrome\u2019s <em>encryption_key<\/em> from the local state file in a user\u2019s directory. However, since the key is encrypted when Chrome is first installed, it uses Windows APIs that rely on the current user\u2019s context to decrypt the master key. This allows access to the stored credentials in the password vault. 
The stored credentials are extracted from the following locations:<\/p>\n<ul class=\"wp-block-list\">\n<li><em>%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State<\/em> \u2013 stores Chrome\u2019s configuration data, including the encrypted key.<\/li>\n<li><em>%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data<\/em> \u2013 stores entered user credentials.<\/li>\n<\/ul>\n<p>The \u201cLogin Data\u201d file is an SQLite database, and the malware retrieves credentials from it using the following query:<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"51\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-4.jpg\" alt=\"A black text on a white background\" class=\"wp-image-137974\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-4.jpg 624w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-4-300x25.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-4-615x51.jpg 615w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/figure>\n<h3 class=\"wp-block-heading\" id=\"command-and-control-c2\">Command-and-control (C2)<\/h3>\n<p>There are two configured addresses for the C2 server \u2013 one is stored in obfuscated form and the other is an IP address converted to its binary format (instead of a regular string):<\/p>\n<ul class=\"wp-block-list\">\n<li>app.95560[.]cc<\/li>\n<li>194.195.89[.]47<\/li>\n<\/ul>\n<p>The communications channel is established using TCP ports 53, 443, or 16000, selected randomly. Additionally, the malware checks for the presence of <em>tcpview.exe<\/em> and will not proceed if it is present. It also delays the initial connection by two hours, presumably to evade detection. Once connected, a list of active windows is sent to the server. 
Additional technical findings regarding C2 communications functionality are listed in the section below.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-46.webp\" alt=\"A screenshot of a computer program\" class=\"wp-image-137975 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-46.webp\"><figcaption class=\"wp-element-caption\">Figure 2. The malware delays connection to evade detection<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"persistence-mechanisms\">Persistence mechanisms<\/h3>\n<p>StilachiRAT can be launched either as a Windows service or as a standalone component. In both cases, there is a mechanism in place to ensure the malware isn\u2019t removed.<\/p>\n<p>A watchdog thread monitors both the EXE and dynamic link library (DLL) files used by the malware by periodically polling for their presence. If found absent, the files can be recreated from an internal copy obtained during initialization. Lastly, the Windows service component can be recreated by modifying the relevant registry settings and restarting it through the SCM.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-47.webp\" alt=\"A screenshot of a computer program\" class=\"wp-image-137977 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-47.webp\"><figcaption class=\"wp-element-caption\">Figure 3. 
Monitoring for the presence of EXE and DLL files<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-4-start-the-mlaware-via-scm.webp\" alt=\"A computer screen shot of a program code\" class=\"wp-image-138020 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-4-start-the-mlaware-via-scm.webp\"><figcaption class=\"wp-element-caption\">Figure 4. Start the malware via SCM<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"rdp-monitoring\">RDP monitoring<\/h3>\n<p>StilachiRAT monitors RDP sessions by capturing foreground window information and duplicating security tokens to impersonate users. This is particularly risky on RDP servers hosting administrative sessions as it could enable lateral movement within networks.<\/p>\n<p>The malware obtains the current session and actively launches foreground windows as well as enumerates all other RDP sessions. For each identified session, it will access the Windows Explorer shell and duplicate its privileges or security token. The malware then gains capabilities to launch applications with these newly obtained privileges.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-5-enumerate-rdp-sessions.webp\" alt=\"A screen shot of a computer program\" class=\"wp-image-138021 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-5-enumerate-rdp-sessions.webp\"><figcaption class=\"wp-element-caption\">Figure 5. 
Enumerate RDP sessions<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-6-launch-process-another-user.webp\" alt=\"A screen shot of a computer code\" class=\"wp-image-138022 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-6-launch-process-another-user.webp\"><figcaption class=\"wp-element-caption\">Figure 6. Launch process as another user<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"data-collection\">Data collection<\/h3>\n<p>StilachiRAT collects a variety of user data, including software installation records and active applications. It monitors active GUI windows, their title bar text, and file location, and sends this information to the C2 server, potentially allowing attackers to track user behavior.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-48.webp\" alt=\"A screenshot of a computer\" class=\"wp-image-137980 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/image-48.webp\"><figcaption class=\"wp-element-caption\">Figure 7. Registry path for installed software<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-8-read-title-app-window.webp\" alt=\"A computer code with colorful text\" class=\"wp-image-138024 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-8-read-title-app-window.webp\"><figcaption class=\"wp-element-caption\">Figure 8. 
Read the title of an application window<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"clipboard-monitoring\">Clipboard monitoring<\/h3>\n<p>StilachiRAT includes functionality for monitoring clipboard data. Specifically, the malware can periodically read the clipboard, extract text based on search expressions, and then exfiltrate this data. Clipboard monitoring is continuous, with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.<\/p>\n<p>The list below includes the regular expressions used to extract certain credentials. These are associated with the Tron cryptocurrency blockchain, which is popular in Asia, especially in China.<\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"6.5\">\n<tr readability=\"3\">\n<td><strong>Credential<\/strong><\/td>\n<td><strong>Regular expression to extract credential<\/strong><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>TRX Address<\/td>\n<td><code>\\bT[0-9a-zA-Z]{33}\\b<\/code><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>TRX Key<\/td>\n<td><code>\\b(0x)?[0-9a-fA-F]{64}\\b<\/code><\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>TRX Pass<\/td>\n<td><code>^\\s*\\b([0-9]*[.]*[a-wy-z][a-z]{2,}[ \\t]*\\b){12}\\s*(\\n\\$)<\/code><\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>TRX Pass<\/td>\n<td><code>^\\s*\\b([0-9]*[.]*?[a-wy-z][a-z]{2,}\\s*\\b){12}\\s*(\\n\\$)<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-9-access-clipboard-data.webp\" alt=\"A screen shot of a computer code\" class=\"wp-image-138025 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-9-access-clipboard-data.webp\"><figcaption class=\"wp-element-caption\">Figure 9. Access clipboard data<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-10-access-clipboard.webp\" alt=\"A computer screen shot of a black background with white text\" class=\"wp-image-138026 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-10-access-clipboard.webp\"><figcaption class=\"wp-element-caption\">Figure 10. Modify clipboard data<\/figcaption><\/figure>\n<p>The same search expressions are then used to iterate over files in the following locations:<\/p>\n<ul class=\"wp-block-list\">\n<li>%USERPROFILE%\\Desktop<\/li>\n<li>%USERPROFILE%\\Recent<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-11-access-users-files.webp\" alt=\"A screen shot of a computer code\" class=\"wp-image-138027 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-11-access-users-files.webp\"><figcaption class=\"wp-element-caption\">Figure 11. 
Access user\u2019s files<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"anti-forensic-measures\">Anti-forensic measures<\/h3>\n<p>StilachiRAT displays anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection. This includes looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments commonly used for malware analysis.<\/p>\n<p>Additionally, Windows API calls are obfuscated in multiple ways and a custom algorithm is used to encode many text strings and values. This significantly slows down analysis, since extrapolating higher-level logic and code design becomes a more complex effort.<\/p>\n<p>The malware employs API-level obfuscation techniques to impede manual analysis, specifically by concealing its use of Windows APIs (e.g., RegOpenKey()). Instead of referencing API names directly, it encodes them as checksums that are resolved dynamically at runtime. While this is a common technique in malware, the authors have introduced additional layers of obfuscation.<\/p>\n<p>Precomputed API checksums are stored in multiple lookup tables, each masked with an XOR value. During launch, the malware selects the appropriate table based on the hashed API name, applies the correct XOR mask to decode the value, and dynamically resolves the corresponding Windows API function. 
The resolved function pointer is then cached, but with an additional XOR mask applied, preventing straightforward memory scans from identifying API references.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-12-example-function-calls-resolve-sleep-allocconsole.webp\" alt=\"A screen shot of a computer\" class=\"wp-image-138028 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-12-example-function-calls-resolve-sleep-allocconsole.webp\"><figcaption class=\"wp-element-caption\">Figure 12. Example of two function calls that resolve the <em>Sleep()<\/em> and <em>AllocConsole()<\/em> Windows APIs<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-13-function-initiates-api-resolution.webp\" alt=\"A computer screen shot of text\" class=\"wp-image-138029 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-13-function-initiates-api-resolution.webp\"><figcaption class=\"wp-element-caption\">Figure 13. Function that initiates API resolution by identifying the correct lookup table for the checksum<\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"commands-launched-from-the-c2-server\">Commands launched from the C2 server<\/h3>\n<p>StilachiRAT can launch various commands received from the C2 server. These commands include system reboot, log clearing, credential theft, executing applications, and manipulating system windows. Additionally, it can suspend the system, modify Windows registry values, and enumerate open windows, indicating a versatile command set for both espionage and system manipulation. 
The C2 server\u2019s command structure assigns a specific number to each command it can initiate. The following sections present details on these commands.<\/p>\n<h4 class=\"wp-block-heading\" id=\"07-dialog-box\">07 \u2013 Dialog box<\/h4>\n<p>Uses the Windows API function <em>ShowHTMLDialogEx()<\/em> to display a dialog box with rendered HTML contents from a supplied URL.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-14-display-message-box.webp\" alt=\"A screen shot of a computer program\" class=\"wp-image-138030 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-14-display-message-box.webp\"><figcaption class=\"wp-element-caption\">Figure 14. Display a message box<\/figcaption><\/figure>\n<h4 class=\"wp-block-heading\" id=\"08-log-clearing\">08 \u2013 Log clearing<\/h4>\n<p>Given an event log type, the relevant Windows APIs are used to open and then clear the log entries.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-15-clear-event-logs.webp\" alt=\"A screen shot of a computer\" class=\"wp-image-138031 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-15-clear-event-logs.webp\"><figcaption class=\"wp-element-caption\">Figure 15. 
Clear event logs<\/figcaption><\/figure>\n<h4 class=\"wp-block-heading\" id=\"09-system-reboot\">09 \u2013 System reboot<\/h4>\n<p>Adjusts its own executing privileges to enable system shutdown and uses an undocumented Windows API to perform the action.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-16-shutdown-pc.webp\" alt=\"A computer screen shot of text\" class=\"wp-image-138032 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-16-shutdown-pc.webp\"><figcaption class=\"wp-element-caption\">Figure 16. Shut down the PC<\/figcaption><\/figure>\n<h4 class=\"wp-block-heading\" id=\"13-network-sockets\">13 \u2013 Network sockets<\/h4>\n<p>Appears to contain the capability to receive a network address from the C2 server and establish a new outbound connection.<\/p>\n<h4 class=\"wp-block-heading\" id=\"14-tcp-incoming\">14 \u2013 TCP incoming<\/h4>\n<p>Accepts an incoming network connection on the supplied TCP port.<\/p>\n<h4 class=\"wp-block-heading\" id=\"15-terminate\">15 \u2013 Terminate<\/h4>\n<p>If there is an open network connection, the malware closes it and disables the Windows service controlling this process. 
This appears to be the self-removal (uninstall) command.<\/p>\n<h4 class=\"wp-block-heading\" id=\"16-initiate-application\">16 \u2013 Initiate application<\/h4>\n<p>The malware creates a console window and initiates a command to launch the program provided by the C2 operator using the <em>WinExec()<\/em> API.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-17-initiate-program.webp\" alt=\"A black background with white text\" class=\"wp-image-138034 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/03\/Figure-17-initiate-program.webp\"><figcaption class=\"wp-element-caption\">Figure 17. Initiate a program<\/figcaption><\/figure>\n<h4 class=\"wp-block-heading\" id=\"19-enumerate-windows\">19 \u2013 Enumerate Windows<\/h4>\n<p>Iterates over all windows on the current desktop, looking for a requested title bar text. This might allow the operator to access specific GUI applications and their contents, both onscreen and in the clipboard.<\/p>\n<h4 class=\"wp-block-heading\" id=\"26-suspend\">26 \u2013 Suspend<\/h4>\n<p>Uses the <em>SetSuspendState()<\/em> API to put the system into either a suspended (sleep) state or hibernation.<\/p>\n<h4 class=\"wp-block-heading\" id=\"30-chrome-credentials\">30 \u2013 Chrome credentials<\/h4>\n<p>Launches the earlier-mentioned functionality to steal Google Chrome passwords.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigations\">Mitigations<\/h2>\n<p>Malware like StilachiRAT can be installed through various vectors. The following mitigations can help prevent this type of malware from infiltrating the system and reduce the attack surface:<\/p>\n<ul class=\"wp-block-list\">\n<li>In some cases, RATs can masquerade as legitimate software or software updates. 
Always download software from the official website of the software developer or from reputable sources.<\/li>\n<li>Encourage users to use Microsoft Edge and other web browsers that support&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/web-protection-overview\">SmartScreen<\/a>, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.<\/li>\n<li>Turn on&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/safe-links-about\">Safe Links<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/safe-attachments-about\">Safe Attachments<\/a>&nbsp;for Office 365. In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Microsoft Teams, and supported Office 365 apps. Safe Attachments&nbsp;provides an additional layer of protection for email attachments that have already been scanned by&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-office-365\/anti-malware-protection-about\">anti-malware protection in Exchange Online Protection (EOP)<\/a>.<\/li>\n<li>Enable&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/enable-network-protection?view=o365-worldwide\">network protection<\/a>&nbsp;in Microsoft Defender for Endpoint to prevent applications or users from accessing malicious domains and other malicious content on the internet. 
You can&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/evaluate-network-protection\">audit network protection<\/a>&nbsp;in a test environment to view which apps would be blocked before enabling network protection.<\/li>\n<\/ul>\n<p>General hardening guidelines:<\/p>\n<ul class=\"wp-block-list\">\n<li>Ensure that&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection\">tamper protection<\/a>&nbsp;is enabled in Microsoft Defender for Endpoint.<\/li>\n<li>Run endpoint detection and response in&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/edr-in-block-mode\">block mode<\/a>&nbsp;so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.<\/li>\n<li>Configure&nbsp;<a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/automated-investigations\">investigation and remediation<\/a>&nbsp;in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus\">Turn on Potentially unwanted applications (PUA) protection in block mode<\/a>&nbsp;in Microsoft Defender Antivirus. 
PUA is a category of software that can cause your machine to run slowly, display unexpected ads, or install other software that might be unexpected or unapproved.<\/li>\n<li>Turn on&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/cloud-protection-microsoft-defender-antivirus\">cloud-delivered protection<\/a>&nbsp;in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.<\/li>\n<li>Turn on Microsoft Defender Antivirus&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/configure-real-time-protection-microsoft-defender-antivirus\">real-time protection<\/a>.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p>Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p>Customers with provisioned access can also use <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-antivirus\">Microsoft Defender Antivirus<\/h3>\n<p>Microsoft Defender Antivirus detects this threat as the following malware:<\/p>\n<ul class=\"wp-block-list\">\n<li>TrojanSpy:Win64\/Stilachi.A<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n<p>The following alerts might indicate threat activity related to this threat. 
Note, however, that these alerts can also be triggered by unrelated threat activity.<\/p>\n<ul class=\"wp-block-list\">\n<li>A process was injected with potentially malicious code<\/li>\n<li>Process hollowing detected<\/li>\n<li>Suspicious service launched<\/li>\n<li>Possible theft of passwords and other sensitive web browser information<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h2>\n<p>Security Copilot customers can use the standalone experience to <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create their own prompts<\/a> or run the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">pre-built promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li>Incident investigation<\/li>\n<li>Microsoft User analysis<\/li>\n<li>Threat actor profile<\/li>\n<li>Threat Intelligence 360 report based on MDTI article<\/li>\n<li>Vulnerability impact assessment<\/li>\n<\/ul>\n<p>Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n<p>Microsoft Defender XDR customers can run the following queries to find related activity in their networks:<\/p>\n<p><strong>Look for suspicious outbound network connections<\/strong><\/p>\n<p>To spot remote access trojan activity in network traffic, focus on unusual outbound connections, irregular port activity, and suspicious data exfiltration patterns that may indicate a RAT is present.<\/p>\n<p>Outbound connections on ports associated with common data transfer protocols such as HTTP\/HTTPS (ports 80\/443), SMB (port 445), and DNS (port 53), or on less common ports like 16000 that specific applications and services use for network communications, might indicate such activity.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nlet domains = dynamic(['domain1', 'domain2', 'domain3']);\nDeviceNetworkEvents\n| where RemotePort in (53, 443, 16000)\n| where Protocol == \"Tcp\"\n| where RemoteUrl has_any (domains)\n| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessCommandLine, ActionType, DeviceId, LocalIP, RemoteUrl, InitiatingProcessFileName\n<\/pre>\n<\/div>\n<p><strong>Look for signs of persistence<\/strong><\/p>\n<p>The malware can run either as a Windows service or as a standalone component. To identify persistence and suspicious services, monitor for the following event IDs:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Event ID 7045<\/strong> \u2013 a new service was installed on the system. Monitor for suspicious services.<\/li>\n<li><strong>Event ID 7040<\/strong> \u2013 the start type of a service was changed (boot, on-request). A boot start type may be the vector the RAT uses to persist across a system reboot. 
On-request means that a process must ask the SCM to start the service.<\/li>\n<li>Correlate with <strong>Event ID 4697<\/strong> \u2013 a service was installed on the system (Security log).<\/li>\n<\/ul>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nDeviceEvents\n| where ActionType == \"ServiceInstalled\"\n| project Timestamp, DeviceId, ActionType, FileName, FolderPath, InitiatingProcessCommandLine\n<\/pre>\n<\/div>\n<p><strong>Look for anti-forensic behavior<\/strong><\/p>\n<p>To identify potential event log clearing, monitor for the following event IDs:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Event ID 1102<\/strong> (Security log)<\/li>\n<li><strong>Event ID 104<\/strong> (System log)<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n<p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain\/IP\/hash indicators mentioned in this blog post with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n<p>Additionally, Sentinel users can use the following query to detect when the security event log has been cleared, a potential indicator of an attempt to erase system evidence.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, @'\\')[1]), AccountNTDomain = tostring(split(Account, @'\\')[0])\n<\/pre>\n<\/div>\n<p>Sentinel users can also use the following query to detect service installations or modifications to service settings, which may indicate persistence mechanisms used by attackers.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\nEvent\n\/\/ 7045: A service was installed in the system\n\/\/ 7040: A service setting has been changed\n| where Source == \"Service Control Manager\"\n| where EventID in ('7045', '7040')\n| parse EventData with * 'ServiceName\"&gt;' ServiceName \"&lt;\" * 'ImagePath\"&gt;' ImagePath \"&lt;\" *\n| parse EventData with * 'AccountName\"&gt;' AccountName \"&lt;\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, AccountName\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb<\/td>\n<td>SHA-256<\/td>\n<td>WWStartupCtrl64.dll<\/td>\n<\/tr>\n<tr>\n<td>194.195.89[.]47<\/td>\n<td>IP address<\/td>\n<td>C2<\/td>\n<\/tr>\n<tr>\n<td>app.95560[.]cc<\/td>\n<td>Domain name<\/td>\n<td>C2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at&nbsp;<a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/x.com\/MsftSecIntel<\/a>.<\/p>\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p>Microsoft is committed to delivering a comprehensive customer experience through various Microsoft Offerings. 
Our approach goes beyond traditional support by focusing on detection, prevention, and in-depth mitigation to help customers quickly respond to security incidents and build resiliency. <strong>Want to know how to Build a More Secure Tomorrow<\/strong>? Check our <a href=\"https:\/\/info.microsoft.com\/AM-SCITL-CNTNT-FY25-07Jul-19-Building-a-more-secure-tomorrow-with-Microsoft-Unified-SRGCM12617_LP01-Registration---Form-in-Body.html\">Unified and Security eBook<\/a> and visit <a href=\"https:\/\/aka.ms\/Unified\">https:\/\/aka.ms\/Unified<\/a><\/p>\n<p><em><strong>Dmitriy Pletnev<\/strong> and <strong>Daria Pop<\/strong><br \/>Microsoft Incident Response<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes the malware\u2019s key behaviors, capabilities, and the potential risk posed to systems and users.<br \/>\nThe post StilachiRAT analysis: From system reconnaissance to cryptocurrency theft appeared first on Microsoft Security Blog. 
<\/p>\n","protected":false},"author":2,"featured_media":58317,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[244],"class_list":["post-58316","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-remote-code-execution"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=58316"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58316\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/58317"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=58316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=58316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=58316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}