Cyber Security News

Microsoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which poses significant threats to system security by stealing sensitive data, including credentials and cryptocurrency information.

This sophisticated malware was discovered by Microsoft Incident Response researchers in November 2024 and is notable for its advanced evasion techniques and persistence mechanisms.

Key Capabilities of StilachiRAT

StilachiRAT is designed to gather extensive system information, including operating system details, hardware identifiers, and camera presence.

It targets Google Chrome to extract saved credentials and digital wallet data, specifically focusing on cryptocurrency wallet extensions.

The malware establishes communication with command-and-control (C2) servers using TCP ports 53, 443, or 16000, allowing for remote command execution and potential SOCKS-like proxying.

StilachiRATStilachiRAT
Start the malware via SCM

It also monitors Remote Desktop Protocol (RDP) sessions, capturing active window information and impersonating users, which could enable lateral movement within networks.

StilachiRAT employs anti-forensic tactics such as clearing event logs and detecting analysis tools to evade detection.

It uses API-level obfuscation techniques to conceal its use of Windows APIs, making manual analysis more complex.

The malware can launch various commands from the C2 server, including system reboots, log clearing, and application execution.

Its persistence mechanisms involve running as a Windows service or standalone component, with watchdog threads ensuring its self-reinstatement if removed.

Mitigation Strategies

To protect against StilachiRAT, Microsoft recommends implementing robust security measures.

Users should only download software from official or reputable sources and utilize browsers like Microsoft Edge that support SmartScreen for identifying malicious websites.

Enabling features such as Safe Links and Safe Attachments in Office 365 can also help prevent attacks.

Network protection in Microsoft Defender for Endpoint should be activated to block access to malicious domains.

Access user’s files

Additionally, enabling tamper protection and running endpoint detection in block mode can help block malicious artifacts.

Microsoft Defender Antivirus detects StilachiRAT as TrojanSpy:Win64/Stilachi.A, and customers can use Microsoft Defender XDR to monitor for suspicious activity and implement automated response strategies.

Microsoft continues to monitor the evolving threat landscape and advises users to remain vigilant against such sophisticated threats.

The company emphasizes the importance of comprehensive security solutions and regular updates to mitigate the risks associated with malware like StilachiRAT.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

New GPOHound Tool Analyzes Active Directory GPOs for Escalation Risks

Security researchers have released GPOHound, a powerful open-source tool designed to analyze Group Policy Objects (GPOs)…

26 minutes ago

Signal App Used by Trump Associate Targeted in Security Breach

A major security scare has erupted in Washington after reports emerged that a Trump associate…

52 minutes ago

CISA Issues Alert on Langflow Vulnerability Actively Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert regarding an actively exploited…

2 hours ago

Windows Deployment Services Hit by 0-Click UDP Flaw Leading to System Failures

A newly discovered pre-authentication denial-of-service (DoS) vulnerability in Microsoft’s Windows Deployment Services (WDS) exposes enterprise networks to…

2 hours ago

Critical Microsoft 0-Click Telnet Vulnerability Enables Credential Theft Without User Action

A critical vulnerability has been uncovered in Microsoft’s Telnet Client (telnet.exe), enabling attackers to steal…

2 hours ago

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems across…

17 hours ago