19 March 2025

Weekly Summary Cyberattacks March 13-18

New StilachiRAT Trojan steals credentials and cryptocurrencies

Microsoft researchers have discovered a new remote access Trojan (RAT) called StilachiRAT, designed to evade detection and steal sensitive information. The malware collects credentials stored in browsers, digital wallet data and clipboard content, and it monitors Remote Desktop Protocol (RDP) sessions. It also communicates with command and control (C2) servers so that operators can execute commands remotely. StilachiRAT employs advanced techniques to maintain persistence, hide its activity and hinder forensic analysis, such as manipulating system logs and obfuscating Windows API calls. Although Microsoft has not yet identified the perpetrators or their geographical origin, it warns of the malware's potential danger and recommends reinforcing security measures to prevent infection.

Phishing campaign spoofing Coinbase

A phishing campaign is deceiving Coinbase users with fake emails that spoof a mandatory digital wallet migration. The fraudulent message, with the subject line “Migrate to Coinbase Wallet,” states that the platform has been forced to transition to self-custodial wallets because of an alleged court order. Unlike other scams, this attack does not request the user's recovery phrase; instead it supplies a pre-generated one that the fraudsters already control. A victim who sets up a new wallet with this phrase and transfers funds into it hands the cryptocurrency straight to the attackers. The email appears legitimate because it is sent through trusted servers such as SendGrid and Akamai, which allows it to evade spam filters. Akamai has stated that it is investigating the incident. Coinbase has warned that it will never send recovery phrases to its customers and recommends ignoring these messages. Those who have fallen for the scam should immediately transfer their funds to a secure wallet before they are stolen.

Cybercriminals use SocGholish to spread RansomHub ransomware

Cybersecurity researchers have identified that the SocGholish malware is being used as a gateway for the distribution of the RansomHub ransomware. SocGholish spreads via compromised legitimate websites: attackers inject code into trusted pages that redirects visitors to fake browser update prompts, tricking them into downloading a malicious ZIP file. Upon execution, the SocGholish loader is activated and facilitates the installation of backdoors and the exfiltration of data. The operation also uses malicious Keitaro TDS (traffic distribution system) servers to filter traffic and avoid detection. The attacks have been reported mostly in the US, affecting government entities and the financial sector. Experts recommend implementing advanced security solutions, network monitoring and reinforced website protection to mitigate the risk of these intrusions.

Threat actors abuse CSS to evade detection and track users

A cybersecurity report has revealed that threat actors are using Cascading Style Sheets (CSS) to evade spam filters and track users without relying on JavaScript. With a technique known as “hidden text salting,” attackers pad emails with content that is invisible to the reader but confuses detection engines, using CSS properties such as text-indent, opacity and clip-path to hide the text. Attackers also leverage CSS rules to track user activity, recording when a recipient opens, prints or views an email. They can further fingerprint the recipient's system, such as the operating system and mail client, through specific fonts and conditional image loading. To mitigate these attacks, the report recommends advanced filters that detect hidden content and privacy proxies in mail clients, which prevent data extraction via CSS.
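One way a mail-filtering team could flag hidden text salting of the kind described above, as an added example that is not part of the original report: a small Python checker that walks an HTML body and reports text nodes whose inline style uses the named properties (opacity, text-indent, clip-path) to hide them. The rule list, the class and function names and the sample message are constructed for this illustration and assume inline styles only, not external stylesheets.

```python
import re
from html.parser import HTMLParser
# Inline CSS declarations that render text invisible: the three properties named in the report, plus display:none.
HIDING_RULES = [
    ("opacity", re.compile(r"^\s*0(\.0+)?\s*$")),
    ("text-indent", re.compile(r"^\s*-")),         # negative indent pushes text off-canvas
    ("clip-path", re.compile(r"inset\(\s*100%")),  # clips the whole box away
    ("display", re.compile(r"^\s*none\s*$")),
]

def hiding_reason(style):
    # Return the inline CSS declaration that hides the element, or None.
    for decl in style.split(";"):
        prop, _, value = decl.partition(":")
        for name, pattern in HIDING_RULES:
            if prop.strip().lower() == name and pattern.search(value):
                return f"{name}:{value.strip()}"
    return None

class HiddenTextFinder(HTMLParser):
    VOID = {"br", "img", "hr", "input", "meta", "link"}  # elements with no end tag

    def __init__(self):
        super().__init__()
        self.open = []       # (tag, hiding reason or None) per open element
        self.findings = []   # (css declaration, hidden text) per hidden text node
    def handle_starttag(self, tag, attrs):
        if tag not in self.VOID:
            self.open.append((tag, hiding_reason(dict(attrs).get("style") or "")))
    def handle_endtag(self, tag):
        while self.open and self.open.pop()[0] != tag:
            pass  # tolerate unclosed inner elements
    def handle_data(self, data):
        text = data.strip()
        reason = next((r for _, r in reversed(self.open) if r), None)  # innermost hider
        if text and reason:
            self.findings.append((reason, text))

def find_hidden_text(html):
    """Parse an HTML mail body, return (css declaration, hidden text) pairs."""
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample mail body: hidden salt text interleaved with the visible lure.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs <span style="opacity:0">lorem ipsum dolor</span>verification.</p>
<p>Click <span style="text-indent:-9999px">salt words here</span>the link below.</p>
<div style="clip-path: inset(100%)">tracking token XYZ</div>
</body></html>"""
```

A real filter would also resolve `<style>` blocks and class selectors, and would score on the ratio of hidden to visible text rather than on a single match.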

CISA warns of Medusa ransomware cyber-attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), as part of its #StopRansomware initiative, has issued a joint alert with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) about the Medusa ransomware. This group has affected more than 300 critical infrastructure organizations in the U.S. as of February 2025. The most affected sectors include healthcare, education, legal, insurance, technology and manufacturing. Officials recommend strengthening security by patching known vulnerabilities, segmenting networks and filtering unauthorized traffic. Active since 2021, Medusa stepped up its operations in 2023 with a leak blog used to extort its victims. It currently operates under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates and offering them payouts of up to $1 million.