Video game mods are spreading new ‘Stealka’ crypto infostealer: Kaspersky

cointelegraphPublished on 2025-12-22Last updated on 2025-12-22

Abstract

A new malware called "Stealka" is targeting cryptocurrency wallets and browser extensions by disguising itself as video game cheats, mods, and software cracks, according to Kaspersky. The infostealer, discovered in November, is distributed through legitimate platforms like GitHub and Google Sites, and sometimes via fake professional-looking websites. It primarily targets Chromium and Gecko-based browsers—including Chrome, Firefox, and Edge—and steals autofill data, login credentials, and payment details. It also specifically targets 115 browser extensions related to crypto wallets, 2FA services, and password managers, including Binance, MetaMask, Trust Wallet, and Coinbase. Kaspersky advises using reliable antivirus software, avoiding pirated software and unofficial mods, and refraining from storing passwords in browsers.

New malware has been discovered that targets crypto wallets and browser extensions while disguising itself as game cheats and mods, says cybersecurity firm Kaspersky.

Kaspersky reported on Thursday that it had uncovered a new infostealer dubbed “Stealka,” which targets Microsoft Windows user data.

Attackers have used the malware, which was discovered in November, to hijack accounts, steal cryptocurrency, and install crypto miners on their victims’ computers while masquerading as video game cracks, cheats, and mods.

The malicious software has been distributed through legitimate platforms like GitHub, SourceForge, and Google Sites, and disguised as game mods, especially for Roblox, and software cracks for applications such as Microsoft Visio.

Sometimes, attackers go a step further, possibly using artificial intelligence tools, and creating entire fake websites that look “quite professional,” said Kaspersky researcher Artem Ushkov.

A fake website pretending to offer Roblox scripts, Source: Kaspersky

Crypto wallets and extensions targeted

Ushkov noted that Stealka has a fairly “extensive arsenal of capabilities,” but is particularly dangerous because its prime target is data from browsers built on the Chromium and Gecko engines.

This puts over 100 different browsers at risk, including popular ones such as Chrome, Firefox, Opera, Yandex, Edge, Brave, and many others.

Related: Hackers are exploiting a JavaScript library to plant crypto drainers

Its primary targets are autofill data, such as sign-in credentials, addresses, and payment card details, but it also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA (two-factor authentication) services.

Some of the 80 crypto wallets targeted include Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Nexus, and Exodus.

Kaspersky also said the messaging apps, including Discord, Telegram, Unigram, Pidgin, and Tox, were also at risk, as were email clients, password managers, gaming clients, and even VPN applications.

Avoid pirated software and game mods

To stay protected, Kaspersky recommended using reliable antivirus software and password managers to avoid storing passwords in browsers. It also cautioned against using pirated software and unofficial game mods.

Cloudflare reported last week that more than 5% of all emails sent worldwide contain malicious content, and more than half of those contained a phishing link, while a quarter of all HTML attachments were found to be malicious.

Magazine: Big questions: Would Bitcoin survive a 10-year power outage?

Related Questions

QWhat is the name of the new infostealer malware discovered by Kaspersky and what does it target?

AThe new infostealer is called 'Stealka'. It primarily targets data from browsers built on Chromium and Gecko engines, including autofill data (sign-in credentials, addresses, payment card details), and the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services.

QHow is the Stealka malware being distributed to potential victims?

AThe malware is distributed by disguising itself as video game cracks, cheats, and mods. It has been spread through legitimate platforms like GitHub, SourceForge, and Google Sites. Attackers sometimes create entire fake, professional-looking websites to host the malicious software.

QWhich specific types of applications and services are at risk from the Stealka infostealer?

AOver 100 different browsers (Chrome, Firefox, Opera, etc.), 80 crypto wallets (Binance, Coinbase, MetaMask, etc.), messaging apps (Discord, Telegram, etc.), email clients, password managers, gaming clients, and VPN applications are all at risk.

QWhat recommendations does Kaspersky provide to protect against this threat?

AKaspersky recommends using reliable antivirus software, using password managers instead of storing passwords in browsers, and avoiding the use of pirated software and unofficial game mods.

QBeyond game mods, what other type of software is commonly used as a disguise for this malware?

AThe malware is also disguised as software cracks for applications such as Microsoft Visio.

Related Reads

Valuation $1 Billion, Nvidia Doubles Down! Is Prime Intellect Washing Off Its Web3 Label?

Prime Intellect, a decentralized AI infrastructure company founded in 2024, recently announced a $130 million Series A funding round at a $1 billion valuation, with investments from NVIDIA, Intel, and Dell's venture arms. The company claims its annualized recurring revenue (ARR) has exceeded $100 million within a year, serving over 6,000 enterprise clients. Initially rooted in Web3 and decentralized science (DeSci), Prime Intellect has evolved into a full-stack AI training and deployment platform. Its core technology enables distributed training of large language models across globally dispersed, heterogeneous GPU clusters. Key milestones include releasing open-source models like INTELLECT-1 and INTELLECT-3, and launching Prime Intellect Lab, a platform allowing users to train and optimize agentic models without managing their own GPU infrastructure. The company's deep collaboration with hardware giants, particularly NVIDIA, extends beyond investment to joint optimization of software (e.g., integrating NVIDIA Dynamo) and hardware systems. A notable commercial case involves fintech company Ramp using Prime Lab to train a specialized agent, demonstrating the platform's applied value. While achieving rapid commercial growth, Prime Intellect has systematically downplayed its earlier Web3 and token-based incentives from its official documentation, repositioning itself as a mainstream AI infrastructure provider focused on enterprise adoption and potential IPO.

Foresight News8m ago

Valuation $1 Billion, Nvidia Doubles Down! Is Prime Intellect Washing Off Its Web3 Label?

Foresight News8m ago

After 13% Daily Distribution, Why Did SATA Still Fall?

Strive Asset Management's BTC-linked preferred stock SATA transitioned from monthly to daily dividend distributions on June 16, with a current annualized yield of 13%. Despite this change, SATA's price fell approximately 9.9% from June 22 to June 26. The analysis highlights that this decline reflects fundamental credit and structural risks, not simply dividend frequency. SATA represents a perpetual, cumulative preferred equity interest in Strive, not a direct Bitcoin-backed bond. Its dividends depend on Strive's corporate credit and access to capital markets. While Strive's Bitcoin holdings grew from 15,009 to 19,864 BTC between May 12 and June 18, SATA's outstanding shares grew faster (from ~4.96 million to ~7.83 million). Coupled with a drop in BTC price, the pure Bitcoin coverage ratio for SATA's stated amount fell from ~2.44x to ~1.52x. A further ~34.3% decline in BTC to ~$39,416 would bring this coverage to 1.0x. Daily dividends smooth cash flow for investors and reduce dividend-capture trading, but do not eliminate price volatility or credit risk. SATA now trades at a ~12.25% discount to its $100 stated amount, implying a market yield of ~14.81% and a credit spread of ~1,117 bps over SOFR. Key risks include a negative feedback loop if SATA trades below par, making new issuance dilutive; reliance on capital markets for dividend funding despite a ~17-month cash buffer; and the perpetual nature of the security, where dividends can be deferred. In summary, SATA innovates by providing daily income from a Bitcoin-focused corporate balance sheet, but its recent price action underscores its exposure to Bitcoin valuation, company-specific financing risks, and perpetual duration. The market is repricing it from a near-par yield product to a deeply discounted high-risk credit instrument.

marsbit36m ago

After 13% Daily Distribution, Why Did SATA Still Fall?

marsbit36m ago

Unlocking 20%, $125 Million in Pressure, Can PUMP Hold Up?

"Pump.fun Faces Crucial Test with $125M Token Unlock Despite a cooldown in the meme coin market, Pump.fun remains one of Web3's top revenue-generating protocols, earning $28.4 million in the past 30 days. The platform has accumulated approximately $1.05 billion in total revenue from over 12 million tokens created. The protocol now faces its biggest challenge: the first unlock of team and investor tokens. A total of 82.5 billion PUMP tokens (8.25% of total supply, 20.23% of previous circulating supply), valued at around $125 million, have been unlocked. This potential selling pressure is significant compared to the token's 24-hour trading volume of only $28 million. While Pump.fun uses a portion of its revenue to buy back and burn PUMP tokens, creating buy-side pressure, this support has weakened. The buyback rate was reduced from 100% to 50% of net fees in April 2024. In June 2024, monthly buybacks totaled just $9.2 million, an over 80% drop from its peak. At this rate, selling just 7% of the newly unlocked tokens would offset a full month of buybacks. Furthermore, this unlock is only the first batch; team and investors still hold another 247.5 billion locked PUMP tokens, with 240 billion community tokens awaiting a release schedule. Despite these headwinds, PUMP is argued to be a relatively scarce asset in the current market. With a $610 million market cap against $28.4 million in monthly revenue, its valuation is lower than competitors like Hyperliquid. The investment thesis for PUMP is not betting on a single meme coin but on the persistent activity of the meme market and Pump.fun's ability to maintain its position as a key platform. The conclusion suggests that while the unlock tests short-term price resilience, the protocol's underlying revenue strength will determine PUMP's long-term trajectory, potentially making the current dip a viable entry point for long-term accumulation."

Odaily星球日报48m ago

Unlocking 20%, $125 Million in Pressure, Can PUMP Hold Up?

Odaily星球日报48m ago

Aave Withdrawal, TVL Plunges: Where is MegaETH's Valuation Anchor?

MegaETH, once a highly anticipated new blockchain, has seen a dramatic decline in its Total Value Locked (TVL) and token price. According to DefiLlama data, its TVL plummeted nearly 60% in 24 hours, falling to just over $30 million from a May peak, with the Aave V3 protocol withdrawing 80% of its liquidity. The MEGA token price dropped to around $0.048, with a market cap of ~$54 million and a fully diluted valuation (FDV) of ~$480 million. The analysis identifies three key mismatches between MegaETH's valuation and its fundamentals. First, its high FDV contrasts with minimal real usage: low protocol revenue (~$90k/30 days) and few daily active addresses. Second, its DeFi narrative is contradicted by its revenue structure, where a collectible card game (Monster) generates most income, not major DeFi protocols like Aave. Third, initial hype from VC backing and airdrop farming has faded without sustained user adoption or clear applications. The TVL was heavily concentrated in Aave and largely driven by cyclical arbitrage strategies involving stablecoins like USDm and USDe. As the yield for these strategies diminished, funds rapidly exited. The departure of this speculative capital has exposed a lack of substantial, organic ecosystem activity. While the sharp drop could be seen as a correction from inflated expectations, the article suggests MegaETH's valuation lacks a solid foundation. Future price movements may rely on short-term market sentiment rather than genuine improvement in network fundamentals, such as increased real usage, a diversified application ecosystem, and consistent user growth. The situation reflects a broader market trend of demanding clearer value propositions beyond just high TVL figures.

marsbit1h ago

Aave Withdrawal, TVL Plunges: Where is MegaETH's Valuation Anchor?

marsbit1h ago

Trading

Spot
活动图片