Video game mods are spreading new ‘Stealka’ crypto infostealer: Kaspersky

cointelegraphPublished on 2025-12-22Last updated on 2025-12-22

Abstract

A new malware called "Stealka" is targeting cryptocurrency wallets and browser extensions by disguising itself as video game cheats, mods, and software cracks, according to Kaspersky. The infostealer, discovered in November, is distributed through legitimate platforms like GitHub and Google Sites, and sometimes via fake professional-looking websites. It primarily targets Chromium and Gecko-based browsers—including Chrome, Firefox, and Edge—and steals autofill data, login credentials, and payment details. It also specifically targets 115 browser extensions related to crypto wallets, 2FA services, and password managers, including Binance, MetaMask, Trust Wallet, and Coinbase. Kaspersky advises using reliable antivirus software, avoiding pirated software and unofficial mods, and refraining from storing passwords in browsers.

New malware has been discovered that targets crypto wallets and browser extensions while disguising itself as game cheats and mods, says cybersecurity firm Kaspersky.

Kaspersky reported on Thursday that it had uncovered a new infostealer dubbed “Stealka,” which targets Microsoft Windows user data.

Attackers have used the malware, which was discovered in November, to hijack accounts, steal cryptocurrency, and install crypto miners on their victims’ computers while masquerading as video game cracks, cheats, and mods.

The malicious software has been distributed through legitimate platforms like GitHub, SourceForge, and Google Sites, and disguised as game mods, especially for Roblox, and software cracks for applications such as Microsoft Visio.

Sometimes, attackers go a step further, possibly using artificial intelligence tools, and creating entire fake websites that look “quite professional,” said Kaspersky researcher Artem Ushkov.

A fake website pretending to offer Roblox scripts, Source: Kaspersky

Crypto wallets and extensions targeted

Ushkov noted that Stealka has a fairly “extensive arsenal of capabilities,” but is particularly dangerous because its prime target is data from browsers built on the Chromium and Gecko engines.

This puts over 100 different browsers at risk, including popular ones such as Chrome, Firefox, Opera, Yandex, Edge, Brave, and many others.

Related: Hackers are exploiting a JavaScript library to plant crypto drainers

Its primary targets are autofill data, such as sign-in credentials, addresses, and payment card details, but it also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA (two-factor authentication) services.

Some of the 80 crypto wallets targeted include Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Nexus, and Exodus.

Kaspersky also said the messaging apps, including Discord, Telegram, Unigram, Pidgin, and Tox, were also at risk, as were email clients, password managers, gaming clients, and even VPN applications.

Avoid pirated software and game mods

To stay protected, Kaspersky recommended using reliable antivirus software and password managers to avoid storing passwords in browsers. It also cautioned against using pirated software and unofficial game mods.

Cloudflare reported last week that more than 5% of all emails sent worldwide contain malicious content, and more than half of those contained a phishing link, while a quarter of all HTML attachments were found to be malicious.

Magazine: Big questions: Would Bitcoin survive a 10-year power outage?

Related Questions

QWhat is the name of the new infostealer malware discovered by Kaspersky and what does it target?

AThe new infostealer is called 'Stealka'. It primarily targets data from browsers built on Chromium and Gecko engines, including autofill data (sign-in credentials, addresses, payment card details), and the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services.

QHow is the Stealka malware being distributed to potential victims?

AThe malware is distributed by disguising itself as video game cracks, cheats, and mods. It has been spread through legitimate platforms like GitHub, SourceForge, and Google Sites. Attackers sometimes create entire fake, professional-looking websites to host the malicious software.

QWhich specific types of applications and services are at risk from the Stealka infostealer?

AOver 100 different browsers (Chrome, Firefox, Opera, etc.), 80 crypto wallets (Binance, Coinbase, MetaMask, etc.), messaging apps (Discord, Telegram, etc.), email clients, password managers, gaming clients, and VPN applications are all at risk.

QWhat recommendations does Kaspersky provide to protect against this threat?

AKaspersky recommends using reliable antivirus software, using password managers instead of storing passwords in browsers, and avoiding the use of pirated software and unofficial game mods.

QBeyond game mods, what other type of software is commonly used as a disguise for this malware?

AThe malware is also disguised as software cracks for applications such as Microsoft Visio.

Related Reads

Aave Withdrawal, TVL Plunges: Where is MegaETH's Valuation Anchor?

MegaETH, once a highly anticipated new blockchain, has seen a dramatic decline in its Total Value Locked (TVL) and token price. According to DefiLlama data, its TVL plummeted nearly 60% in 24 hours, falling to just over $30 million from a May peak, with the Aave V3 protocol withdrawing 80% of its liquidity. The MEGA token price dropped to around $0.048, with a market cap of ~$54 million and a fully diluted valuation (FDV) of ~$480 million. The analysis identifies three key mismatches between MegaETH's valuation and its fundamentals. First, its high FDV contrasts with minimal real usage: low protocol revenue (~$90k/30 days) and few daily active addresses. Second, its DeFi narrative is contradicted by its revenue structure, where a collectible card game (Monster) generates most income, not major DeFi protocols like Aave. Third, initial hype from VC backing and airdrop farming has faded without sustained user adoption or clear applications. The TVL was heavily concentrated in Aave and largely driven by cyclical arbitrage strategies involving stablecoins like USDm and USDe. As the yield for these strategies diminished, funds rapidly exited. The departure of this speculative capital has exposed a lack of substantial, organic ecosystem activity. While the sharp drop could be seen as a correction from inflated expectations, the article suggests MegaETH's valuation lacks a solid foundation. Future price movements may rely on short-term market sentiment rather than genuine improvement in network fundamentals, such as increased real usage, a diversified application ecosystem, and consistent user growth. The situation reflects a broader market trend of demanding clearer value propositions beyond just high TVL figures.

marsbit37m ago

Aave Withdrawal, TVL Plunges: Where is MegaETH's Valuation Anchor?

marsbit37m ago

Trading

Spot
活动图片