Kaspersky Flags Stealka Malware Targeting Crypto Wallets via Game Mods

Cybersecurity firm Kaspersky has flagged a sophisticated infostealer named Stealka that poses a significant threat to cryptocurrency users. First detected in November 2025, the malware disguises itself as game modifications and pirated software, spreading through trusted platforms including GitHub, SourceForge, and Google Sites.

The malware masquerades as cheats and modifications for popular games like Roblox and Grand Theft Auto V, as well as cracked versions of legitimate software such as Microsoft Visio. Attackers have created professional-looking fake websites to distribute the malware, making it hard for users to identify the threat without robust security measures.

How Stealka Operates

The malware’s primary focus is on browsers built using Chromium and Gecko engines, putting more than 100 diverse browsers at risk. This includes widely used browsers such as Chrome, Firefox, Opera, Edge, Brave, and Yandex Browser. Stealka extracts autofill data including sign-in credentials, addresses, and payment card details from these browsers. This is similar to .

It specifically targets the settings and databases of browser extensions, focusing on crypto wallets, password managers, and two-factor authentication services. Among the 80 cryptocurrency wallets targeted are major platforms including Binance, Coinbase, MetaMask, Crypto.com, SafePal, Trust Wallet, Phantom, Ton, Nexus, and Exodus.

Stealka searches for highly sensitive information including encrypted secret keys, seed phrase data, wallet file paths, and encryption parameters. This stolen data could potentially allow attackers to gain unauthorized access to digital assets and drain cryptocurrency wallets. The malware also targets standalone cryptocurrency wallet applications, accessing configuration files that contain critical security information.

Beyond cryptocurrency-related targets, Stealka compromises messaging applications like Discord and Telegram, email clients, gaming platforms, password management applications, and VPN services. This broad targeting approach enables cybercriminals to potentially hijack accounts and gather intelligence for further attacks.

Kaspersky researcher Artem Ushkov noted that most users targeted by Stealka are based in Russia, though attacks have also been detected in Turkey, Brazil, Germany, and India. Attackers have also been found using compromised accounts on legitimate gaming mod sites to spread the malware further, creating a cycle where hijacked credentials become tools for additional infections.

Protection and Impact

The malware’s potential for causing financial damage is considerable; however, Kaspersky reports that all detected instances were blocked by its security solutions. There is currently no confirmed evidence of significant cryptocurrency theft resulting from Stealka infections.

To stay protected, Kaspersky recommends several critical measures. Users should avoid downloading pirated software, unofficial game modifications, and cheats from unverified sources, as these remain primary distribution vectors for such malware.

Deploying reliable antivirus software with real-time scanning capabilities is essential. Users should minimize storing sensitive information like passwords and payment details directly in browsers, instead using dedicated password management applications. Two-factor authentication should be enabled on all accounts, with backup codes stored securely outside of browsers or plain text files.

Kaspersky also advises users to exercise caution about which browser extensions they install and to download software only from official, verified sources.
