Cybersecurity firm Kaspersky has issued a warning about a new and active malware campaign targeting cryptocurrency users. Dubbed "Stealka," this infostealer disguises itself as video game mods, cheats, and software cracks for popular titles like Roblox and Grand Theft Auto V (GTAV), as well as applications such as Microsoft Visio.
The campaign, active since at least November 2025, distributes the malware through legitimate platforms like GitHub, SourceForge, and Google Sites, exploiting the trust users place in them to reach a broad audience. In some cases, attackers create sophisticated fake websites, potentially using AI tools, to appear professional and deceive users.
Once a user downloads and executes the malicious file, Stealka activates. Its primary function is to steal sensitive data from browsers built on the Chromium and Gecko engines, including popular options like Chrome, Firefox, Edge, Opera, Yandex Browser, and Brave. The malware harvests autofill data such as login credentials, saved addresses, and payment card details.
Most critically for crypto users, Stealka specifically targets the settings and databases of 115 browser extensions related to cryptocurrency wallets and two-factor authentication services. Kaspersky estimates that at least 80 wallet applications are at risk, as the malware can extract sensitive configuration data containing private keys, seed phrases, wallet file paths, and encryption parameters. Named wallets include Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, Nexus, and Exodus. The malware also targets messaging apps like Discord and Telegram, email clients, password managers, and VPN applications.
Beyond data theft, Stealka can hijack accounts, steal cryptocurrency directly, and install crypto miners on infected devices. Kaspersky advises users to protect themselves by using reliable antivirus software, avoiding pirated software and unofficial game mods, and refraining from storing sensitive information in browsers.