A newly identified malware strain known as Stealka is stealing cryptocurrency by posing as game cheats, software cracks and popular mods, using trusted download platforms and fake websites to trick users into infecting their own devices.
Cybersecurity researchers at Kaspersky say the Windows-based infostealer has been actively circulating since at least November, targeting browser data, locally installed applications and both browser-based and desktop crypto wallets.
Once executed, Stealka is capable of hijacking online accounts, draining cryptocurrency holdings and, in some cases, installing a crypto miner to further monetize infected systems.
Spreads Through Game Cheats And Pirated Software
According to Kaspersky’s analysis, Stealka spreads primarily through files that users voluntarily download and run.
The malware is commonly disguised as cracked versions of commercial software or as cheats and mods for popular games, distributed through widely used platforms such as GitHub, SourceForge, Softpedia and Google Sites.
In several cases, attackers uploaded malicious files to legitimate repositories, relying on the platforms’ credibility to lower suspicion.
In parallel, researchers observed professionally designed fake websites offering pirated software or game scripts.
These sites often display false antivirus scan results to create the impression that downloads are safe.
In reality, the file names and page descriptions serve only as bait; the downloaded content consistently contains the same infostealer payload.
Malware Targets Browsers, Wallets And Local Applications
Once installed, Stealka focuses heavily on web browsers built on Chromium and Gecko, exposing users of more than a hundred browsers to data theft.
The malware extracts saved login credentials, autofill data, cookies and session tokens. Because stolen cookies and session tokens represent sessions that are already authenticated, attackers can reuse them to bypass two-factor authentication and take over accounts without passwords.
Compromised accounts are then used to distribute the malware further, including through gaming communities.
Stealka also targets browser extensions tied to cryptocurrency wallets, password managers and authentication tools. Researchers identified attempts to harvest data from extensions linked to major crypto wallets such as MetaMask, Trust Wallet and Phantom, as well as password and authentication services including Bitwarden, Authy and Google Authenticator.
Beyond browsers, the malware collects configuration files and local data from dozens of desktop applications.
These include standalone crypto wallets that may store encrypted private keys and wallet metadata, messaging apps, email clients, VPN software, note-taking tools and gaming launchers.
Why It Matters
Access to this information enables attackers to steal funds, reset account credentials and conceal further malicious activity.
The malware additionally gathers system information and captures screenshots of infected devices.
Kaspersky warned that the Stealka campaign highlights the growing overlap between piracy, gaming-related downloads and financial cybercrime, urging users to avoid untrusted software sources and to treat cheats, mods and cracks as high-risk files.

