Kaspersky researchers have uncovered Stealka, a complicated infostealer masquerading as recreation mods and pirated software program that targets crypto wallets and browser credentials throughout over 115 extensions.
The malware spreads by way of trusted platforms, together with GitHub, SourceForge, and Softpedia, the place attackers create professional-looking pretend web sites and repositories to distribute the menace below the guise of in style recreation cheats for titles like Roblox and GTA V.
The invention marks the most recent escalation in a broader sample of gaming-focused malware campaigns, as cybercriminals more and more exploit the belief players place in modding communities.
Attackers leverage in style search phrases and authentic-looking obtain pages to lure victims, with some websites falsely claiming that virus scans are performed earlier than downloads, although no such verification happens.
The malicious recordsdata seem intentionally misleading; one pretend web site marketed Half-Life 3 whereas describing it as “skilled software program answer designed for Home windows,” utilizing in style gaming titles merely as bait to maximise search engine visibility.
In depth Arsenal Targets Crypto Wallets
In accordance with the safety agency, Stealka’s capabilities prolong far past fundamental credential theft, focusing on knowledge from browsers constructed on Chromium and Gecko engines, placing over 100 purposes, together with Chrome, Firefox, Opera, and Edge, at speedy threat.
The malware extracts autofill knowledge, session tokens, and cookies that permit attackers to bypass two-factor authentication and hijack accounts with out passwords, whereas concurrently focusing on 115 browser extensions for crypto wallets, password managers, and authentication providers.
Excessive-value targets embrace crypto wallets similar to Binance, Coinbase, MetaMask, Belief Pockets, and Phantom, in addition to password managers similar to 1Password, Bitwarden, LastPass, and NordPass.
The stealer downloads native configurations from 80 pockets purposes, encompassing Bitcoin, Ethereum, Exodus, Monero, and Dogecoin, that will comprise encrypted personal keys and seed phrase knowledge adequate to compromise holdings.
Past crypto property, Stealka infiltrates messaging apps like Discord and Telegram, electronic mail purchasers together with Outlook and Thunderbird, gaming platforms similar to Steam and Roblox launchers, VPN purchasers like ProtonVPN and Surfshark, and note-taking apps the place customers typically improperly retailer delicate data.
The malware moreover harvests system knowledge, put in program lists, {hardware} specs, and captures screenshots to maximise intelligence gathering.
Attackers have used compromised accounts to unfold the malware additional, with Kaspersky discovering the stealer in a GTA V mod posted by a beforehand hijacked account on a devoted modding web site.
Trade Faces Mounting Safety Disaster
The Stealka marketing campaign emerges amid catastrophic industry-wide safety failures, as crypto platforms have misplaced $9.1 billion in 2025 alone, which is 10% of the $90 billion stolen over the previous 15 years.
In November, losses exceeded $276 million, pushing the annual complete previous historic data.
“Crypto is going through a safety reckoning,” mentioned Mitchell Amador, CEO of Immunefi, a crowdsourced safety platform defending $180 billion in property.
“Most hacks this yr haven’t occurred resulting from poor audits—they’ve occurred after launch, throughout protocol upgrades, or by way of integration vulnerabilities.“
Amador emphasised that 99% of Web3 tasks function with out fundamental firewalls whereas fewer than 10% deploy trendy AI safety instruments, calling the sector’s method “willful negligence.“
The human component has change into the first assault floor, with menace actors shifting from code vulnerabilities to operational safety breaches as sensible contracts change into tougher to use.
“The menace panorama is shifting from on-chain code vulnerabilities to operational safety and treasury-level assaults,” Amador defined. “As code hardens, attackers goal the human component.”
North Korea's Well-known Chollima hides malware in sensible contracts by way of EtherHiding, posing as job recruiters after stealing $1.3B in 2024 and $2.2B in H1 2025.#NorthKorea #Blockchainhttps://t.co/8W6Pfj41u8
— Cryptonews.com (@cryptonews) October 17, 2025
Kaspersky’s broader analysis reveals a sustained malware ecosystem, having beforehand documented the GitVenom marketing campaign involving a whole lot of faux GitHub repositories, SparkKitty cell malware that infiltrated Apple’s App Retailer and Google Play to steal seed phrase screenshots by way of OCR, and ClipBanker trojans hidden in pretend Microsoft Workplace downloads.
North Korean menace teams have additionally escalated ways by weaponizing blockchain know-how itself, embedding malware payloads in sensible contracts on the BNB Sensible Chain and Ethereum, making a decentralized command-and-control infrastructure that regulation enforcement can’t shut down.
For now, Kaspersky recommends customers to do the next:
- Deploy dependable antivirus software program.
- Keep away from storing delicate credentials in browsers.
- Train excessive warning with recreation cheats and pirated software program.
- Allow two-factor authentication with backup codes saved in encrypted password managers moderately than textual content recordsdata.
- Chorus from downloading software program from untrusted sources regardless of the comfort they could provide.
The publish Avid gamers at Danger as Pretend Roblox Mods Unfold Crypto-Stealing Malware appeared first on Cryptonews.