
Cybersecurity Company Kaspersky Warns Gamers and Crypto Users about Stealka!


Cybersecurity company Kaspersky has warned about a new information-stealing program called Stealka that is spreading through pirated Windows software and game modifications and is used to drain crypto wallets, hijack online accounts, and install a crypto-miner on victim machines.

Fake Mods and Cracks Used as Bait

Kaspersky researchers identified Stealka back in November, after seeing it bundled with what claimed to be game cheats, cracked software, and unofficial mods. The malware is distributed through well-known download platforms, and through convincing fake websites that imitate legitimate software portals.

A pirated version of Microsoft Visio containing the stealer, hosted on GitHub.

These malicious sites often display a message that claims every file has been scanned by many antivirus tools. According to Kaspersky, that scan is fake, and is intended to reassure the user before they start the download.

According to Kaspersky, victims have to launch the download themselves. Once the file is running, the promised cheat or crack never appears, and Stealka begins to work in the background.

Browsers and Cookies in Focus

Stealka is described as a multifunction information stealer, with its main interest lying in data stored in browsers based on the Chromium and Gecko engines, a group that covers more than one hundred browsers, including Chrome, Firefox, Opera, Yandex Browser, Edge, and Brave.

The malware targets autofill data, such as saved logins, addresses, and payment card details, meaning that storing passwords in the browser leaves users at risk, according to Kaspersky.

Stealka also harvests cookies and session tokens. Criminals value these because they can sometimes log in to accounts using tokens alone, and may even bypass two-factor checks without knowing the victim's password.

Extensions and Crypto Wallets

The malware does not stop at the browser's main data store. It also tries to read configuration files and databases from 115 browser extensions used for cryptocurrency wallets, password managers, and two-factor authentication services.

Among the wallet extensions listed by Kaspersky are products linked to Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, and Exodus. Extensions for services such as Authy, Google Authenticator, and Bitwarden are also in scope, along with password managers including 1Password, Bitwarden, LastPass, KeePassXC, and NordPass.

In addition to web-based applications, Stealka turns to desktop cryptocurrency wallets, collecting settings and files from around 80 programs. These can contain encrypted private keys, seed-phrase fragments, file paths, and encryption parameters, giving attackers a chance to go after digital funds.

Messaging, Email, Notes & Games Are Also Affected

According to Kaspersky, Stealka also goes after data from messaging tools, stealing files from apps such as Discord, Telegram, Unigram, Pidgin, and other apps that can contain account details, device identifiers, authentication tokens, and encryption parameters, potentially allowing attackers to take over accounts and read past conversations.

Email clients are also at risk: programs such as Gmail Notifier Pro, Claws, Mailbird, and Outlook, which store account credentials, server settings, tokens, and local copies of messages, are on Stealka’s radar.

Simple note-taking tools such as NoteFly, Notezilla, SimpleStickyNotes, and Microsoft StickyNotes are also a weak point when users store seed phrases or passwords in plain text, giving the malware a direct path to highly sensitive information.

Gaming platforms and launchers are also targeted. Stealka takes files from major services such as Steam, Roblox, and Battle.net that contain account identifiers, linked accounts, and authentication tokens, which can be used to hijack gaming profiles, abuse connected services, and help spread the malware further.

A fake website pretending to offer Roblox scripts.

On top of these functions, Stealka gathers general system information, such as the list of installed programs, the version and language of the operating system, the user name, and details of the hardware, and can capture screenshots from the infected device.

Stealka also looks for configuration files from virtual private network clients, including OpenVPN, ProtonVPN, Surfshark, and WindscribeVPN, so attackers can hide their activity behind a victim’s identity.
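A defender can turn the breadth described above into a detection: a single process that opens credential stores belonging to several unrelated applications is unlikely to be legitimate. The sketch below is an added example, not Kaspersky's tooling; the path fragments are commonly seen default locations, and the event tuples, the file name mod_setup.exe and the two-category threshold are constructed assumptions standing in for real file-access audit logs.

```python
import ntpath
from collections import defaultdict

# category -> (processes expected to open the store, path fragments of the store)
STORES = {
    "browser": ({"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"},
                (r"\user data\default\login data", r"\network\cookies",
                 r"\local extension settings", r"\logins.json", r"\cookies.sqlite")),
    "messenger": ({"discord.exe", "telegram.exe"},
                  (r"\discord\local storage", r"\telegram desktop\tdata")),
    "games": ({"steam.exe"}, (r"\steam\config\loginusers.vdf",)),
    "vpn": ({"openvpn.exe", "openvpn-gui.exe"}, (r"\openvpn\config",)),
}

def classify(path):
    """Return the data category a file path belongs to, or None."""
    p = path.lower()
    for category, (_owners, fragments) in STORES.items():
        if any(f in p for f in fragments):
            return category
    return None

def suspicious_readers(events, min_categories=2):
    """Map process image -> sorted categories it opened without owning them."""
    seen = defaultdict(set)
    for image, target in events:
        category = classify(target)
        if category and ntpath.basename(image).lower() not in STORES[category][0]:
            seen[image].add(category)
    return {img: sorted(c) for img, c in seen.items() if len(c) >= min_categories}

# Constructed sample events: (process image, file opened)
U = r"C:\Users\alice\AppData"
DROPPED = U + r"\Local\Temp\mod_setup.exe"  # hypothetical file name
SAMPLE = [
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (DROPPED, U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (DROPPED, U + r"\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    (DROPPED, r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
    (r"C:\Program Files (x86)\Steam\steam.exe",
     r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
    (r"C:\Windows\System32\notepad.exe",
     U + r"\Roaming\Mozilla\Firefox\Profiles\abc.default-release\logins.json"),
]

if __name__ == "__main__":
    for image, categories in suspicious_readers(SAMPLE).items():
        print(image, "->", ", ".join(categories))
```

Backup and security products legitimately read many of these files, so a real deployment would need an allow-list alongside the threshold.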

What Users Can Do To Protect Themselves from Stealka

Kaspersky urges users to protect their computers with reputable security software, and to remember that even files downloaded from familiar platforms are not automatically safe, as attackers are increasingly using trusted services to spread their malware.

The company also recommends enabling two-factor authentication wherever it is available, and using backup codes, which should be stored in a password manager instead of less secure options, such as plain-text files, browser forms, or simple notes.

It is also extremely important not to store passwords, bank card details, seed phrases, or other sensitive information in browsers, according to Kaspersky.


Ebrahem is a Web3 journalist, trader, and content specialist with 9+ years of experience covering crypto, finance, and emerging tech. He previously worked as a lead journalist at Cointelegraph AR, where he reported on regulatory shifts, institutional adoption, and sector-defining events. Focused on bridging the gap between traditional finance and the digital economy, Ebrahem writes with a simple, clear, high-impact style that helps readers see the full picture without the noise.
