Game Mods, Pirated Tools Fuel Crypto Theft

Cybercriminals are increasingly hiding the Stealka infostealer inside game mods and pirated tools, turning trusted download platforms into traps for cryptocurrency users.

Stealka infostealer hidden in game mods and pirated software

Cybersecurity company Kaspersky has identified a sophisticated new infostealer named Stealka, described as a major risk for cryptocurrency holders. First detected in November 2025, the malware spreads through fake game modifications and pirated software shared on platforms such as GitHub, SourceForge, and Google Sites.

The attackers package Stealka as cheats and mods for hit games like Roblox and Grand Theft Auto V, as well as cracked versions of legitimate tools including Microsoft Visio. Moreover, they build professional-looking fake websites to host downloads, which makes distinguishing these malicious files from genuine content difficult without strong security solutions.

However, the campaign is not limited to shady sites. Kaspersky reports that cybercriminals also leverage compromised accounts on legitimate gaming mod portals to distribute infected archives, so even regular users of well-known communities may unknowingly download the malware.

How Stealka operates across browsers and extensions

Stealka focuses on browsers based on the Chromium and Gecko engines, placing more than 100 different browsers at risk. This includes widely used applications such as Chrome, Firefox, Opera, Edge, Brave, and Yandex Browser. The infostealer extracts autofill data like login credentials, addresses, and payment card details. According to Kaspersky, its behavior closely resembles the ModStealer malware identified in September.

Stealka then digs deeper into browser settings and the local databases of installed extensions. It systematically probes extensions linked to crypto wallets, password managers, and two-factor authentication services, turning an ordinary browsing session into a high-value target for financially motivated attackers.

Among the 80 cryptocurrency wallets on Stealka’s radar are major brands such as Binance, Coinbase, MetaMask, Crypto.com, SafePal, Trust Wallet, Phantom, Ton, Nexus, and Exodus. Moreover, the malware does not stop at browser extensions and can also scan for standalone wallet applications installed on the system.

Targeting private keys, seed phrases and wallet files

Once active, Stealka searches for particularly sensitive data, including encrypted private keys, seed phrase fragments, wallet file paths, and associated encryption parameters. This information can potentially enable attackers to reconstruct access to digital assets and drain cryptocurrency accounts without direct interaction from victims.

In addition, the malware examines configuration files of desktop wallet applications. These files may hold crucial security information, such as references to encryption schemes or storage locations for key material. That said, successful exploitation still requires the attackers to correctly parse and use the stolen data, which adds a technical barrier but does not eliminate the threat.
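The two sections above describe the same behavioural pattern from a defender's point of view: a process that is not a browser reads browser credential and extension stores, and it typically sweeps several stores in quick succession. The following added example (not code from the article or from Kaspersky) shows how an endpoint team could express that as detection logic. It runs over constructed JSON file-access events whose field names (ts, process, pid, path) are assumptions; the watched artifact names are the standard Chromium (Login Data, Web Data, Local Extension Settings) and Firefox (logins.json, key4.db) files, plus a wallet.dat placeholder for a desktop wallet, and the trusted process lists and the hypothetical wallet-app.exe are assumptions to be tuned to your own estate.

```python
"""Flag untrusted processes reading browser credential stores and wallet files.

Added example, not from the article. Event lines are constructed and imitate
endpoint file-access telemetry as JSON; field names are assumptions.
"""
import json
from collections import defaultdict

# Processes that legitimately open each artifact family (assumed names).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "browser.exe"}
GECKO_BROWSERS = {"firefox.exe"}

# Watched path component -> (store category, trusted readers).
ARTIFACTS = {
    "Login Data": ("chromium-logins", CHROMIUM_BROWSERS),
    "Web Data": ("chromium-autofill", CHROMIUM_BROWSERS),
    "Local Extension Settings": ("chromium-extension-storage", CHROMIUM_BROWSERS),
    "logins.json": ("gecko-logins", GECKO_BROWSERS),
    "key4.db": ("gecko-keystore", GECKO_BROWSERS),
    "wallet.dat": ("desktop-wallet-file", {"wallet-app.exe"}),  # placeholder wallet process
}
SWEEP_THRESHOLD = 3  # distinct store categories one process must touch to count as a sweep


def classify_path(path):
    """Return (artifact, category, trusted_readers) if a path component is a watched artifact."""
    for component in path.replace("\\", "/").split("/"):
        if component in ARTIFACTS:
            category, trusted = ARTIFACTS[component]
            return component, category, trusted
    return None


def analyse(event_lines):
    """Apply two rules to JSON event lines and return a list of alert dicts.

    untrusted-reader: a process outside the artifact's trusted set opened it.
    multi-store-sweep: one process touched SWEEP_THRESHOLD or more store categories.
    """
    alerts = []
    stores_by_process = defaultdict(set)  # (process, pid) -> categories touched
    for line in event_lines:
        ev = json.loads(line)
        hit = classify_path(ev["path"])
        if hit is None:
            continue  # not a credential or wallet artifact
        artifact, category, trusted = hit
        proc = ev["process"].lower()
        stores_by_process[(proc, ev["pid"])].add(category)
        if proc not in trusted:
            alerts.append({"rule": "untrusted-reader", "process": proc, "pid": ev["pid"],
                           "detail": f"{artifact} ({category}) read at {ev['ts']}"})
    for (proc, pid), categories in stores_by_process.items():
        if len(categories) >= SWEEP_THRESHOLD:
            alerts.append({"rule": "multi-store-sweep", "process": proc, "pid": pid,
                           "detail": "touched " + ", ".join(sorted(categories))})
    return alerts


# Constructed sample telemetry: two benign browser reads, one fake "mod" binary sweeping
# stores across both browser engines, and two unrelated file reads.
SAMPLE_EVENTS = [
    r'{"ts": "10:00:01", "process": "chrome.exe", "pid": 1001, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"ts": "10:00:02", "process": "firefox.exe", "pid": 1002, "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\logins.json"}',
    r'{"ts": "10:05:10", "process": "gta5_mod_menu.exe", "pid": 4242, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"ts": "10:05:10", "process": "gta5_mod_menu.exe", "pid": 4242, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}',
    r'{"ts": "10:05:11", "process": "gta5_mod_menu.exe", "pid": 4242, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\exampleextensionid\\000003.log"}',
    r'{"ts": "10:05:12", "process": "gta5_mod_menu.exe", "pid": 4242, "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\key4.db"}',
    r'{"ts": "10:05:13", "process": "gta5_mod_menu.exe", "pid": 4242, "path": "C:\\Users\\alice\\Documents\\report.docx"}',
    r'{"ts": "10:06:00", "process": "explorer.exe", "pid": 300, "path": "C:\\Users\\alice\\Downloads\\roblox_cheat.zip"}',
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['process']} (pid {alert['pid']}): {alert['detail']}")
```

The first rule fires on each individual read, which catches even a narrowly targeted stealer, while the second rule needs no process allowlist at all and catches the broad sweep across Chromium and Gecko stores that the article describes. In practice the trusted-reader lists also need to admit backup agents and the browser's own updater, so tune them against a baseline before alerting on them.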

Beyond crypto wallets: broader account compromise

Stealka’s functionality extends well beyond crypto-related targets. The infostealer can compromise messaging apps such as Discord and Telegram, email clients, gaming platforms, password management tools, and VPN services. As a result, cybercriminals can hijack multiple accounts and gather intelligence for future intrusions or social engineering campaigns.

Kaspersky researcher Artem Ushkov reports that most confirmed victims are located in Russia. However, detections have also been recorded in Turkey, Brazil, Germany, and India, showing that the infection chain is already spreading globally.

Attackers frequently rely on previously stolen credentials to fuel new waves of compromise. For example, they may take over accounts on trusted game mod sites, upload new malicious archives, and thus turn a normal mod distribution into a stealthy game mod malware vector that further amplifies their reach.

Financial risk and current impact

The potential financial damage from Stealka is substantial, given its ability to exfiltrate wallet data and payment information. However, Kaspersky states that all known infection attempts observed by its systems have been blocked by its security products, with no confirmed large-scale cryptocurrency theft directly attributed to this campaign so far.

That said, the lack of public evidence does not mean the threat is negligible. Undetected infections may still exist on systems without adequate protection, especially where users download cracked tools or suspicious mods from unofficial sources.

Protection strategies for crypto users and gamers

To mitigate risk, Kaspersky urges users to avoid pirated software and unverified game cheats, both common sources of malware. Downloading mods, cracked software, and tools from random forums or file-sharing platforms remains one of the main infection vectors for Stealka and similar families.

Moreover, deploying reputable antivirus solutions with real-time scanning is essential. Security suites capable of detecting infostealers can block malicious executables before they access browser databases or wallet folders, significantly limiting the window of exposure for sensitive data.

Users should also reconsider how they store personal information in browsers. Kaspersky recommends minimizing the storage of passwords and payment card details in browser autofill. Instead, individuals should rely on dedicated password management applications, which generally provide stronger protection than browser autofill against this kind of credential theft.

Hardening authentication and browser hygiene

Enabling strong multi-step protection on all important services is another key layer of defense. Stealka's operators specifically aim to bypass simple login flows, so adding two-factor authentication and keeping recovery codes in secure offline locations can drastically reduce successful account takeovers.

Furthermore, users should treat installation prompts for new browser add-ons with skepticism. Reviewing permissions and limiting installations to official extension stores helps reduce the risk of a browser extension hijack. Kaspersky also stresses the importance of downloading software only from verified vendor websites or well-known platforms with active security controls.

In summary, Stealka illustrates how GitHub-based malware distribution, fake mod sites, and cracked tools intersect to endanger both gamers and crypto investors. By combining cautious download habits, robust security software, and stricter handling of sensitive data, users can significantly lower their exposure to this evolving infostealer threat.

Source: https://en.cryptonomist.ch/2025/12/22/stealka-malware-game-mods/