Stealka
Stealka is an infostealer discovered by Kaspersky in November 2025 that targets Windows users. It is commonly disguised as pirated software, game cracks, cheats, and mods, and is distributed through fake websites as well as legitimate platforms such as GitHub, SourceForge, and Softpedia, relying on victims to manually execute the malicious file. The malware is used to hijack accounts, steal cryptocurrency, and can additionally install a crypto miner on infected devices.
Stealka steals data from Chromium- and Gecko-based browsers, including credentials, autofill data, cookies, and session tokens, enabling account takeover and bypass of two-factor authentication through session theft. It also targets 115 browser extensions associated with cryptocurrency wallets, password managers, and 2FA services. Reported wallet targets include Binance, Coinbase, Crypto.com, SafePal, Trust Wallet, MetaMask, Ton, Phantom, and Exodus. Reported password manager and 2FA targets include 1Password, Bitwarden, LastPass, KeePassXC, NordPass, Authy, and Google Authenticator.
Beyond browsers, Stealka targets 80 cryptocurrency wallet applications and a broad set of desktop applications, including messengers such as Discord and Telegram; password managers such as KeePass and LastPass; email clients such as Outlook and Thunderbird; note-taking apps such as Microsoft Sticky Notes; gaming services and launchers such as Steam, Roblox, TLauncher, Lunar Client, Feather Client, Meteor Client, Impact Client, Badlion Client, and WinAuth for battle.net; and VPN clients including OpenVPN, ProtonVPN, Surfshark, WindscribeVPN, and AzireVPN.
The malware also collects host information including installed programs, OS version, language, username, and hardware details, and takes screenshots of infected systems. Attackers have reportedly used compromised accounts to further propagate Stealka, including via mods posted on gaming-related sites. The campaign context indicates a focus on gamers and cryptocurrency users.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Инфостилер, упомянутый в связанном материале как распространяемый под видом читов, модов и кряков.
Information stealer malware, details on specific capabilities not provided in the content.
Infostealer malware targeting a wide range of applications to steal credentials, crypto-wallets, and sensitive data.
Stealka is a newly discovered infostealer malware that targets Windows users by masquerading as pirated software, game mods, and cheats. It is designed to steal sensitive data from browsers, browser extensions (including crypto wallets, password managers, and 2FA services), locally installed applications (such as messaging apps, email clients, note-taking apps, gaming clients, and VPN clients), and general system information. It can also hijack accounts, steal cryptocurrency, and install crypto miners on infected devices.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.