New Infostealer 'Stealka' Disguised as Roblox Mods Steals Crypto Credentials

Posted 19th Dec 2025

Stealka is a new infostealer malware identified by Kaspersky that is distributed via pirated mods for Roblox and other games on platforms such as GitHub, SourceForge, Softpedia, and sites.google.com. The malware disguises itself as unofficial game mods, cheats, and cracks to exfiltrate login credentials and data from browsers and applications.

It targets data in major browsers including Chrome, Firefox, Opera, Yandex Browser, Edge, and Brave, as well as more than 100 browser extensions including cryptocurrency wallets, password managers, and two-factor authentication (2FA) apps. Stealka can also extract encrypted private keys, seed phrases, and wallet file paths from standalone cryptocurrency wallet applications such as Binance, Exodus, MyCrypto, MyMonero, and wallet apps for Bitcoin, BitcoinABC, Dogecoin, Ethereum, Monero, Novacoin, and Solar.

Additional targets of Stealka include messaging apps like Discord and Telegram, password managers such as 1Password, Bitwarden, and LastPass, email clients including Gmail Notifier Pro, Mailbird, and Outlook, note-taking apps like NoteFly, Notezilla, and Microsoft StickyNotes, as well as VPN clients such as OpenVPN, ProtonVPN, and WindscribeVPN.

Most detected victims are based in Russia, with attacks also observed in Türkiye, Brazil, Germany, and India. Kaspersky detected Stealka on Windows machines in November 2025 and reported that all detected instances were blocked by its solutions. No data is available on the amounts of cryptocurrency stolen.

Kaspersky’s safety guidance recommends using reputable antivirus software, avoiding unofficial pirated mods, refraining from storing important data in browsers, and enabling two-factor authentication with backup codes stored securely away from browsers or text documents.

Sources
https://decrypt.co/353072/new-malware-poses-as-roblox-mods-to-steal-crypto-credentials
* This article has been summarised using Artificial Intelligence and may contain inaccuracies. Please fact-check details with the sources provided.