In November 2025, Kaspersky experts uncovered a new stealer named Stealka, which targets Windows usersβ data. Attackers are using Stealka to hijack accounts, steal cryptocurrency, and install a crypto miner on their victimsβ devices. Most frequently, this infostealer disguises itself as game cracks, cheats and mods.
Hereβs how the attackers are spreading the stealer, and how you can protect yourself.
A stealer is a type of malware that collects confidential information stored on the victimβs device and sends it to the attackersβ server. Stealka is primarily distributed via popular platforms like GitHub, SourceForge, Softpedia, sites.google.com, and others, disguised as cracks for popular software, or cheats and mods for games. For the malware to be activated, the user must run the file manually.
Hereβs an example: a malicious Roblox mod published on SourceForge.
Attackers exploited SourceForge, a legitimate website, to upload a mod containing Stealka
And hereβs one on GitHub posing as a crack for Microsoft Visio.
A pirated version of Microsoft Visio containing the stealer, hosted on GitHub
Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus, the average user is unlikely to realize anything is amiss.
A fake website pretending to offer Roblox scripts
Admittedly, the cracks and software advertised on these fake sites can sometimes look a bitΒ off. For example, here the attackers are offering a download for Half-Life 3, while at the same time claiming itβs not actually a game but some kind of βprofessional software solution designed for Windowsβ.
Malware disguised as Half-Life 3, which is also somehow βa professional software solution designed for Windowsβ. A lot of professionals clearly spent their best years on this softwareβ¦
The truth is that both the page title and the filename are just bait. The attackers simply use popular search terms to lure users into downloading the malware. The actual file content has nothing to do with whatβs advertised β inside, itβs always the same infostealer.
The site also claimed that all hosted files were scanned for viruses. When the user decides to download, say, a pirated game, the site displays a banner saying the file is being scanned by various antivirus engines. Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness.
The pirated file pretends to be scanned by a dozen antivirus tools
Stealka has a fairly extensive arsenal of capabilities, but its prime target is data from browsers built on the Chromium and Gecko engines. This puts over a hundred different browsers at risk, including popular ones like Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as many, many others.
Browsers store a huge amount of sensitive information, which attackers use to hijack accounts and continue their attacks. The main targets are autofill data, such as sign-in credentials, addresses, and payment card details. Weβve warned repeatedly that saving passwords in your browser is risky β attackers can extract them in seconds. Cookies and session tokens are perhaps even more valuable to hackers, as they can allow criminals to bypass two-factor authentication and hijack accounts without entering the password.
The story doesnβt end with the account hack. Attackers use these compromised accounts to spread the malware further. For example, we discovered the stealer in a GTAV mod posted on a dedicated site by an account that had previously been compromised.
Beyond stealing browser data, Stealka also targets the settings and databases of 115 browser extensions for crypto wallets, password managers, and 2FA services. Here are some of the most popular extensions now at risk:
Finally, the stealer also downloads local settings, account data, and service files from a wide variety of applications:
Thatβs an extensive list β and we havenβt even named all of them! In addition to local files, this infostealer also harvests general system data: a list of installed programs, the OS version and language, username, computer hardware information, and miscellaneous settings. And as if that werenβt enough, the malware also takes screenshots.
Curious what other stealers are out there, and what theyβre capable of? Read more in our other posts:
Login