Cybersecurity researchers have identified a new information-stealing malware campaign targeting video gamers and cryptocurrency users.

The malware, known as Stealka, is being distributed through fake game cracks, cheats, and mods. Once executed, it is capable of stealing cryptocurrency wallet data, hijacking online accounts, harvesting browser-stored credentials, and deploying a crypto miner on infected systems.

Researchers warn that the campaign blends social engineering with legitimate-looking distribution platforms, making it particularly effective against users searching for unofficial gaming tools.

Malware targeting gamers is not new, but financially motivated campaigns have increasingly shifted toward cryptocurrency theft.

Gaming communities are frequently targeted due to their high software download volume, reliance on third-party tools, and overlap with crypto-savvy users. Attackers exploit this behavior by disguising malware as performance enhancements, mods, or early access tools, relying on users to manually execute the payload.

This campaign reflects a broader trend: infostealers evolving beyond simple credential theft to include wallet harvesting, session hijacking, and persistent monetization through crypto mining.

Researchers at Kaspersky discovered Stealka while investigating malware distributed through gaming-related downloads.

The malware is disguised as cracks, cheats, or mods and is hosted across multiple platforms, including GitHub, SourceForge, Softpedia, and Google Sites.

In some cases, attackers create professional-looking fake websites. In others, poorly designed pages are used, often relying on search engine traffic and popular keywords to attract victims. Execution is user-initiated, meaning the malware activates only after the downloaded file is manually run.

Stealka functions as a multi-purpose infostealer with several data-harvesting capabilities.

It targets browser extensions associated with cryptocurrency wallets, including MetaMask, Trust Wallet, Exodus, and others. Wallet configuration files may contain encrypted private keys, seed phrase data, file paths, and encryption parameters.

The malware also extracts credentials from password managers, two-factor authentication tools, autofill databases, cookies, and active session tokens. In addition, Stealka can deploy a crypto miner, allowing attackers to generate ongoing revenue from infected devices.

Access to session tokens enables account takeover without requiring passwords, effectively bypassing 2FA protections.

The impact of Stealka extends beyond cryptocurrency theft.

Compromised credentials and session tokens can lead to full account hijacking across email, gaming, financial, and cloud services. For gamers, this may include loss of in-game assets or platform access. For crypto users, wallet compromise can result in irreversible financial loss.

The malware’s ability to affect over a hundred browsers significantly increases the potential attack surface, especially for users who rely heavily on stored autofill data.

This campaign highlights the risks of combining unofficial software downloads with sensitive digital assets.

As cryptocurrency adoption grows, malware authors are increasingly targeting wallet infrastructure rather than traditional banking credentials. The use of trusted platforms and search-engine manipulation further erodes the effectiveness of basic user trust signals.

For individuals, this reinforces the importance of software hygiene. For defenders, it underscores the need for better visibility into user-initiated execution risks.

Kaspersky researchers emphasized that wallet configuration data alone can be sufficient to attempt cryptocurrency theft, even if private keys are encrypted.

They also noted that access to cookies and session tokens allows attackers to bypass authentication safeguards entirely, making traditional password security insufficient once a system is compromised.