
Kaspersky warns about Stealka, malware hidden in game mods that steals digital wallet keys. Protect your assets and improve your crypto cybersecurity against this threat.
The search for shortcuts in video games or free access to paid software has become the perfect gateway for a new financial threat.
Users who frequent code repositories and download sites have begun reporting anomalous behavior on their computers after installing modifications for popular games. The security firm Kaspersky has identified the culprit as Stealka, a malicious program meticulously designed to sweep up credentials and digital assets within moments of execution.
This new malware represents an evolution in the strategy of cybercriminals, as they no longer hide only in dark corners of the deep web.
The attackers have managed to infiltrate legitimate and highly trusted platforms such as GitHub, Google Sites or SourceForge to distribute their code. By disguising the infected file as an upgrade for games like Roblox or Grand Theft Auto V, or even as a free license for Microsoft Visio, they get the victim to open the door to their own system.
The art of deception on trusted platforms
Stealka's effectiveness lies in its ability to blend into the user's everyday digital environment. Researchers have detected that criminals create landing pages with a professional visual appearance that perfectly mimic legitimate download sites.
In some cases, criminals use irresistible bait for the gaming community, such as supposed leaks of highly anticipated games or Windows optimization tools that promise to improve computer performance. The trap includes fake security indicators where the website claims the file has been scanned by multiple antivirus programs and is clean, lowering the downloader's guard.
Once the user manually runs the file, believing they are installing a mod or crack, the malware activates in the background without showing any obvious signs of infection. There are no pop-ups or immediate slowdowns to alert the victim.
The strategy for spreading this malware relies on exploiting the trust users place in collaborative platforms where, historically, developer communities have securely shared resources. However, digital forensics reveals that these distributing accounts are often profiles stolen from legitimate users, creating a self-perpetuating infection chain.
Stealka: A predator of credentials and financial assets
The main objective of this malicious development is the extraction of direct economic value and identity data. Stealka has been programmed to attack the infrastructure used by millions of people daily. Its code targets over one hundred types of browsers based on the Chromium and Gecko engines, including the most popular ones on the market such as Chrome, Edge, Firefox, and Brave.
Furthermore, the malware does not discriminate and sweeps away everything in its path, from browsing history to the session cookies that allow accounts to remain open without needing to re-enter the password.
The risk increases exponentially for digital asset investors, as Stealka has the specific ability to track and extract information from over eighty types of digital wallets. For example, popular browser extensions such as Dappradar, Phantom, BinanceWallet or Trust Wallet are priority targets.
This malicious software actively searches for seed phrases, encrypted private keys and configuration files that grant full access to the user's crypto funds.
In addition to browser extensions, the malware scans the hard drive for cryptocurrency desktop applications and password managers, attempting to breach the security of digital vaults that the user considered impenetrable.
According to the firm's researchers, the sophistication of the attack allows criminals to bypass basic security measures. By stealing active session cookies along with credentials, attackers can, in certain scenarios, access victims' accounts by impersonating the original user and skipping conventional authentication steps. This jeopardizes not only financial assets but also the entire digital identity of the affected individual.
The hijacking of digital identity
Stealka's reach extends beyond the immediate theft of money. The research details that the malware also collects information from messaging and communication applications, including Discord, Telegram and email clients. The purpose of this data collection is twofold. On the one hand, it seeks sensitive information that can be monetized or used for extortion, and on the other, it seeks to hijack accounts to use them as new attack vectors. An infected user unknowingly becomes a malware distributor by sharing malicious links with their contacts from an account that their friends consider secure.
The technical data provided by the experts indicates that the malware can also take screenshots and gather detailed information about the operating system and hardware. This digital fingerprint allows attackers to classify their victims and decide which ones are high-value targets for more targeted attacks later.
Although the highest concentration of infections has been detected in Russia, the global nature of game and software downloads has brought the threat to countries such as Brazil, Germany, Turkey, and India, demonstrating that geographical borders are irrelevant for this type of distribution.
Active defense against the invisible threat
Protecting against crypto- and data-stealing malware like Stealka requires a change in browsing habits and in how personal information is managed.
Kaspersky experts, including the researcher Artem Ushkov, emphasize that relying solely on common sense is no longer enough when fake websites are almost identical to real ones. The fundamental recommendation is to avoid downloading pirated software or game modifications that don't come from official developers, as these files are the preferred transport vehicle for malicious code.
Experts also stress the importance of ceasing to use your browser as a vault. They warn that saving passwords and credit card information directly in Chrome or Firefox greatly facilitates the work of criminals once they manage to infect your computer. They recommend using independent password managers and activating two-factor authentication (2FA) on all sensitive accounts, as this adds layers of friction that can thwart the attack or minimize the damage in case of infection.
Finally, they point out that maintaining up-to-date antivirus software with real-time scanning capabilities remains the most effective barrier to detecting and blocking the execution of these types of threats before they manage to communicate with the attackers' servers.

