Hackers are inserting information-stealing malware into pirated mods for Roblox and other games, according to research from cybersecurity firm Kaspersky Lab.
Kaspersky’s blog post reveals that it has identified a new information-stealing program called Stealka, which it has encountered on distribution platforms such as GitHub, SourceForge, Softpedia, and sites.google.com.
Stealka disguises itself as unofficial mods, cheats, and cracks for Windows-based games and other apps to steal sensitive login and browser information that operators can use to steal cryptocurrencies.
Targeted cryptocurrency wallets
The malware primarily targets the data contained in browsers such as Chrome, Firefox, Opera, Yandex Browser, Edge, and Brave, as well as the settings and databases of over 100 browser extensions.
Such extensions include cryptocurrency wallets from Binance, Coinbase, MetaMask, Crypto.com, and Trust Wallet, as well as password managers (1Password, NordPass, LastPass) and 2FA apps (Google Authenticator, Authy, Bitwarden).
In fact, Stealka’s reach extends beyond browser extensions, as it can also take encrypted private keys, seed phrase data and wallet file paths from standalone cryptocurrency wallet apps.
This includes apps for Binance, Exodus, MyCrypto, and MyMonero, as well as wallet apps for Bitcoin, BitcoinABC, Dogecoin, Ethereum, Monero, Novacoin, and Solar.
Apart from cryptocurrencies, Stealka can also steal data and authentication tokens from messaging apps (e.g. Discord and Telegram), password manager apps (e.g. 1Password, Bitwarden, LastPass), email clients (e.g. Gmail Notifier Pro, Mailbird, Outlook), note-taking apps (NoteFly, Notezilla, Microsoft StickyNotes), and VPN clients (e.g. OpenVPN, ProtonVPN, WindscribeVPN).
Speaking to Decrypt, Kaspersky cybersecurity expert Artem Ushkov said the new malware was “detected by Kaspersky endpoint protection solutions on Windows machines in November 2025.”
As with similar malware, most of Stealka’s targeted users are based in Russia, Ushkov reported.
“However, attacks with this malware have also been detected in other countries such as Turkiye, Brazil, Germany and India,” he added.
How to stay safe
In light of the Stealka threat, Kaspersky advises on its blog that in addition to using reputable antivirus software, you should avoid unofficial and pirated mods.
The blog also advises users not to store sensitive information in their browsers, to use two-factor authentication whenever available, and to use backup codes (but not to keep them in browsers or text documents).
While the potential for Stealka to steal information and, by extension, cryptocurrencies seems scary, there is currently no indication that it has resulted in significant losses.
“We don’t know how much cryptocurrency was stolen using it,” Ushkov said. “Our solution protects against this threat. All detected Stealka malware was blocked by our solution.”