{"id":55058,"date":"2025-12-18T08:34:48","date_gmt":"2025-12-18T13:34:48","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55058"},"modified":"2025-12-18T08:34:48","modified_gmt":"2025-12-18T13:34:48","slug":"windows-stealer-stealka","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/windows-stealer-stealka\/55058\/","title":{"rendered":"Stealka stealer: the new face of game cheats, mods, and cracks"},"content":{"rendered":"

In November 2025, Kaspersky experts uncovered a new stealer named Stealka, which targets Windows users\u2019 data. Attackers are using Stealka to hijack accounts, steal cryptocurrency, and install a crypto miner on their victims\u2019 devices. Most frequently, this infostealer disguises itself as game cracks, cheats and mods.<\/p>\n

Here\u2019s how the attackers are spreading the stealer, and how you can protect yourself.<\/p>\n

How Stealka spreads<\/h2>\n

A stealer is a type of malware that collects confidential information stored on the victim\u2019s device and sends it to the attackers\u2019 server. Stealka is primarily distributed via popular platforms like GitHub, SourceForge, Softpedia, sites.google.com, and others, disguised as cracks for popular software, or cheats and mods for games. For the malware to be activated, the user must run the file manually.<\/p>\n

Here\u2019s an example: a malicious Roblox mod published on SourceForge.<\/p>\n

\"Attackers<\/a>

Attackers exploited SourceForge, a legitimate website, to upload a mod containing Stealka<\/p><\/div>\n

And here\u2019s one on GitHub posing as a crack for Microsoft Visio.<\/p>\n

\"A<\/a>

A pirated version of Microsoft Visio containing the stealer, hosted on GitHub<\/p><\/div>\n

Sometimes, however, attackers go a step further (and possibly use AI tools) to create entire fake websites that look quite professional. Without the help of a robust antivirus<\/a>, the average user is unlikely to realize anything is amiss.<\/p>\n

\"A<\/a>

A fake website pretending to offer Roblox scripts<\/p><\/div>\n

Admittedly, the cracks and software advertised on these fake sites can sometimes look a bit\u00a0off. For example, here the attackers are offering a download for Half-Life 3, while at the same time claiming it\u2019s not actually a game but some kind of \u201cprofessional software solution designed for Windows\u201d.<\/p>\n

\"Malware<\/a>

Malware disguised as Half-Life 3, which is also somehow \u201ca professional software solution designed for Windows\u201d. A lot of professionals clearly spent their best years on this software\u2026<\/p><\/div>\n

The truth is that both the page title and the filename are just bait. The attackers simply use popular search terms to lure users into downloading the malware. The actual file content has nothing to do with what\u2019s advertised \u2014 inside, it\u2019s always the same infostealer.<\/p>\n

The site also claimed that all hosted files were scanned for viruses. When the user decides to download, say, a pirated game, the site displays a banner saying the file is being scanned by various antivirus engines. Of course, no such scanning actually takes place; the attackers are merely trying to create an illusion of trustworthiness.<\/p>\n

\"The<\/a>

The pirated file pretends to be scanned by a dozen antivirus tools<\/p><\/div>\n

What makes Stealka dangerous<\/h2>\n

Stealka has a fairly extensive arsenal of capabilities, but its prime target is data from browsers built on the Chromium and Gecko engines<\/strong>. This puts over a hundred<\/strong> different browsers at risk, including popular ones like Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as many, many others.<\/p>\n

Browsers store a huge amount of sensitive information, which attackers use to hijack accounts and continue their attacks. The main targets are autofill data, such as sign-in credentials, addresses, and payment card details. We\u2019ve warned repeatedly that saving passwords in your browser is risky \u2014 attackers can extract them in seconds<\/a>. Cookies and session tokens<\/a> are perhaps even more valuable to hackers, as they can allow criminals to bypass two-factor authentication and hijack accounts without entering the password<\/a>.<\/p>\n

The story doesn\u2019t end with the account hack. Attackers use these compromised accounts to spread the malware further. For example, we discovered the stealer in a GTAV mod posted on a dedicated site by an account that had previously been compromised.<\/p>\n

Beyond stealing browser data, Stealka also targets the settings and databases of 115<\/strong> browser extensions<\/strong> for crypto wallets, password managers, and 2FA services. Here are some of the most popular extensions now at risk:<\/p>\n