Understanding the Stealka Crypto Infostealer

Unveiled by Kaspersky, the Stealka crypto infostealer is a sophisticated piece of malware that specifically targets Microsoft Windows users. Disguised as game cheats and mods, this malware has been silently hijacking accounts, stealing cryptocurrencies, and installing crypto miners on unsuspecting users’ computers since its discovery in November.

The malware’s distribution channels include legitimate platforms like GitHub, SourceForge, and Google Sites. It’s often cloaked as mods for popular games such as Roblox, or software cracks for applications like Microsoft Visio. Kaspersky researcher Artem Ushkov highlighted the use of artificial intelligence in creating deceptive websites that appear professional, further aiding in the spread of this malware.

Targeted Data and Potential Risks

The Stealka crypto infostealer is armed with an extensive arsenal of capabilities, making it a formidable threat. Its prime targets include data from browsers built on the Chromium and Gecko engines, putting over 100 browsers, including Chrome, Firefox, and Edge, at risk.

The malware focuses on extracting autofill data such as sign-in credentials, addresses, and payment card details. It also compromises the settings and databases of 115 browser extensions related to crypto wallets, password managers, and two-factor authentication services. Among the 80 crypto wallets at risk are popular options like Binance, Coinbase, and MetaMask.

Moreover, messaging apps like Discord and Telegram, email clients, password managers, and even VPN applications are vulnerable to this malware.

Protecting Yourself from Stealka

To safeguard against the Stealka crypto infostealer, Kaspersky advises using reliable antivirus software and password managers, rather than storing passwords within browsers. Users should avoid pirated software and unofficial game mods, which are common carriers of this malware.

Cloudflare has reported alarming statistics, with over 5% of emails globally containing malicious content. A significant portion includes phishing links, and many HTML attachments are deemed malicious. These figures underscore the importance of vigilance in digital interactions.

In conclusion, the Stealka crypto infostealer represents a growing threat in the digital landscape, particularly for crypto enthusiasts. Staying informed and adopting robust security practices are essential steps in countering such cyber threats.

The post Stealka Crypto Infostealer: 5 Shocking Insights into Video Game Mods appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

The malicious extensions, once installed, are programmed to steal user wallet credentials. “We have connected over 40 different extensions to this active and live campaign,” Koi Security stated.

The campaign, which has been running since at least April, uploaded the most recent extensions last week. These fraudulent extensions allegedly extract wallet credentials directly from the targeted sites and upload them to a remote server under the attacker’s control.

The report also highlighted how the campaign uses ratings, reviews, branding, and functionality to win user trust by posing as genuine and thus boost installation rates. Some applications even boasted hundreds of fake five-star reviews.

The deceptive extensions used the same names and logos as the real services they were mimicking. In several cases, the threat actors cloned the official extensions’ open-source code and integrated their malicious code. This deceptive strategy maintained the expected user experience while minimizing the chances of immediate detection.

While Koi Security stated that “attribution remains speculative,” they pointed to “multiple signals indicating a Russian-speaking threat actor.” These signals include Russian language comments in the code and metadata found in a PDF file sourced from a malware command-and-control server associated with the incident. “Although not definitive, these artifacts suggest that the campaign may be the work of a Russian-speaking threat actor group.”

To minimize risk, Koi Security advised users to only install browser extensions from verified publishers and to manage extensions as full software assets, using allowlists and monitoring for unexpected behavior or updates.

The post Malicious Cryptocurrency Wallet Clones Target Mozilla Firefox Users appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

Recent activities, however, indicate that the Trojan has extended its scope, striking victims in Poland, Spain, Argentina, Brazil, Indonesia, India, and the US, as per the latest data from ThreatFabric’s Mobile Threat Intelligence (MTI) team.

In Poland, the malware exploited Facebook Ads to circulate deceptive loyalty apps. Users who clicked on the advertisement were redirected to harmful websites that delivered a Crocodilus dropper, evading Android 13+ security measures. Facebook’s transparency data reveals that these ads reached thousands of users within one to two hours, primarily targeting those aged 35 and above.

Once installed, Crocodilus overlays fraudulent login screens over authentic banking and crypto apps. In Spain, it poses as a browser update, targeting nearly all major banks. Apart from its geographical expansion, Crocodilus has also acquired new skills. These include the ability to alter infected devices’ contact lists, enabling hackers to add phone numbers labeled as “Bank Support” for potential social engineering attacks.

Another significant enhancement is an automated seed phrase collector targeting cryptocurrency wallets. The Crocodilus malware is now capable of extracting seed phrases and private keys more accurately, providing attackers with pre-processed data for quick account takeovers.

The developers have also bolstered Crocodilus’ defenses with deeper obfuscation. The newest variant combines packed code, extra XOR encryption, and deliberately complex logic to thwart reverse engineering. MTI analysts have also noted smaller campaigns focusing on cryptocurrency mining apps and European digital banks as part of Crocodilus’ increasing interest in crypto.

Related to this, an April 22 report by crypto forensics and compliance firm AMLBot disclosed that crypto drainers, malware designed to pilfer cryptocurrency, are becoming more accessible as the ecosystem evolves towards a software-as-a-service business model.

The report revealed that malware spreaders can rent a drainer for as little as 100 to 300 USDt (USDT). On May 19, it was disclosed that Procolored, a Chinese printer manufacturer, had been distributing Bitcoin-stealing malware along with its official drivers, using USB drivers to distribute contaminated software and uploading the compromised software to cloud storage for global access.

The post Crocodilus Malware Expands Reach Globally, Targets Crypto and Banking Platforms appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

Jake Gallen, the CEO of Emblem Vault, a podcaster, and an NFT enthusiast, announced that he had fallen victim to a “comprehensive computer breach” which resulted in significant Bitcoin and Ether losses from various wallets. He stated, “Regrettably, this resulted in a loss of more than $100,000 in purchased digital assets.”

Gallen revealed that he had been cooperating with cybersecurity company, The Security Alliance (SEAL), to track down an ongoing scheme targeting cryptocurrency users, orchestrated by the threat actor “ELUSIVE COMET”. He attributed the scam to Zoom, which he claims facilitated the draining of his crypto wallet.

He stated, “We discovered a malware file that was installed on my computer during a Zoom call with a YouTube influencer with over 90k followers”, on April 14. The malevolent entity “uses advanced social engineering tactics to trick victims into installing malware, ultimately pilfering their crypto,” as reported by SEAL in late March.

After being contacted by “Tactical Investing”, a verified account which claimed to be the founder and CEO of Fraction Mining, Gallen set up an interview. During this meeting, Tactical Investing kept their screen off while Gallen’s was on, allowing the installation of malware named “GOOPDATE” that stole his credentials and accessed his crypto wallets.

Gallen has also noted that the attackers were able to infiltrate his Ledger wallet, despite him only having accessed it a few times over three years, and never having digitally written down the password. The hackers also compromised his account in a bid to attract more victims through private messages.

SEAL has reported that “ELUSIVE COMET” is linked to Aureon Capital, which posits itself as a legitimate venture capital firm. The malicious actor is accountable for “millions of dollars in stolen funds” and poses a significant threat to users due to their “carefully crafted backstory”, according to the firm. Users who have interacted with Aureon Capital are advised to contact SEAL’s emergency hotline on Telegram.

The post Crypto Chief Highlights ‘ELUSIVE COMET’ Dangers After Suffering 75% Asset Loss appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

These counterfeit Android devices are being sold at discounted rates, but they come preinfected with a variant of the notorious Triada Trojan. This malware infects every function of the phone, providing the hackers with virtually limitless control over the device, warned Kaspersky in their April 1 statement.

Dmitry Kalinin, a cybersecurity specialist at Kaspersky, explained that the Trojan allows the perpetrators to steal cryptocurrency by switching wallet addresses once access to the device is granted. “The creators of the new Triada variant are reaping significant financial benefits. Based on transaction analysis, they’ve managed to funnel roughly $270,000 in multiple cryptocurrencies into their crypto wallets,” he shared.

However, the real figure could be much larger, as the attackers also targeted Monero, a cryptocurrency renowned for its anonymity. The Trojan also has the ability to pilfer user account details and intercept all text messages, including two-factor authentication.

The Trojan infiltrates smartphone firmware before the device even reaches consumers. Some online vendors may unsuspectingly be selling these infected phones. “The supply chain is likely compromised at some point, so sellers may unknowingly be vending smartphones infected with Triada,” Kalinin conjectured.

As of now, Kaspersky researchers have detected 2,600 instances of this scam across several countries. The majority of these cases were encountered in Russia in the first quarter of 2025.

First discovered in 2016, the Triada malware is notorious for targeting financial apps and messaging services like WhatsApp, Facebook, and Google Mail. It is typically spread via malicious downloads and phishing schemes, according to cybersecurity firm Darktrace.

“The Triada Trojan has been around for a while and continues to be one of the most sophisticated and potent threats to Android,” emphasized Kalinin. Kaspersky Labs advises consumers to protect themselves by purchasing devices only from authorized distributors and immediately installing security solutions after purchase.

Other cybersecurity firms have been flagging novel forms of malware targeting crypto users. On March 28, Threat Fabric reported finding a new malware family that baits Android users into revealing their crypto seed phrases by launching a misleading overlay as it assumes control of the device.

Earlier, on March 18, tech behemoth Microsoft discovered a new remote access trojan (RAT) that targets cryptocurrency stored in 20 wallet extensions for the Google Chrome browser.

The post Beware of Fraudulent Phones Preloaded with Crypto-Stealing Malware appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

How Does Cthulhu Stealer Compromise macOS?

Cthulhu Stealer starts its attack by using osascript, a macOS tool, to extract passwords from the system’s Keychain. This stolen data, which includes information from various cryptocurrency wallets like MetaMask, Binance, and Coinbase, is compiled into a zip archive labeled with the user’s country code and attack timestamp. The malware also steals data from:

• Chrome extension wallets
• Minecraft user information
• Wasabi wallet
• Keychain passwords
• SafeStorage passwords
• Battlenet game, cache, and log data
• Firefox cookies
• Daedalus wallet
• Electrum wallet
• Atomic wallet
• Harmony wallet
• Enjin wallet
• Hoo wallet
• Dapper wallet
• Coinomi wallet
• Trust wallet
• Blockchain wallet
• XDeFi wallet
• Browser cookies
• Telegram Tdata account information

Additionally, it collects system information, such as IP address, system name, and OS version, which is then sent to a command and control (C2) server. This enables attackers to further refine their malicious activities.

Scammers Profit by Selling Cthulhu Stealer for $500/Month

Scammers exploit this malware by selling it as a service for $500 per month. They employ various tactics to deceive users into downloading the malware, such as posing as employers offering jobs that require software installation. These offers often create a sense of urgency, prompting users to quickly download and install the malware.

Protecting Against Cthulhu Stealer

To avoid falling victim to this threat, macOS users should install reliable antivirus software specifically designed for their system. It’s also crucial to be skeptical of job offers or other opportunities that demand immediate software downloads. Regularly updating your software can further mitigate the risk of malware infection.

The post Cthulhu Stealer: A Serious Threat to Cryptocurrency Wallets on macOS appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.