Quick Take
- Stealka is an infostealer that Kaspersky links to pirated Roblox mods, cheats, and cracks shared across common download and code hosting sites.
- The malware targets browser-stored data, wallet extensions, and standalone wallet files, including keys, seed phrases, and login tokens.
- Kaspersky detections hit Windows machines in November 2025, with most targets in Russia and additional detections in Türkiye, Brazil, Germany, and India.
Stealka Appears in Pirated Roblox Mods and Game Cheats
A new strain of infostealer malware called Stealka is being distributed through pirated mods and cheat tools for Windows games, including Roblox-related downloads, according to research published by cybersecurity firm Kaspersky.
The company’s write-up describes Stealka as malware packaged inside unofficial mods, cracks, and similar downloads that circulate outside official channels. Based on Kaspersky’s findings, distribution has shown up on sites users often visit for software and projects, including GitHub, SourceForge, Softpedia, and sites.google.com.
Kaspersky expert Artem Ushkov told Decrypt that detections were recorded by the company’s endpoint protection tools on Windows machines in November 2025.
Browsers and Wallet Extensions Sit at the Center of the Theft
Stealka’s main focus is browser data. Kaspersky’s research says the malware targets information stored in Chrome, Firefox, Opera, Yandex Browser, Edge, and Brave, along with the settings and databases tied to more than 100 browser extensions.
That extension list includes crypto wallet tools associated with Binance, Coinbase, MetaMask, Crypto.com, and Trust Wallet, according to Kaspersky’s report. The same targeting also reaches common security utilities, including password managers such as 1Password, NordPass, and LastPass, plus authentication tools such as Google Authenticator, Authy, and Bitwarden.
The collection does not end at extensions. Kaspersky says Stealka can also extract encrypted private keys, seed phrase data, and wallet file paths from standalone wallet apps. The firm referenced software including Binance, Exodus, MyCrypto, and MyMonero, plus wallets tied to networks such as Bitcoin, Dogecoin, Ethereum, Monero, Novacoin, and Solar.
Messaging Apps, Email Clients, and VPN Tools Also Listed
The same malware family also targets other applications that can hold access tokens or sensitive account data. Kaspersky’s list includes messaging apps such as Discord and Telegram, along with password managers, email clients, note-taking apps, and VPN clients.
Examples cited in the report include Mailbird, Outlook, and “Gmail Notifier Pro,” plus note-taking tools such as Microsoft Sticky Notes. VPN clients listed include OpenVPN, ProtonVPN, and WindscribeVPN.
Detections Reported Across Multiple Countries
Ushkov told Decrypt that most of the users targeted by Stealka were based in Russia. He also said detections have appeared in Türkiye, Brazil, Germany, and India.
On losses, Ushkov said Kaspersky does not have figures tied to confirmed stolen crypto linked to Stealka so far. He also said the company’s security tools block Stealka samples when detected, according to the same reporting.
Steps Kaspersky Recommends to Reduce Risk
Kaspersky’s guidance centers on download hygiene and account hardening. The firm’s blog advises avoiding unofficial and pirated mods, cheats, and cracks, along with using reputable antivirus software.
The guidance also recommends limiting sensitive information stored in browsers and enabling two-factor authentication where available. Backup codes matter as well, with Kaspersky advising users to store them outside browsers and outside plain text documents.



