The Stealka stealer hijacks accounts and steals crypto while masquerading as pirated software | Kaspersky official blog

Medium
Vulnerability
Published: Thu Dec 18 2025 (12/18/2025, 13:34:48 UTC)
Source: Kaspersky Security Blog

Description

Cybercriminals are spreading the Stealka infostealer disguised as game cheats, mods, and pirated software. It targets sensitive information, cryptocurrency, and account credentials.

AI-Powered Analysis

Last updated: 01/10/2026, 00:25:42 UTC

Technical Analysis

Stealka is a newly identified Windows infostealer malware that cybercriminals distribute by disguising it as pirated software, game cheats, and mods on popular legitimate platforms such as GitHub, SourceForge, and others. The malware requires manual execution by the user, typically tricked into running files labeled as cracks or mods for popular games and software. Once executed, Stealka targets sensitive data primarily stored in browsers built on Chromium and Gecko engines, affecting over 100 browsers including Chrome, Firefox, Edge, Opera, Brave, and Yandex Browser. It extracts autofill data, login credentials, payment card details, cookies, and session tokens, enabling attackers to hijack accounts and bypass two-factor authentication. Beyond browsers, Stealka targets 115 browser extensions related to cryptocurrency wallets (e.g., Binance, MetaMask, Coinbase), password managers (e.g., 1Password, Bitwarden, LastPass), and 2FA apps (e.g., Authy, Google Authenticator). It also steals local files and configurations from approximately 80 crypto wallet applications, messaging apps (Discord, Telegram), password managers, email clients (Outlook, Thunderbird), note-taking apps, gaming clients (Steam, Roblox), and VPN clients (ProtonVPN, OpenVPN). This extensive data harvesting allows attackers to steal cryptocurrency, hijack accounts, read private messages, and potentially spread the malware further through compromised accounts. Stealka also collects system information and takes screenshots to gather additional intelligence. The malware’s distribution via trusted platforms and convincing fake websites increases the likelihood of infection, especially among users seeking pirated software or game modifications. The threat does not require elevated privileges but depends on user interaction to execute the malware. 
No known exploits in the wild have been reported yet, but the potential for widespread impact is significant due to the broad targeting scope and valuable data stolen.

Potential Impact

For European organizations, Stealka poses a significant risk to confidentiality and financial security. The theft of browser-stored credentials and session tokens can lead to widespread account hijacking, including corporate email, cloud services, and financial platforms. The targeting of cryptocurrency wallets and related extensions threatens direct financial losses through crypto theft. Compromise of password managers and 2FA apps undermines multi-layered security controls, increasing the risk of unauthorized access to critical systems. Messaging app data theft can expose sensitive communications, potentially leading to espionage or reputational damage. The malware’s ability to spread via compromised accounts can facilitate lateral movement within organizations, escalating the threat. Given the prevalence of remote work and reliance on cloud and browser-based applications in Europe, the impact on operational integrity and data privacy is considerable. Additionally, the use of legitimate platforms for distribution complicates detection and response efforts. Organizations in Europe may face regulatory consequences under GDPR if personal data is compromised. The threat also endangers individual users who may be targeted through gaming communities or software piracy, potentially leading to broader societal impacts.

Mitigation Recommendations

European organizations and users should implement a multi-layered defense strategy against Stealka. First, enforce strict policies against the use of pirated software and unauthorized game mods, combined with user education campaigns highlighting the risks of downloading software from untrusted sources. Deploy advanced endpoint protection solutions capable of detecting and blocking infostealers, including heuristic and behavior-based detection to identify disguised malware on legitimate platforms. Encourage users to avoid storing sensitive data such as passwords, payment details, and backup codes in browsers; instead, use reputable password managers with strong encryption. Enable and enforce two-factor authentication across all critical accounts, ensuring backup codes are stored securely outside browsers or plain text files. Regularly audit installed browser extensions and remove those that are unnecessary or from untrusted sources, especially those related to crypto wallets and password management. Implement network monitoring to detect unusual outbound connections indicative of data exfiltration. Employ application whitelisting to prevent unauthorized execution of unknown binaries. Conduct regular security awareness training focused on phishing and social engineering tactics used to trick users into running malicious files. Finally, maintain up-to-date software and operating systems to reduce the attack surface and leverage threat intelligence feeds to stay informed about emerging variants of Stealka and similar threats.
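The extension audit recommended above can be started with a quick inventory. The PowerShell script below is an added example, not code from Kaspersky's post or from this page: it enumerates extensions installed for the current Windows user in the Chromium-based browsers named above (Chrome, Edge, Brave, Opera) and in Firefox profiles, and flags those whose name matches the categories Stealka targets (crypto wallets, password managers, 2FA). The keyword list and profile paths are assumptions for illustration; a flagged extension is a high-value target to protect, not an indicator of compromise.

```powershell
# Added example (not from the Kaspersky post): inventory browser extensions for the current
# Windows user and flag the categories Stealka targets. Keywords and paths are illustrative.
$Keywords = 'wallet|metamask|binance|coinbase|1password|bitwarden|lastpass|authenticator|authy|2fa'

# Chromium-based browsers store "<profile>\Extensions\<32-char id>\<version>\manifest.json".
$Chromium = @{
    Chrome = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    Edge   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    Brave  = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data"
    Opera  = "$env:APPDATA\Opera Software\Opera Stable"
}

function Get-ChromiumExtensions {
    foreach ($Browser in $Chromium.Keys) {
        $Root = $Chromium[$Browser]
        if (-not (Test-Path $Root)) { continue }
        Get-ChildItem $Root -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -match '\\Extensions\\[a-p]{32}\\' } |
            ForEach-Object {
                $Manifest = Get-Content $_.FullName -Raw | ConvertFrom-Json
                $Id = $_.Directory.Parent.Name   # manifest sits in <id>\<version>\
                # Localised manifests carry "__MSG_key__" instead of a readable name; fall back to the ID.
                $Name = if ("$($Manifest.name)" -like '__MSG_*') { $Id } else { $Manifest.name }
                [pscustomobject]@{
                    Browser = $Browser; Id = $Id; Name = $Name; Version = $Manifest.version
                    HighValue = [bool]($Name -match $Keywords)
                }
            }
    }
}

# Firefox (Gecko) records installed add-ons in each profile's extensions.json.
function Get-FirefoxExtensions {
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions.json" -ErrorAction SilentlyContinue |
        ForEach-Object {
            (Get-Content $_.FullName -Raw | ConvertFrom-Json).addons |
                Where-Object { $_.type -eq 'extension' -and $_.active } |
                ForEach-Object {
                    [pscustomobject]@{
                        Browser = 'Firefox'; Id = $_.id; Name = $_.defaultLocale.name; Version = $_.version
                        HighValue = [bool]($_.defaultLocale.name -match $Keywords)
                    }
                }
        }
}

$Inventory = @(Get-ChromiumExtensions) + @(Get-FirefoxExtensions)
$Inventory | Sort-Object HighValue -Descending | Format-Table Browser, Name, Id, Version, HighValue -AutoSize
"{0} extensions found, {1} in Stealka-targeted categories" -f $Inventory.Count, @($Inventory | Where-Object HighValue).Count
```

Run it per user (or against each profile under C:\Users with adjusted paths) and review anything flagged HighValue against your approved-extension list; the recursive scan of large browser profiles can take a minute.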


Technical Details

Article source: https://www.kaspersky.com/blog/windows-stealer-stealka/55058/ (fetched 2025-12-18T13:44:47Z, 1729 words)

Threat ID: 6944054f4eb3efac3689efa7

Added to database: 12/18/2025, 1:44:47 PM

Last enriched: 1/10/2026, 12:25:42 AM

Last updated: 2/8/2026, 4:28:17 AM
