The Stealka stealer hijacks accounts and steals crypto while masquerading as pirated software | Kaspersky official blog
Stealka is a Windows infostealer malware masquerading as pirated software, game cheats, and mods, primarily distributed via legitimate platforms like GitHub and SourceForge. It targets sensitive data from over 100 Chromium- and Gecko-based browsers, including credentials, autofill data, cookies, and session tokens, enabling account hijacking and bypassing two-factor authentication. Additionally, Stealka steals data from 115 browser extensions related to crypto wallets, password managers, and 2FA apps, as well as local files from numerous crypto wallets, messaging apps, email clients, password managers, gaming clients, and VPN software. It also collects system information and takes screenshots. The malware requires user execution of the malicious file and is spread through social engineering tactics leveraging fake websites and trusted platforms. No known exploits in the wild have been reported yet, but the malware’s capabilities pose significant risks to confidentiality and integrity of user data. European organizations face risks especially if employees engage in downloading unauthorized software or game mods. Mitigation includes robust endpoint protection, avoiding pirated software, securing credentials outside browsers, and enforcing strong multi-factor authentication practices.
AI Analysis
Technical Summary
Stealka is a newly identified Windows infostealer malware discovered in November 2025 that primarily spreads by masquerading as pirated software, game cheats, and mods. Attackers distribute it through legitimate platforms such as GitHub, SourceForge, and Google Sites, often using social engineering techniques including fake professional-looking websites and false antivirus scan banners to lure victims into manually executing the malware. Once executed, Stealka targets data stored in browsers based on Chromium and Gecko engines, which includes over 100 browsers like Chrome, Firefox, Edge, Opera, Brave, and Yandex. It steals autofill data, login credentials, payment card details, cookies, and session tokens, enabling attackers to hijack accounts and bypass two-factor authentication. Beyond browsers, Stealka targets 115 browser extensions related to cryptocurrency wallets (e.g., Binance, MetaMask, Coinbase), password managers (e.g., 1Password, Bitwarden, LastPass), and two-factor authentication apps (e.g., Authy, Google Authenticator). It also extracts local files and configurations from a wide range of applications including crypto wallets (e.g., Bitcoin, Ethereum, Monero), messaging apps (e.g., Discord, Telegram), email clients (e.g., Outlook, Thunderbird), gaming clients (e.g., Steam, Roblox), and VPN clients (e.g., ProtonVPN, OpenVPN). This extensive data harvesting allows attackers to steal cryptocurrencies, hijack accounts, read private messages, and potentially escalate attacks. The malware also collects system information and takes screenshots to gather further intelligence. Although no known exploits in the wild have been reported, the malware’s distribution method relies on user interaction, specifically running the malicious file. The threat is exacerbated by the use of trusted platforms for distribution and sophisticated social engineering. 
Defenders should be aware of the broad attack surface and the malware’s ability to compromise multiple layers of user data and credentials.
Potential Impact
For European organizations, Stealka poses a significant threat to the confidentiality and integrity of sensitive data, especially for employees who may download unauthorized or pirated software. The malware’s ability to steal browser credentials and session tokens can lead to widespread account hijacking, including corporate email, VPN access, and cloud services, potentially enabling lateral movement within networks. The theft of cryptocurrency wallet data threatens financial assets, which is particularly relevant for organizations or individuals involved in crypto trading or holding. The compromise of password managers and 2FA apps undermines multi-factor authentication defenses, increasing the risk of account takeovers. Messaging app data theft could expose sensitive communications, while VPN credential theft can facilitate stealthy attacker access. The use of legitimate platforms for distribution increases the risk of infection even in organizations with standard security controls. This threat could lead to financial losses, reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The extensive targeting of gaming and modding communities also suggests potential spillover risks to organizations with employees engaged in these activities, increasing the attack surface.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to this threat:
1) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting infostealer behaviors, and block execution of unauthorized software, especially from untrusted sources.
2) Enforce strict application control policies to prevent execution of pirated software, game cheats, and unauthorized mods.
3) Educate employees about the risks of downloading software from unofficial sources and the tactics used by attackers, including fake websites and false antivirus scan banners.
4) Prohibit storing sensitive credentials and payment information in browsers; instead, use enterprise-grade password managers with strong encryption and secure vaults.
5) Mandate the use of hardware-based or app-based multi-factor authentication methods and ensure backup codes are stored securely outside browsers or plaintext files.
6) Monitor network traffic for unusual outbound connections to known malicious command and control servers associated with Stealka.
7) Regularly audit installed browser extensions and remove unnecessary or untrusted ones, especially those related to crypto wallets and password management.
8) Implement strict controls and monitoring on VPN usage and credentials to detect potential hijacking.
9) Keep all software, including browsers and extensions, up to date with security patches.
10) Consider deploying threat intelligence feeds to detect and block known Stealka distribution URLs and hashes.
11) Encourage reporting and rapid incident response to suspected infections to limit lateral movement and data exfiltration.
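One way to operationalize recommendation 7 (auditing installed browser extensions): an added Python example, not code from the Kaspersky post, that walks a Chromium profile's Extensions directory, checks each extension id against an allowlist, and flags permissions that expose cookies, all-site traffic or other browser state an extension-based stealer would want. It builds a constructed sample profile in a temporary directory; the extension ids, names and allowlist are placeholders.

```python
import json
import tempfile
from pathlib import Path

# Permissions worth a second look in an audit: each grants read access to
# browser state (cookies, traffic, clipboard, history) that a stealer could abuse.
RISKY_PERMISSIONS = {"cookies", "webRequest", "clipboardRead", "tabs",
                     "history", "<all_urls>", "nativeMessaging"}

def audit_extensions(extensions_dir, allowlist):
    """Report every extension under a Chromium profile's Extensions/ tree.
    Real layout: Extensions/<32-char id>/<version>_<n>/manifest.json, e.g.
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions on Windows."""
    findings = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            m = json.loads(manifest.read_text(encoding="utf-8"))
            # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            findings.append({
                "id": ext_dir.name,
                # A localized manifest shows "__MSG_appName__" here; resolve via _locales if needed.
                "name": m.get("name", "?"),
                "version": m.get("version", manifest.parent.name),
                "allowed": ext_dir.name in allowlist,
                "risky": sorted(perms & RISKY_PERMISSIONS),
            })
    return findings

def build_sample_profile():
    # Constructed sample profile; the ids below are placeholders, not real extensions.
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Corporate SSO Helper", "version": "1.2.0",
                                             "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Free Coupon Finder", "version": "0.9",
                                             "permissions": ["cookies", "webRequest"],
                                             "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for f in audit_extensions(build_sample_profile(), {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}):
        status = "OK    " if f["allowed"] and not f["risky"] else "REVIEW"
        print(status, f["id"], f["name"], f["version"], f["risky"])
```

Run it against a real profile by passing the Extensions path and your organization's allowlist of extension ids; anything marked REVIEW that is not on the allowlist is a candidate for removal.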
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Switzerland
Technical Details
- Article Source: https://www.kaspersky.com/blog/windows-stealer-stealka/55058/ (fetched 2025-12-18T13:44:47.316Z, 1729 words)
Threat ID: 6944054f4eb3efac3689efa7
Added to database: 12/18/2025, 1:44:47 PM
Last enriched: 12/18/2025, 1:45:05 PM
Last updated: 12/19/2025, 12:52:36 AM