New Malware Poses as Roblox Mods to Steal Crypto Credentials

Hackers are inserting infostealer malware into pirated mods for Roblox and other games, according to research from cybersecurity company Kaspersky.

A blog post from Kaspersky reveals that it has identified a new variety of infostealer called Stealka, which it has so far encountered on distribution platforms such as GitHub, SourceForge, Softpedia and sites.google.com.

Disguised as unofficial mods, cheats and cracks for Windows-based games and other apps, Stealka exfiltrates sensitive login and browser information, which its operators can use to steal crypto.

Crypto wallets targeted

The malware primarily targets data contained by browsers such as Chrome, Firefox, Opera, Yandex Browser, Edge, Brave, as well as the settings and databases of over 100 browser extensions.

Such extensions include cryptocurrency wallets from Binance, Coinbase, MetaMask, Crypto.com and Trust Wallet, as well as password managers (1Password, NordPass, LastPass) and 2FA apps (Google Authenticator, Authy, Bitwarden).

In fact, Stealka’s reach doesn’t stop with browser extensions, since it can also lift (encrypted) private keys, seed phrase data and wallet file paths from standalone cryptocurrency wallet apps.

This includes apps from Binance, Exodus, MyCrypto and MyMonero, as well as wallet apps for Bitcoin, BitcoinABC, Dogecoin, Ethereum, Monero, Novacoin and Solar.

Away from crypto, the Stealka malware has the ability to steal data and authentication tokens for messaging apps (e.g. Discord and Telegram), password manager apps (e.g. 1Password, Bitward, LastPass), email clients (e.g. Gmail Notifier Pro, Mailbird, Outlook), notetaking apps (NoteFly, Notezilla, Microsoft StickyNotes), and VPN clients (e.g. OpenVPN, ProtonVPN, WindscribeVPN).

Speaking to Decrypt, Kaspersky cybersecurity expert Artem Ushkov explained that the new malware “was detected by Kaspersky endpoint protection solutions on Windows machines in November 2025.”

As is the case with similar malware, Ushkov reports that most of the users targeted by Stealka are based in Russia.

“However, attacks by the malware have also been detected in other countries, including Türkiye, Brazil, Germany and India,” he added.

How to stay safe

In view of the threat Stealka, Kaspersky advises in its blog that, aside from using reputable antivirus software, users should steer clear of unofficial and pirated mods.

The blog also advises against storing important info in browsers, and urges users to employ two-factor authentication wherever available, while also making use of backup codes (but without storing them on browsers or in text documents).

While Stealka’s potential for stealing info and, by extension, crypto seems intimidating, there’s currently no indication that it has resulted in significant losses.

“We are not aware of the amount of crypto that has been stolen using it,” said Ushkov. “Our solutions protect against this threat: all detected Stealka malware was blocked by our solutions.”