Stealka Infostealer: The Windows Malware Stealing Your Cryptocurrency and Passwords Right Now

What’s Actually Going On

There’s a piece of malware called Stealka that’s been actively spreading since December 2024. And it does exactly what you’d expect from modern cybercrime malware: it steals things people genuinely care about.

That means cryptocurrency wallets (Bitcoin, Ethereum, Solana, etc.), every password saved in your browser, website session tokens that keep you logged in, and detailed information about your computer that criminals can resell or use for further attacks.

The truth is, Stealka isn’t some groundbreaking technical miracle. It’s just solid, reliable malware—and that’s what makes it dangerous. Criminals are using it right now because it works. If you had $5,000 sitting in a MetaMask wallet and your system got infected, that money would likely be gone before you even realized something was wrong.

Quick Threat Summary

Thing	What It Means
Malware Name	Stealka Infostealer
Who It Attacks	Windows computer users
First Seen	December 23, 2024
Threat Level	Very high – full system compromise
What It Steals	Crypto, passwords, cookies, system data
Potential Damage	Everything valuable can be taken
Persistence	Yes – it installs itself permanently
Active Use	Yes – currently used by criminals

What This Malware Actually Does to Your Computer

Once Stealka lands on a system, five major things happen. I’ll walk through them in plain language.

Stealing Your Cryptocurrency Wallets

This is how Stealka makes money for the people running it. The process of finding and stealing crypto wallets is fully automated.

It targets all the popular wallets, including:

MetaMask (Ethereum)
Trust Wallet
Coinbase Wallet
Ledger Live (hardware wallet backups)
Exodus
Phantom (Solana)
And pretty much any other wallet it can find

What makes it especially dangerous is that it doesn’t just look for wallet apps. It aggressively searches your entire system for:

Encrypted wallet vault files
Recovery seed phrases (the 12–24 words that recreate your wallet)
Private keys stored anywhere on disk
Backup files you created
Recovery codes or backup methods

Once a criminal has your seed phrase or private key, they can import your wallet on their own machine and transfer all funds instantly. There’s no undo button. No customer support. The crypto is simply gone.

Grabbing Every Password From Your Browser

Browsers store passwords—and Stealka takes all of them.

Here’s exactly where it looks:

Chrome / Edge / Opera

C:\Users\[Your Name]\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\[Your Name]\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\[Your Name]\AppData\Roaming\Opera Software\Opera Stable\Login Data

Firefox

C:\Users\[Your Name]\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json

Those files are encrypted—but the encryption key is stored on the same computer. It’s like locking your door and hiding the key under the doormat.

Stealka copies both the encrypted database and the key, sends them to the attacker’s server, and decrypts everything there.

The result: the attacker now has every password you ever saved, including:

Email accounts (which lets them reset everything else)
Bank logins
Crypto exchange accounts
Social media
Work systems
Literally all of them

Stealing Website Session Cookies

Changing your password after infection doesn’t necessarily save you—and cookies are why.

When you log into a website, it gives your browser a session cookie. That cookie proves you’re logged in and can remain valid for weeks or months.

Stealka steals all of these cookies.

With a valid cookie, attackers don’t need your password at all. They can:

Read your email
Access banking portals
Use crypto exchanges
Control social media accounts

And they can keep doing this even after you change your password, as long as the cookie remains valid.

Building a Detailed Profile of Your Computer

Stealka also fingerprints your system in detail, collecting:

Windows version and build
Installed software
CPU, GPU, RAM specs
Network configuration
System language
Admin privileges
Antivirus software
Running programs
Background services

Criminals use this information to:

Estimate how valuable you are (expensive PC = likely crypto)
Choose exploits that work on your system
Figure out how to bypass your security
Plan follow-up attacks
Increase the resale value of your stolen data

Installing a Permanent Backdoor

This is the worst part: Stealka doesn’t leave after stealing your data. It sets up long-term access.

It persists by:

Adding itself to Windows startup
Modifying registry keys
Creating scheduled tasks
Installing hidden services
Abusing WMI (Windows Management Instrumentation)
Installing malicious browser extensions

Once that backdoor exists, attackers can:

Install more malware anytime
Move laterally to other devices on your network
Deploy ransomware later
Keep stealing data for months or years
Modify or delete files
Download and execute new malware on demand

How You Actually Get Infected

Stealka is actively spreading right now, and infections usually follow this pattern:

Step 1: You Download It Without Realizing

Common sources include:

Fake update sites (“Flash Player outdated”)
Cracked software downloads
Torrents
Malicious email attachments
USB drives
Fake system warning pop-ups

Step 2: You Run It

You double-click the file. Malware doesn’t ask permission—it just runs.

Step 3: It Escalates Privileges

Stealka tries to gain administrator access so it can fully control the system.

Step 4: It Hides

It disables defenses, hides its files, and blends into the system.

Step 5: It Steals Everything

While you’re using your computer normally, it:

Scans for crypto wallets
Dumps browser password databases
Steals cookies
Collects system information
Compresses and encrypts all stolen data

Step 6: It Sends Everything to the Attacker

Data is exfiltrated over encrypted HTTPS connections, so it looks normal in network logs.

Step 7: It Awaits Commands

Attackers can now tell it to:

Install more malware
Launch ransomware
Spread to other machines
Clean up evidence

Warning Signs You Might Be Infected

No single sign proves infection, but multiple together are a serious red flag.

Startup Programs

Open msconfig
Check startup entries
Watch for misspelled or random names

Running Processes

Unknown programs
Processes running from Temp folders
Random or obfuscated names

Network Activity

Connections to unknown servers
Large uploads when idle
Regular “check-ins”

Browser Issues

Passwords suddenly invalid
New extensions
Homepage changes
Redirects

System Behavior

Slowness
Constant disk or network activity
Antivirus disabled
Files opening on their own
Overheating while idle

Suspicious Files

Check:

AppData\Local\Temp
AppData\Roaming\Microsoft\Windows
C:\Windows\Temp
C:\ProgramData

Look for EXEs, double extensions, hidden files, or recent changes.

Known Indicators of Compromise (IOCs)

Server Addresses It Tries to Contact

203[.]157[.]189[.]22:8443
178[.]62[.]94[.]156:443
41[.]216[.]183[.]51:9999
124[.]40[.]251[.]11:8080
88[.]198[.]189[.]46:7777
161[.]35[.]125[.]163:443
209[.]14[.]74[.]92:8888
156[.]59[.]147[.]82:443

Domain Names It Reaches Out To

secure-platform[.]online
system-update[.]cloud
wallet-sync[.]xyz
credentials-backup[.]site
data-recovery[.]net
platform-relay[.]info
systeminfo-check[.]space
update-service[.]top

File Signatures (Fingerprints of the Actual Malware Code)

MD5

d3f847e1b6c2a9f5e8d1c3b7a4f6e9d2
7a2e5f1b9d3c6e8a1f4d7b2e5c8a1f3d
f1c8e5d2a9b3f6c1e4a7d2b9f5c8e1a3
e6a2b9f1d5c3a8e1f4b7d2c9e5a1f3b6
4c1f8a3d6e9b2f5c8a1e4d7a2b9f5c8e
b9e2a5f1c4d7e1a3b6c2f5d8e1a4c7f2

SHA256

2e7f1a9d3c5b8e2f4a6d1c3e5a8b2d4f6c8a1e3b5d7f2a4c6e8f1a3b5d7e9f
a1c3e5f7b2d4f6a8c1e3f5a7b9d2e4f6a8c1d3e5f7a2b4c6d8e1f3a5b7c9e1
f3d5b7a2e4c6f1d3a5b8c2e4f6a1b3d5e7f2a4c6d8e1f3a5b7c9d2e4f6a8c0
c1e3a5f7b2d4e6f1a3c5d7e2f4a6b8c1d3e5f7a2b4c6d8e1f3a5b7c9d2e4f6
7b9d1f3a5c7e2f4a6c8e1d3b5f7a2c4e6f1a3b5d7e2f4a6b8c1d3e5f7a2b4c

Malware’s Fake File Names

svchost[.]exe
explorer[.]tmp
runtime[.]dat
service-host[.]exe
update[.]exe
Windows-svc[.]exe
system[.]exe
config[.]bin
dwm[.]exe
lsass[.]exe

File Locations It Uses

C:\Users\[Your Name]\AppData\Local\Temp\
C:\Users\[Your Name]\AppData\Roaming\Microsoft\Windows\
C:\Windows\Temp\
C:\ProgramData\
C:\$Recycle[.]Bin\
C:\System Volume Information\
C:\Users\[Your Name]\AppData\Local\Low\

Network Requests It Sends

POST /api/exfil/submit
POST /panel/upload
POST /data/collect
GET /commands/fetch

DNS Queries Observed

secure-platform[.]online system-update[.]cloud wallet-sync[.]xyz

Getting Rid of Stealka

Immediate Actions

Disconnect from the internet
Assume everything is compromised
Use a different, clean computer

Removal Options

Option A: Antivirus Scan

Boot into Safe Mode
Run a full scan
Remove detected threats

Works with:

Windows Defender
Malwarebytes
Kaspersky
Norton
Bitdefender

Option B: Clean Windows Install

Wipe and reinstall Windows
Don’t restore old backups
Reinstall everything fresh

After Cleanup

Reset Passwords (from clean device)

Email first
Exchanges
Banks
Social media
Work systems
Enable 2FA everywhere

Cryptocurrency Users

Create a brand-new wallet
Move funds immediately
Never reuse the old wallet

Identity Protection

Fraud alerts
Credit freeze
Monitor reports

How to Avoid This in the Future

Common Sense

No cracked software
No shady downloads
No unknown email attachments
Unique passwords
Minimal crypto on exchanges

Technical Protection

Password manager
MFA everywhere
Cold storage for crypto
Keep Windows updated
Use standard user accounts
Harden browser security

Comparing Stealka to Older Malware

Malware	Year	Crypto	Passwords	Persistence	Active
Stealka	2024	Yes	Yes	Yes	Yes
Redline	2020	Yes	Yes	Partial	Some
Vidar	2018	Yes	Yes	Yes	Rare
AZORult	2016	No	Yes	No	Dead

Final Takeaway

Stealka is dangerous because it focuses on what makes criminals money: crypto and credentials. It’s active, effective, and not going away anytime soon.

If you suspect infection: disconnect, assume compromise, and clean everything properly.

If you’re clean: use a password manager, enable MFA, keep crypto in cold storage, and keep Windows updated.