A sophisticated new strain of information-stealing malware has been identified in the wild, specifically engineered to bypass browser protections and scrape cryptocurrency private keys directly from infected devices. The threat, detailed in a recent cybersecurity roundup, marks a shift from passive phishing to active, binary-level exfiltration.
The Attack Vector: Malicious Installers
Unlike browser-based drainers that rely on user approval of malicious transactions, this new strain operates at the file system level. Security researchers report the malware is primarily distributed through compromised software installers, often disguised as legitimate utilities, pirated software, or game mods.
Once executed, the payload does not immediately trigger ransomware tactics. Instead, it silently scans specific directories known to house hot wallet data. The target list includes:
- Browser Extension Data: The malware targets the Local State and Login Data files of Chromium-based browsers to decrypt saved passwords and seed phrases stored by extensions like MetaMask and Phantom.
- Desktop Wallets: It hunts for wallet.dat files and unencrypted keystores associated with desktop clients like Exodus or Electrum.
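The target list above gives a defender something concrete to watch for. The following is an added example, not code from the article or the researchers it cites: it runs a file-access detection over constructed telemetry, flagging reads of the named files (Local State, Login Data, wallet.dat, Electrum and Exodus wallet directories) by any process outside an assumed allowlist of their legitimate owners, then singles out processes that sweep several of those categories at once. The process names, paths and sample events are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed file-access event (the shape Sysmon or EDR file-read telemetry would give).
FileEvent = namedtuple("FileEvent", ["ts", "process", "path"])

# (path pattern, label, processes expected to read it). The patterns are the files the
# article names as targets; the allowlist of readers is an assumption to tune per fleet.
TARGETS = [
    (r"(?i)[\\/]User Data[\\/]Local State$", "chromium-local-state", {"chrome.exe", "msedge.exe"}),
    (r"(?i)[\\/]User Data[\\/][^\\/]+[\\/]Login Data$", "chromium-login-data", {"chrome.exe", "msedge.exe"}),
    (r"(?i)[\\/]wallet\.dat$", "wallet-dat", {"bitcoin-qt.exe"}),
    (r"(?i)[\\/]Electrum[\\/]wallets[\\/]", "electrum-wallet", {"electrum.exe"}),
    (r"(?i)[\\/]Exodus[\\/]", "exodus-wallet", {"exodus.exe"}),
]

def classify(path):
    """Return (label, expected_readers) if path is a targeted file, else None."""
    for pattern, label, readers in TARGETS:
        if re.search(pattern, path):
            return label, readers
    return None

def detect(events):
    """Alert on targeted files read by a process other than their expected owner."""
    alerts = []
    for ev in events:
        hit = classify(ev.path)
        if hit and ev.process.lower() not in hit[1]:
            alerts.append((ev.ts, ev.process, hit[0], ev.path))
    return alerts

def sweeping_processes(alerts, min_categories=2):
    """Processes that touched several target types: the browser-plus-wallet sweep stands out."""
    seen = {}
    for _, process, label, _ in alerts:
        seen.setdefault(process.lower(), set()).add(label)
    return sorted(p for p, labels in seen.items() if len(labels) >= min_categories)

# Constructed sample telemetry: one browser, one wallet app, one unknown installer.
SAMPLE_EVENTS = [
    FileEvent("t1", "chrome.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"),
    FileEvent("t2", "setup_crack.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"),
    FileEvent("t3", "setup_crack.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("t4", "setup_crack.exe", r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"),
    FileEvent("t5", "electrum.exe", r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"),
    FileEvent("t6", "setup_crack.exe", r"C:\Users\u\Documents\notes.txt"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), sweeping_processes(detect(SAMPLE_EVENTS)))
```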
Evolution of Threat Specificity
This development represents a maturation in crypto-targeting malware. While previous campaigns like RedLine or Raccoon Stealer cast a wide net for credit card data, this strain exhibits purpose-built logic for identifying crypto assets. The malware distinguishes between custodial exchange logins and non-custodial wallet files, prioritizing the latter for immediate exfiltration to Command and Control (C2) servers.
The malware’s goal is to exfiltrate sensitive data such as private keys, seed phrases, and wallet files from infected devices.
The rise of this specific vector correlates with a broader trend of supply-chain attacks, where attackers poison the distribution channels of legitimate software rather than attacking the software itself. Users relying on software wallets without hardware isolation (a hardware wallet such as Ledger or Trezor) remain the primary demographic at risk.