Alert: New Malware ‘Mars Stealer’ Targets 2FAs and Crypto Hot Wallets   

A new information-stealing malware has been spotted in the wild targeting over 40 crypto hot wallets, browsers, and 2-factor authentication (2FA) plug-ins. Named ‘Mars Stealer’, it is an improved version of the older Oski malware that shut down in 2020 after customer support and the Telegram went dark.

The new malware has recently been spotted circulating on Russian-speaking hacking forums where people can purchase it for between US$140 and $160.

Screenshot of the forum. Source:

How ‘Mars Stealer’ Malware Works

According to @3xp0rt, the security researcher who got his/her hands on the malware to conduct technical analysis on it, the Mars Stealer collects information in the memory of a device. With the ability to target 37 browsers and various crypto wallets, including Bitcoin core wallets and all their derivatives as well as Ethereum, Exodus, Binance and more, the threat is widespread:

Wallets targeted by Mars Stealer. Source:

When targeting wallets it stores sensitive data found in wallet.dat which contains the wallet address, the private key to access the address, and other sensitive data. Mars Stealer also targets 2FA apps and more than 40 crypto extensions on Chromium-based browsers, including Google Chrome, Firefox and Brave, but not Opera.


Malware That ‘Speaks’ Only Russian

The malware also contains a function that allows it to remove itself after it has successfully executed or when the operator decides it is time. One of the quirky aspects, though, is that after infecting a system it will check the device language. If the device’s language ID matches that of Russia, Belarus, Kazakhstan, Azerbaijan, Uzbekistan or Kazakhstan, the program will exit without performing any malicious acts, which is apparently common in many Russian-based malware.

Language checks for target exclusion

How to Protect Yourself 

Mars Stealer can be spread through many different channels such as file-hosting websites, torrent clients or any other shady downloaders. Users who hold their crypto assets on browser-based wallets or use browser extensions like Authy to utilise 2FA are warned to be cautious against clicking dubious links or downloads:

This comes after BHUNT malware also became more prominent during the past few weeks and Babadeda malware was spread in crypto discord channels last November.

Robert Drage

Robert Drage

Robert is a freelance researcher, with a background in information science currently interested in blockchain technology and technical developments in the field.

You may also like