With more than 25 samples already spotted in the wild, the malware dubbed Luca Stealer is becoming a serious threat to digital security. This was confirmed by Cyble, a company that monitors cybercrime in real time.
In short, the malware targets several Chromium-based browsers. It also goes after messaging apps, cryptocurrency wallets and gaming applications, and has recently gained the ability to steal files from its victims. A versatile tool that shows what can be built in its programming language.
Luca Stealer is written in Rust and, at the time of analysis, had a detection rate of only 22%. Worse still, the developer behind the malicious code made it available to everyone by publishing its source code on GitHub, where many have already grabbed it and started adapting it to their own needs.
So far, Luca Stealer's code has been updated three times. Its creator has also posted a tutorial so that anyone with some knowledge can modify the malware and reuse its code for their own purposes. According to Cyble, the malware was still being updated at the time of its report.
Luca Stealer, the little-known malware worrying IT experts
Nothing seems safe from the clutches of Luca Stealer. Cyble reports that since its discovery it has attempted to steal information from over 20 Chromium-based browsers, with a clear focus on credit card data, login credentials and browser cookies.
It has also been found targeting Discord, Ubisoft Play and Telegram, and is reported to steal data from both "cold" and "hot" cryptocurrency wallets. The hot wallets are the more exposed of the two, since they run as browser extensions.
What is Luca Stealer's modus operandi? The malware is reported to be installed on the computer as an external extension in the victim's browser. From there it starts stealing data from other applications on the system, even taking screenshots and saving them as .png files for its remote operators.
Each browser extension has a unique ID that can be used to locate it in the browser's extension folder under "AppData". The stealer collects the extensions listed in the figure below if they are present on the victim's system.
Well-known cryptocurrency wallets such as MetaMask, iWallet and BinanceChain are among Luca Stealer's primary targets. Password managers are on the list too, including Norton Password Manager, 1Password, NordPass, LastPass and many more. Falling into the hands of this malware is a real nightmare.
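The extension-ID lookup described above cuts both ways: a defender can walk the same directory layout to see which extensions, and which of them hold persisted data, are present on a machine before a stealer does. The script below is an added example written for this article, not code from Cyble or from the Luca Stealer repository. It assumes the standard Chromium "User Data" layout (on Windows, under %LOCALAPPDATA%, e.g. Google\Chrome\User Data): one directory per profile ("Default", "Profile 1", ...), extensions under <profile>/Extensions/<32-letter id>/<version>/manifest.json, and each extension's chrome.storage.local data (where wallet vaults live) under <profile>/Local Extension Settings/<id>. The extension IDs and the temporary profile tree it builds are constructed placeholders, not the real wallet or password-manager IDs from the figure.

```python
"""Inventory Chromium-family browser extensions per profile.

Added example: walks a Chromium "User Data" directory, lists installed
extension IDs, notes the profiles they appear in and whether they have
persisted storage (the directory stealers harvest wallet vaults from).
The extension IDs and sample tree below are constructed placeholders.
"""
import json
import re
import tempfile
from pathlib import Path

# Chromium extension IDs are 32 lowercase letters in the range a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

# Directories that live beside profiles but are not user profiles.
NON_PROFILE_DIRS = {"System Profile", "Guest Profile", "ShaderCache", "GrShaderCache"}


def profile_dirs(user_data_dir):
    """Yield profile directories (Default, Profile 1, ...) that have an Extensions folder."""
    for p in sorted(Path(user_data_dir).iterdir()):
        if p.is_dir() and p.name not in NON_PROFILE_DIRS and (p / "Extensions").is_dir():
            yield p


def extension_name(ext_dir):
    """Read the extension's display name from the newest version's manifest.json, if any."""
    manifests = sorted(ext_dir.glob("*/manifest.json"))
    if not manifests:
        return None
    try:
        return json.loads(manifests[-1].read_text(encoding="utf-8")).get("name")
    except (OSError, ValueError):
        return None


def inventory_extensions(user_data_dir):
    """Return {extension_id: {"profiles": [...], "name": str|None, "has_storage": bool}}."""
    found = {}
    for profile in profile_dirs(user_data_dir):
        for ext_dir in (profile / "Extensions").iterdir():
            # Skip non-extension entries such as the "Temp" directory.
            if not (ext_dir.is_dir() and EXT_ID.match(ext_dir.name)):
                continue
            entry = found.setdefault(ext_dir.name, {"profiles": [], "name": None, "has_storage": False})
            entry["profiles"].append(profile.name)
            entry["name"] = entry["name"] or extension_name(ext_dir)
            # chrome.storage.local data (wallet vaults, session tokens) is kept here.
            if (profile / "Local Extension Settings" / ext_dir.name).is_dir():
                entry["has_storage"] = True
    return found


def exposed_extensions(inventory, watchlist):
    """Installed IDs from a watchlist (e.g. wallets, password managers), storage-bearing first."""
    hits = [eid for eid in inventory if eid in watchlist]
    return sorted(hits, key=lambda eid: (not inventory[eid]["has_storage"], eid))


def build_sample_user_data():
    """Create a constructed User Data tree in a temp dir (not a real browser profile)."""
    root = Path(tempfile.mkdtemp())
    # profile -> {placeholder extension id: (name, has persisted storage)}
    layout = {
        "Default": {
            "abcdefghijklmnopabcdefghijklmnop": ("Demo Wallet", True),
            "ppppoooonnnnmmmmllllkkkkjjjjiiii": ("Demo Ad Blocker", False),
        },
        "Profile 1": {"abcdefghijklmnopabcdefghijklmnop": ("Demo Wallet", False)},
    }
    for profile, exts in layout.items():
        for eid, (name, with_storage) in exts.items():
            ver = root / profile / "Extensions" / eid / "1.0.0_0"
            ver.mkdir(parents=True)
            (ver / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
            if with_storage:
                (root / profile / "Local Extension Settings" / eid).mkdir(parents=True)
    (root / "System Profile").mkdir()
    return root


if __name__ == "__main__":
    root = build_sample_user_data()
    inv = inventory_extensions(root)
    watch = {"abcdefghijklmnopabcdefghijklmnop"}  # placeholder ID standing in for a wallet
    for eid in exposed_extensions(inv, watch):
        e = inv[eid]
        print(f"{eid} {e['name']!r} profiles={e['profiles']} storage={e['has_storage']}")
```

Run against a real profile by passing the browser's User Data path to inventory_extensions and a watchlist of the IDs you care about; an entry with has_storage set is the one whose vault or session data a stealer would actually carry off.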
Is anyone safe from Luca Stealer?
Those mainly affected appear, as usual, to be Windows users. Those running Linux or macOS as their primary operating system are reportedly outside Luca Stealer's reach for now. The report attributes this to the use of Rust, but the language itself compiles for all major platforms, so the limitation lies in the current builds and the Windows-specific paths they target rather than in Rust.
That said, it is not out of the question that Luca Stealer will be ported to other systems in the future. The code is now in the hands of potentially millions of people, and anyone with enough knowledge can extend it.
Recommendations for your protection
Cyble has published a series of recommendations to keep your data as safe as possible. Full protection against this kind of malware is not always achievable, but the following steps reduce the risk.
- Avoid downloading files from untrusted sources.
- Clear browsing history and reset passwords periodically.
- Enable automatic software updates on your computer, mobile and other connected devices.
- Use reputable antivirus and internet security software on all connected devices, including computers, laptops and mobiles.
- Avoid opening links and attachments in untrusted emails without verifying their authenticity.
- Train employees to protect themselves against threats such as phishing and untrusted URLs.
- Block URLs that can be used to distribute malware, e.g. torrent/warez sites.
- Monitor beaconing at the network level to block data exfiltration by malware or threat actors (TAs).
- Enable a Data Loss Prevention (DLP) solution on employee systems.