Security

User Endpoints Compromised by LeakyInjector LeakyStealer Malware Duo

The LeakyStealer malware family uses low-level API injection via LeakyInjector to bypass detection and systematically drain browser-based crypto wallets.
November 13, 20253 min

The image displays a highly detailed, close-up perspective of a futuristic, metallic and translucent blue technological apparatus. Its modular construction showcases intricate silver and dark blue components, accented by internal glowing blue light emanating from transparent sections
A spherical object, predominantly translucent blue, is textured with scattered white granular particles and intricate silver-lined patterns. A distinct diagonal silver channel bisects the object, revealing deeper blue tones within its structure

Briefing

A new, sophisticated two-stage malware operation, identified as LeakyInjector and LeakyStealer, is actively targeting user endpoints to compromise digital asset holdings. LeakyInjector acts as the initial vector, utilizing low-level API injection to evade standard security protocols before deploying the second-stage LeakyStealer payload into the explorer.exe process. The primary consequence is the systematic reconnaissance and data exfiltration of credentials and private keys from multiple browser-based crypto wallet extensions. This highly methodical attack represents a critical escalation in user-side threat complexity, moving beyond simple phishing to deep system infection.

A clear, angular shield with internal geometric refractions sits atop a glowing blue circuit board, symbolizing the security of digital assets. This imagery directly relates to the core principles of blockchain technology and cryptocurrency protection

Context

The prevailing risk for most retail and institutional users has long been the compromise of browser-based wallet extensions, which maintain hot keys and are vulnerable to process-level attacks. Prior to this new family, many threat actors relied on simpler phishing or social engineering to acquire seed phrases, making the attack surface primarily human-centric. This new malware shifts the attack vector to the operating system’s process space, indicating a failure of traditional endpoint detection systems to flag the initial low-level injection.

The image displays a complex 3D abstract structure comprising white spheres, thick white tubes, and metallic wires surrounding a central cluster of blue cubes. A distinct blue sphere is also connected by wires

Analysis

The attack chain begins with LeakyInjector, which leverages low-level Windows APIs to achieve stealthy code injection, effectively bypassing basic heuristic detection mechanisms. Once established, LeakyInjector injects the LeakyStealer payload directly into a core system process, specifically explorer.exe , to mask its malicious activity as legitimate system function. LeakyStealer then performs targeted reconnaissance, scanning the infected machine for files associated with numerous crypto wallet browser extensions and the user’s browser history.

This allows the malware to systematically harvest sensitive data, including session tokens, private keys, and potentially seed phrases, for subsequent exfiltration and asset theft. The success of the exploit hinges on the stealth of the initial injection and the co-opting of a trusted system process.

The image displays a series of interconnected, translucent blue spheres, some with a textured surface, forming a chain-like structure against a soft grey background. From a prominent central sphere, multiple metallic, rod-like probes extend outwards, suggesting intricate connectivity

Parameters

  • Injected Process → explorer.exe
  • Primary Attack Method → Low-level API Injection
  • Targeted Data → Crypto Wallet Extensions and Browser History
  • Malware Families → LeakyInjector and LeakyStealer

Close-up view of intricate metallic modular components, primarily silver with distinct blue highlights, embedded within a light blue, porous, and textured material. These modules are arranged linearly, suggesting a complex, interconnected system partially submerged in the foamy substance

Outlook

Users must immediately audit all active browser extensions, revoke permissions for non-essential applications, and ensure all operating system and antivirus software is updated to the latest versions capable of detecting low-level API calls. This incident establishes a new, higher baseline for required endpoint security, moving the focus from network-level phishing to deep-seated process injection. Protocols and dApps must now consider the security of the user’s endpoint as a critical component of their overall risk model, potentially leading to the adoption of more robust hardware-wallet-only transaction signing requirements.

A close-up reveals a detailed, futuristic hardware component with a prominent dark screen and metallic blue textured casing. The intricate circuitry and connection ports suggest advanced functionality for digital systems

Verdict

The emergence of the LeakyStealer family signifies a critical shift from human-centric social engineering to sophisticated, system-level malware, demanding an immediate and complete overhaul of user endpoint security protocols.

malware family, endpoint security, wallet drainer, browser extension, API injection, information stealer, threat actor, user compromise, crypto wallet, digital asset, low-level API, reconnaissance, crypto theft, data exfiltration, cyber threat, attack vector, private key, seed phrase, system infection, security posture, process injection, multi-stage attack, system process, credential harvesting, anti-virus evasion, user data, operating system, security protocol, heuristic detection, malicious payload Signal Acquired from → thehackernews.com

Micro Crypto News Feeds

security protocols

Definition ∞ Security protocols are sets of rules and procedures designed to protect data, systems, and networks from unauthorized access, use, disclosure, disruption, modification, or destruction.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

crypto wallet

Definition ∞ A crypto wallet is a digital tool used to manage cryptocurrency assets.

private keys

Definition ∞ Private keys are secret cryptographic codes that grant exclusive access and control over a user's digital assets on a blockchain.

api

Definition ∞ An API, or Application Programming Interface, is a set of rules and protocols that allows different software applications to communicate with each other.

wallet

Definition ∞ A digital wallet is a software or hardware application that stores public and private keys, enabling users to send, receive, and manage their digital assets on a blockchain.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

endpoint security

Definition ∞ Endpoint security refers to the protection of individual devices, such as computers, smartphones, and servers, connected to a network.

protocols

Definition ∞ 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.

Tags:

Tags: