Security

User Endpoints Compromised by LeakyInjector LeakyStealer Malware Duo

The LeakyStealer malware family uses low-level API injection via LeakyInjector to bypass detection and systematically drain browser-based crypto wallets.
November 13, 20253 min

The image displays a close-up of a high-tech electronic connector, featuring a brushed metallic silver body with prominent blue internal components and multiple black cables. Visible within the blue sections are intricate circuit board elements, including rows of small black rectangular chips and gold-colored contacts
An abstract digital artwork displays a central, spiky cluster of blue, faceted crystalline forms, surrounded by multiple smooth white spheres. Thin white and blue lines connect these elements, with some spheres featuring orbital rings, all set against a blurred dark blue background with small white dots

Briefing

A new, sophisticated two-stage malware operation, identified as LeakyInjector and LeakyStealer, is actively targeting user endpoints to compromise digital asset holdings. LeakyInjector acts as the initial vector, utilizing low-level API injection to evade standard security protocols before deploying the second-stage LeakyStealer payload into the explorer.exe process. The primary consequence is the systematic reconnaissance and data exfiltration of credentials and private keys from multiple browser-based crypto wallet extensions. This highly methodical attack represents a critical escalation in user-side threat complexity, moving beyond simple phishing to deep system infection.

Two futuristic, modular white components are shown in close connection, revealing glowing blue internal mechanisms against a dark blue background with blurred, ethereal shapes. This visual emphasizes the complex protocol integration essential for robust blockchain interoperability and scalable network architecture

Context

The prevailing risk for most retail and institutional users has long been the compromise of browser-based wallet extensions, which maintain hot keys and are vulnerable to process-level attacks. Prior to this new family, many threat actors relied on simpler phishing or social engineering to acquire seed phrases, making the attack surface primarily human-centric. This new malware shifts the attack vector to the operating system’s process space, indicating a failure of traditional endpoint detection systems to flag the initial low-level injection.

The image displays a series of interconnected, translucent blue spheres, some with a textured surface, forming a chain-like structure against a soft grey background. From a prominent central sphere, multiple metallic, rod-like probes extend outwards, suggesting intricate connectivity

Analysis

The attack chain begins with LeakyInjector, which leverages low-level Windows APIs to achieve stealthy code injection, effectively bypassing basic heuristic detection mechanisms. Once established, LeakyInjector injects the LeakyStealer payload directly into a core system process, specifically explorer.exe , to mask its malicious activity as legitimate system function. LeakyStealer then performs targeted reconnaissance, scanning the infected machine for files associated with numerous crypto wallet browser extensions and the user’s browser history.

This allows the malware to systematically harvest sensitive data, including session tokens, private keys, and potentially seed phrases, for subsequent exfiltration and asset theft. The success of the exploit hinges on the stealth of the initial injection and the co-opting of a trusted system process.

The image showcases a high-tech, metallic and blue-bladed mechanical component, heavily encrusted with frost and snow around its central hub and blades. A polished metal rod extends from the center, highlighting the precision engineering of this specialized hardware

Parameters

  • Injected Process → explorer.exe
  • Primary Attack Method → Low-level API Injection
  • Targeted Data → Crypto Wallet Extensions and Browser History
  • Malware Families → LeakyInjector and LeakyStealer

The image displays a composition of metallic, disc-like components and intricate, translucent blue organic forms, all interconnected by flowing silver tubes. The background is a gradient of grey tones, providing a clean, high-tech aesthetic

Outlook

Users must immediately audit all active browser extensions, revoke permissions for non-essential applications, and ensure all operating system and antivirus software is updated to the latest versions capable of detecting low-level API calls. This incident establishes a new, higher baseline for required endpoint security, moving the focus from network-level phishing to deep-seated process injection. Protocols and dApps must now consider the security of the user’s endpoint as a critical component of their overall risk model, potentially leading to the adoption of more robust hardware-wallet-only transaction signing requirements.

The image presents a detailed perspective of complex blue electronic circuit boards interconnected by numerous grey cables. Components like resistors, capacitors, and various integrated circuits are clearly visible across the surfaces of the boards, highlighting their intricate design and manufacturing precision

Verdict

The emergence of the LeakyStealer family signifies a critical shift from human-centric social engineering to sophisticated, system-level malware, demanding an immediate and complete overhaul of user endpoint security protocols.

malware family, endpoint security, wallet drainer, browser extension, API injection, information stealer, threat actor, user compromise, crypto wallet, digital asset, low-level API, reconnaissance, crypto theft, data exfiltration, cyber threat, attack vector, private key, seed phrase, system infection, security posture, process injection, multi-stage attack, system process, credential harvesting, anti-virus evasion, user data, operating system, security protocol, heuristic detection, malicious payload Signal Acquired from → thehackernews.com

Micro Crypto News Feeds

security protocols

Definition ∞ Security protocols are sets of rules and procedures designed to protect data, systems, and networks from unauthorized access, use, disclosure, disruption, modification, or destruction.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

crypto wallet

Definition ∞ A crypto wallet is a digital tool used to manage cryptocurrency assets.

private keys

Definition ∞ Private keys are secret cryptographic codes that grant exclusive access and control over a user's digital assets on a blockchain.

api

Definition ∞ An API, or Application Programming Interface, is a set of rules and protocols that allows different software applications to communicate with each other.

wallet

Definition ∞ A digital wallet is a software or hardware application that stores public and private keys, enabling users to send, receive, and manage their digital assets on a blockchain.

malware

Definition ∞ Malware is malicious software designed to infiltrate and damage computer systems or steal sensitive information.

endpoint security

Definition ∞ Endpoint security refers to the protection of individual devices, such as computers, smartphones, and servers, connected to a network.

protocols

Definition ∞ 'Protocols' are sets of rules that govern how data is transmitted and managed across networks.

Tags:

Tags: