Mars Stealer Malware: What You Need to Know


Online non-custodial wallets are a popular way to store crypto. They’re easy to use and can be connected to different dApps. They give you a lot of freedom in the crypto space. But there are also security risks with wallet extensions like MetaMask, Binance Chain Wallet, and Keplr. Mars Stealer is malware specifically built to steal private keys, wallet addresses, and even 2FA data from non-custodial browser wallets.


Key Takeaways

  • Mars Stealer is an evolution of the Oski trojan (2019) and specifically targets private keys, wallet data, and 2FA information from browser extensions.

  • The malware is sold cheaply on the dark web, making it easily accessible to cybercriminals worldwide.

  • Mars Stealer spreads through phishing emails, malicious websites, and torrents, often disguised as legitimate software or a downloadable .exe file.

  • The program performs checks to avoid detection, shuts down on suspicious system settings, and deletes traces to stay hidden.

  • Targets include popular wallets and 2FA browser plugins such as MetaMask, Keplr, Binance Chain Wallet, Jaxx Liberty, Coinbase Wallet, and Authy.


What is Mars Stealer?

Mars Stealer is malware that steals valuable information from non-custodial browser wallets like MetaMask and Keplr, including the private keys that give access to all your crypto. The software can be purchased on the dark web for around $140, making it easy for cybercriminals to get their hands on it. For victims, the impact can be huge: if your device is infected, you could log in to your wallet and suddenly see a zero balance, the ultimate nightmare for many HODLers.

How does Mars Stealer malware work?

Mars Stealer often looks like legitimate software and typically arrives via a phishing email. Once installed, the malware scans your browser profiles and extensions for wallet data and private keys. This information is sent to the attacker, after which the malware cleans up its own traces, leaving you with one clear sign: an empty wallet.

The process of Mars Stealer

A cybercriminal sends you an email with an attachment or a download link. When launched, Mars Stealer first performs simple checks to see whether it is running on a regular user machine or in an analysis environment. It looks at system language settings and checks for signs of running in a virtual machine (VM) or under a debugger. If it finds a system language from certain regions (such as some former Soviet states) or signs of a forensic or analysis environment, it often shuts down immediately and deletes itself. This reduces the chance of being studied by security researchers while increasing the chances of infecting victims elsewhere.

If Mars Stealer continues, it starts scanning. The software specifically searches browser profiles and extension folders for wallet data, private keys, and 2FA info. This data is collected, encrypted, and sent to a C2 server. Finally, the process removes temporary files and traces, so victims usually only notice when their wallet is already empty.

Targets of Mars Stealer

Mars Stealer goes after nearly all known software wallets, including: TronLink, MetaMask, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, Guild Wallet, Saturn Wallet, Ronin Wallet, Neoline, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, Leaf Wallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, and Coin98 Wallet.

It also targets 2FA browser plugins, including: Authenticator, Authy, EOS Authenticator, GAuth Authenticator, and Trezor Password Manager.
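A defender's first question is which of these extensions are actually installed on a machine. The script below, an added example and not part of the original article, inventories a Chromium-style browser profile (assumed layout: `Extensions/<id>/<version>/manifest.json`) and flags extensions whose name matches a wallet or 2FA product from the lists above, resolving Chrome's `__MSG_key__` localised names along the way. The extension ids and manifests it builds are constructed sample data.

```python
import json
import tempfile
from pathlib import Path

# Names from this page's target lists (lower-cased for matching); extend as needed.
TARGET_NAMES = ("metamask", "keplr", "binance chain wallet", "coinbase wallet",
                "jaxx liberty", "tronlink", "yoroi", "authy", "trezor password manager")

def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Return the manifest 'name', following Chrome's __MSG_key__ localisation indirection."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2]
        msg_file = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msg_file.is_file():
            msgs = json.loads(msg_file.read_text(encoding="utf-8"))
            name = msgs.get(key, {}).get("message", name)
    return name

def inventory_wallet_extensions(profile_dir: Path) -> list[dict]:
    """List installed extensions whose resolved name matches a wallet/2FA product."""
    found = []
    # Assumed Chromium profile layout: Extensions/<extension id>/<version>/manifest.json
    for mf in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        manifest = json.loads(mf.read_text(encoding="utf-8"))
        name = resolve_name(mf.parent, manifest)
        if any(t in name.lower() for t in TARGET_NAMES):
            found.append({"id": mf.parent.parent.name, "version": mf.parent.name, "name": name})
    return found

def build_sample_profile(base: Path) -> Path:
    """Constructed sample profile with three extensions; the ids are placeholders, not real ones."""
    def write(ext_id, version, manifest, messages=None):
        d = base / "Extensions" / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:  # localised name lives in _locales/<locale>/messages.json
            loc = d / "_locales" / manifest["default_locale"]
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    write("aaaa0001", "10.0.0", {"name": "__MSG_appName__", "default_locale": "en"},
          {"appName": {"message": "MetaMask"}})
    write("aaaa0002", "1.2.3", {"name": "Keplr"})
    write("aaaa0003", "4.5.6", {"name": "Sample Ad Blocker"})
    return base

def sample_inventory() -> list[dict]:
    """Run the inventory against the constructed profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_wallet_extensions(build_sample_profile(Path(tmp)))

if __name__ == "__main__":
    for ext in sample_inventory():
        print(f"{ext['name']} ({ext['id']} v{ext['version']})")
```

Point `inventory_wallet_extensions` at a real profile directory (for example the `Default` profile under the browser's user data folder) to see which targeted extensions a user actually has; the ad-blocker entry shows that unrelated extensions are ignored.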

How did Mars Stealer malware originate?

Mars Stealer is the successor of the Oski trojan from 2019. While Oski mainly stole personal data, Mars Stealer focuses directly on browsers and extensions.

What makes Mars Stealer dangerous?

Mars Stealer is dangerous because it can operate unnoticed, so victims often only realize they’ve been targeted when their wallet is empty or their account is inaccessible. On top of that, the malware is constantly being developed and spread in new variants, making it hard to detect and a major threat.

How does Mars Stealer malware spread?

Mars Stealer malware spreads through phishing emails, malicious download sites, and torrents. It’s often disguised as a downloadable .exe file, typically pretending to be a movie or software package.

How can you protect yourself from Mars Stealer?

The good news is that you have a lot of control over whether you become a victim of Mars Stealer malware. If you want to stay safe with crypto, stick to these basics:

  • Only download software from official and legal sources.

  • Be cautious of suspicious emails and links you don’t fully trust.

  • Avoid torrents and shady downloads on devices where you use wallets.

  • Use a hardware wallet for larger amounts. These keep your private keys offline and safe from malware.

  • Keep your operating system and browser up to date, and remove extensions you don’t use.

  • Regularly check wallet activity and revoke unused permissions.

What if your device is infected with Mars Stealer malware?

If you discover you're a victim, act fast. Disconnect the infected device from the network and check your wallets for suspicious transactions. Create new wallet addresses on a clean device (new keys generated on the infected machine can be stolen just as easily) and move your crypto to them. Ultimately, a full reinstall of your operating system is the most reliable way to get rid of the malware.

Final thoughts

Mars Stealer is a serious threat to anyone using non-custodial wallets and browser extensions. The malware is cheap to get, easy to spread, and hard to detect. Victims can lose all their crypto in no time, often without realizing they’ve been targeted.

The good news: the risk can be significantly reduced by following basic security steps, such as downloading software only from official sources, being wary of phishing, using hardware wallets, and keeping your system updated. For anyone active in crypto: prevention is key. A single infection could cause irreversible damage.

About Finst

Finst is one of the leading cryptocurrency providers in The Netherlands and offers a best-in-class investment platform together with institutional-grade security standards and ultra-low trading fees. Finst is led by the ex-core team of DEGIRO and is authorized as a crypto-asset service provider by the Dutch Authority for the Financial Markets (AFM). Finst offers a full suite of crypto services including trading, custody, fiat on/off ramp, and staking for both retail and institutional investors.
