Celestial Stealer: How a JavaScript Malware-as-a-Service Is Targeting Crypto Wallets

The cryptocurrency ecosystem faces a persistent and evolving threat landscape as malware campaigns become increasingly sophisticated in their targeting of digital asset holders. On December 5, 2024, cybersecurity researchers at Trellix published a detailed analysis of Celestial Stealer, a JavaScript-based infostealer that specifically targets browser-stored credentials and cryptocurrency wallets, adding another weapon to the growing arsenal of malware-as-a-service (MaaS) tools available to cybercriminals.

The Exploit Mechanics

Celestial Stealer operates as a JavaScript-based infostealer packaged within Electron applications, making it platform-agnostic and particularly difficult to detect through traditional antivirus solutions. The malware targets both Chromium-based browsers such as Google Chrome, Brave, and Microsoft Edge, and Gecko-based browsers including Firefox, extracting stored passwords, autofill data, browsing history, cookies, and saved credit card information.

What sets Celestial Stealer apart from run-of-the-mill credential stealers is its injection capability. The malware can inject malicious payloads directly into applications including Steam, Telegram, and critically, cryptocurrency wallets like Atomic and Exodus. With Bitcoin trading at approximately $97,000 on this date and having just crossed the historic $100,000 threshold, the financial incentive for targeting crypto wallets has never been higher.

The infection chain begins with social engineering. Researchers identified distribution vectors including a fake Discord promotion generator tool and an NSFW-themed VRChat room download. A file named VRChatERPSetup.zip contains the payload executable AppSetup.exe, which initiates the infection process. The stealer uses extensive obfuscation and anti-analysis techniques, including refusing to execute on systems with specific usernames and machine names commonly associated with malware analysis environments.

Affected Systems

The scope of Celestial Stealer’s targeting is broad. Any user running a Chromium- or Gecko-based browser is exposed to credential theft. Users of Atomic Wallet and Exodus face direct payload injection, where malicious code replaces or augments legitimate wallet functions to capture seed phrases, private keys, and transaction data.

The malware also searches for files with specific names across Desktop, Downloads, Documents, and OneDrive folders, collecting documents that may contain sensitive financial information. It imposes a 50 MB limit on file collection to avoid triggering storage-based detection systems, demonstrating careful engineering designed to fly under the radar.

The Celestial group operates via Telegram, offering weekly, monthly, and lifetime memberships for their malware service. They actively promote their tool as Fully Undetectable (FUD), regularly submitting samples to VirusTotal as proof and updating the stealer to maintain its evasion capabilities against evolving security solutions.

The Mitigation Strategy

Protecting against infostealers like Celestial requires a multi-layered security approach. Users should never store cryptocurrency wallet seed phrases or private keys in any digital format accessible through a browser. Hardware wallets such as Ledger or Trezor remain the gold standard for cryptocurrency storage, keeping private keys off the host machine so that a stealer running there cannot read them.

Browser hygiene is essential. Users should regularly audit stored passwords, disable unnecessary autofill features, and consider using a dedicated browser profile or browser instance exclusively for cryptocurrency-related activities. Password managers with zero-knowledge encryption provide significantly better protection than browser-native password storage.

Additionally, never download software from unverified sources, especially tools promising free promotions, game enhancements, or adult content. Verify all downloads through official channels and maintain updated antivirus software that includes behavioral detection capabilities.

Lessons Learned

The emergence of Celestial Stealer underscores several critical trends in the cybersecurity landscape. The malware-as-a-service model has dramatically lowered the barrier to entry for cybercrime, allowing individuals with minimal technical skills to deploy sophisticated attacks. The Telegram-based distribution model provides a frictionless marketplace where threat actors can purchase and deploy tools within minutes.

The targeting of cryptocurrency wallets specifically reflects the maturation of cybercrime as an industry. Attackers are no longer pursuing generic credential theft but are building specialized tools optimized for the high-value cryptocurrency sector. With Bitcoin surpassing $100,000 and Ethereum trading above $3,700, a single compromised wallet can yield life-changing sums for attackers.

User Action Required

If you suspect your system may have been compromised, take immediate action. Move all cryptocurrency funds to a fresh hardware wallet with a newly generated seed phrase. Change all passwords stored in your browser, enable two-factor authentication on every account, and run a full system scan with a reputable antivirus solution. Monitor your exchange accounts and wallet transaction histories for any unauthorized activity.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions regarding your cryptocurrency holdings.

10 thoughts on “Celestial Stealer: How a JavaScript Malware-as-a-Service Is Targeting Crypto Wallets”

  1. electron apps packaging malware targeting atomic and exodus wallets. if you installed anything crypto-related from an unverified source recently, rotate your seeds now

    1. this. if you downloaded any electron app claiming to be a crypto tool in the last month, assume your seed is compromised and move funds to a fresh wallet immediately

  2. MaaS on Telegram for $100/month. The barrier to entry for stealing crypto keeps getting lower while security awareness stays the same.

    1. $100/mo to potentially steal thousands in crypto. the ROI for attackers is absurd which is why these MaaS operations keep multiplying

    2. the $100/mo price tag is why education matters more than tech. most victims click through warnings because the app looks professional

  3. injecting payloads into metamask and phantom extensions is next level. the attack surface of browser-based wallets keeps growing and most users have no idea

    1. electron apps are the perfect trojan horse. looks legit, signed cert, everything checks out until your wallet is empty

      1. phish_food

        electron apps look 100% legit to most users. signed cert from apple dev program, normal UI. zero red flags until your wallet is drained

  4. hw_wallet_pilled

    the payload injection into metamask extension is the part nobody talks about. your hardware wallet doesn't help if the malware modifies the transaction before it reaches your screen
