What kind of malware is Needle Stealer?
Needle Stealer is a modular information stealer written in Golang that harvests saved browser credentials, cryptocurrency wallet files, messaging app data, and other sensitive files from infected computers. It also installs a companion malicious browser extension that gives attackers real-time control over the victim's browser, including the ability to redirect pages, intercept and silently replace file downloads, and inject scripts into visited websites.
According to research by Malwarebytes, Needle Stealer has been distributed through a site called TradingClaw, which posed as a free AI-powered trading tool for TradingView users. Victims who downloaded what they believed was a legitimate trading application unknowingly triggered a multi-stage infection chain that quietly planted the malware in the background.

Needle Stealer overview
Needle Stealer is delivered as a ZIP archive downloaded from the fake TradingClaw website. The archive contains a loader that relies on DLL hijacking: a file named iviewers.dll shipped alongside the loader is picked up in place of the library the loader expects, and it loads a second-stage component. That second stage then uses process hollowing to inject the stealer into RegAsm.exe, a legitimate, Microsoft-signed .NET Framework utility. Because the on-disk image of RegAsm.exe is genuine, file-reputation and signature checks pass; only the process's memory and behaviour (its parent, its command line, its network activity) reveal the injected code, so detection has to be behavioural rather than file-based.
Once active, the stealer connects to the attacker's Command and Control (C2) server and begins collecting data. It targets saved passwords, cookies, and browsing history from web browsers, along with data stored by Telegram and FTP clients. It also scans for text files, harvests cryptocurrency wallet data, and monitors the clipboard.
Malicious browser extension
The most distinctive part of Needle Stealer is the malicious browser extension it installs on the victim's machine. The extension is dropped to a randomly named folder under %LOCALAPPDATA%\Packages\Extensions and communicates with the attacker's server using a configuration file that stores an API key and C2 address details.
Through this extension, attackers can apply redirect rules to send the victim to attacker-controlled pages, intercept legitimate downloads and replace them with malicious files, inject code into pages the victim is currently viewing, and push fake browser notifications. The extension can also collect the victim's full browsing history. It includes a self-destruct function, allowing the attacker to remove it remotely on command.
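The article lists what the extension can do but not which manifest permissions it requests. The Python below is an added example, not the article's or Malwarebytes' code: it walks a directory tree (point it at %LOCALAPPDATA%\Packages\Extensions on a suspect machine), parses every manifest.json it finds, and maps the permission families a Chromium Manifest V3 extension needs for each capability described above (redirects, download replacement, script injection, notifications, history access). That capability-to-permission mapping, the scoring threshold and the two sample manifests are assumptions constructed for the example.

```python
"""Triage of browser-extension manifests found under a dropped-extension root.

Added example; not the article's or Malwarebytes' code. The mapping from the
capabilities described in the article to Chromium permissions is an
ASSUMPTION about what such an extension would have to request, and the
sample manifests are constructed, not the real extension's manifest.
"""
import json
import os
import tempfile

# Assumed mapping: capability described in the article -> permissions enabling it.
CAPABILITY_PERMISSIONS = {
    "redirect / block requests": {"declarativeNetRequest",
                                  "declarativeNetRequestWithHostAccess",
                                  "webRequest", "webRequestBlocking", "webNavigation"},
    "replace downloads": {"downloads"},
    "inject scripts": {"scripting", "tabs"},
    "fake notifications": {"notifications"},
    "read browsing history": {"history"},
}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8-sig") as fh:
        return json.load(fh)


def assess(manifest: dict):
    """Return (score, capabilities, all_hosts) for one parsed manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 manifests put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    caps = [c for c, need in CAPABILITY_PERMISSIONS.items() if perms & need]
    all_hosts = bool(hosts & ALL_HOSTS)
    # A content script matching every site is another injection route.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & ALL_HOSTS:
            all_hosts = True
            if "inject scripts" not in caps:
                caps.append("inject scripts")
    score = len(caps) + (2 if all_hosts else 0)
    return score, sorted(caps), all_hosts


def find_manifests(root: str):
    """Yield every manifest.json below root."""
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" in files:
            yield os.path.join(dirpath, "manifest.json")


def triage(root: str, threshold: int = 4) -> dict:
    """{manifest path: (score, capabilities, all_hosts)} for manifests at or above threshold."""
    out = {}
    for path in find_manifests(root):
        try:
            result = assess(load_manifest(path))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than abort the sweep
        if result[0] >= threshold:
            out[path] = result
    return out


# Constructed samples: one with the capability set the article describes, one benign.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Page Helper", "version": "1.0",
    "permissions": ["declarativeNetRequestWithHostAccess", "downloads", "scripting",
                    "notifications", "history", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Dark Theme", "version": "2.1",
                   "permissions": ["storage"]}


def demo() -> dict:
    """Write both constructed manifests into a temp tree and triage it."""
    root = tempfile.mkdtemp()
    for folder, manifest in (("a1b2c3d4", SAMPLE_MANIFEST), ("theme", BENIGN_MANIFEST)):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return triage(root)


if __name__ == "__main__":
    for path, (score, caps, all_hosts) in demo().items():
        print(f"{score:2d} all_hosts={all_hosts} {path}: {', '.join(caps)}")
```

The score is a triage aid, not a verdict: a legitimate ad blocker also requests request-blocking permissions over all hosts. What should draw attention is the combination the article describes (downloads plus scripting plus notifications plus history, all on every site) sitting in a folder under %LOCALAPPDATA%\Packages that no store or enterprise policy put there.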
Targeted cryptocurrency applications
Needle Stealer specifically seeks out cryptocurrency assets. On the desktop side, it targets data from Ledger, Trezor, and Exodus wallets. It also goes after browser wallet extensions, particularly MetaMask and Coinbase Wallet, attempting to extract seed phrases. A seed phrase cannot be rotated like a password: anyone who obtains it has permanent, irrecoverable access to the wallet, so funds in an exposed wallet should be moved to a freshly generated one from a clean device rather than left in place after cleanup.
| Field | Value |
|---|---|
| Name | Needle Stealer malware |
| Threat Type | Information Stealer, Trojan, Password-stealing virus |
| Detection Names | Avast (Win64:MalwareX-gen [Misc]), Combo Cleaner (Gen:Variant.Giant.Tedy.12719), ESET-NOD32 (Win64/GenKryptik.HPZN Trojan), Kaspersky (Trojan.Win64.Agent.smfzdt), Full List (VirusTotal) |
| Symptoms | Stealers are designed to infiltrate the victim's computer stealthily and remain silent, so no particular symptoms are clearly visible on an infected machine. |
| Distribution methods | Fake websites, malicious software installers. |
| Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet, additional infections, monetary loss, account hijacking. |
| Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Conclusion
Needle Stealer is a serious threat to financial accounts, online sessions, and stored credentials. By pairing a traditional stealer with a persistent malicious browser extension, it gives attackers both a one-time harvest of stored data and ongoing, real-time influence over the victim's browser - allowing them to redirect pages, replace downloads, and continue harvesting data well after the initial infection.
Victims can face identity theft, loss of cryptocurrency, account takeover, and exposure to further malware delivered through the attacker-controlled extension. The malware should be removed immediately, and all accounts and cryptocurrency funds should be secured from a clean device.
More examples of stealers are NWHStealer, OmniStealer, and Storm.
How did Needle Stealer infiltrate my computer?
Malwarebytes researchers documented Needle Stealer being distributed through a site called TradingClaw (tradingclaw[.]pro), which presented itself as a free AI trading tool for TradingView users. The site offered a "Download for Windows" button and used selective redirects (cloaking): regular visitors were served the malicious installer, while search engine crawlers were redirected to an unrelated decoy page, which keeps the malicious content out of search indexes and scanner caches. Victims who ran the downloaded application unknowingly triggered a chain that used DLL hijacking and process hollowing to silently inject the stealer into a legitimate Windows process.
Needle Stealer is also delivered as a follow-on payload by other malware loaders, including Amadey, GCleaner, and CountLoader/DeepLoad, meaning victims do not need to have visited the TradingClaw site to become infected. More broadly, malware of this kind reaches victims through phishing emails with malicious attachments, fake software download pages, malvertising, pirated content, and software cracks from untrustworthy sources.
How to avoid installation of malware?
Be cautious about software downloaded from unfamiliar websites, especially tools promoted through trading forums, social media, or YouTube videos. Only download applications from official developer websites or verified storefronts. Avoid pirated software, key generators, and activation cracks, as these are a common vehicle for hidden malware. Keep your operating system and all installed applications updated, since attackers regularly exploit known vulnerabilities in outdated software.
Do not click on links or open attachments in unexpected emails or messages, even when the sender looks familiar. Be wary of browser notifications from sites you do not fully trust, and use a reputable security application that provides real-time protection. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
Fake trading website (TradingClaw) used to distribute Needle Stealer (source: malwarebytes.com):

How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.
If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. While the computer is starting, press the F8 key on your keyboard repeatedly until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.

Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options; in the opened "General PC Settings" window, select Advanced startup.
Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".
Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".
In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.
Frequently Asked Questions (FAQ)
My computer is infected with Needle Stealer malware, should I format my storage device to get rid of it?
Formatting will remove Needle Stealer, but it also erases every file on the drive. Running a reputable security tool like Combo Cleaner first is the safer choice in most cases. Neither option recovers what was already sent to the attacker's server, so change passwords and move cryptocurrency funds from a clean device regardless of how you clean the infected one.
What are the biggest issues that Needle Stealer malware can cause?
Needle Stealer can steal saved passwords, session cookies, and cryptocurrency wallet files, while its malicious browser extension gives attackers the ability to redirect pages and replace downloads in real time. This can result in account takeover, identity theft, and irreversible loss of cryptocurrency funds.
What is the purpose of Needle Stealer malware?
The purpose of Needle Stealer is to steal sensitive data from infected computers, including browser credentials, cryptocurrency wallet files, and messaging app data, while also giving attackers persistent, real-time browser control through a malicious extension it installs.
How did Needle Stealer malware infiltrate my computer?
Needle Stealer has been spread through TradingClaw, a fake AI trading website that offered a malicious Windows installer. It can also arrive as a follow-on payload dropped by other malware loaders, including Amadey, GCleaner, and CountLoader/DeepLoad.
Will Combo Cleaner protect me from malware?
Yes. Combo Cleaner can detect and remove most known malware. Because threats like Needle Stealer may place components in less obvious locations, running a full system scan gives the best chance of a complete cleanup.
Tomas Meskauskas
Expert security researcher, professional malware analyst
I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.