Pulse: LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History
TLP: WHITE | Author: AlienVault | Created: 2025-11-07 | Modified: 2025-12-07
9 IOCs | Low volume
A new two-stage malware pair, LeakyInjector and LeakyStealer, has been identified; it targets cryptocurrency wallets and browser history. LeakyInjector performs its injection through low-level APIs to avoid detection and injects LeakyStealer into explorer.exe. LeakyStealer implements a polymorphic engine that modifies its own memory region at runtime. Both stages were signed with valid Extended Validation certificates. The malware performs reconnaissance on infected machines, targets multiple crypto wallets including browser extensions, and searches for browser history files from various browsers. It establishes persistence through registry manipulation and beacons to its C2 server at regular intervals. It exfiltrates sensitive data and can execute additional commands received from the C2 server.
Indicators of Compromise (2 / 9 total)
TYPE          INDICATOR                          DESCRIPTION   CREATED
FileHash-MD5  6e81a3dd21518b8436319fb59801b720   (none)        2025-11-07
FileHash-MD5  85a42f527518ec7b089d9c130c0348d5   (none)        2025-11-07