Arcane Stealer Malware: YouTube Game Cheat Downloads Steal Browser Data, Crypto Wallets

22nd March 2025, Kathmandu 

Arcane stealer malware uses YouTube game cheat videos to infect users, stealing browser data, system info, and app credentials. Stay informed and protected.

Arcane Stealer Malware

Discovered by Kaspersky, the malware is part of a sophisticated campaign that has evolved over time, leveraging deceptive tactics to infect victims and steal sensitive data.

How the Attack Works

The campaign begins with YouTube videos offering game cheats, accompanied by links to password-protected archives. Once downloaded and unpacked, the archive contains a start.bat batch file that uses PowerShell to retrieve another archive. This second archive includes two executables:

A cryptocurrency miner.

A stealer malware (initially a variant of Phemedrone Stealer, rebranded as VGS, and later replaced by Arcane).

The batch file also disables Windows SmartScreen protections and adds exceptions for drive root folders, ensuring the malware operates undetected.

Arcane Stealer: A Data-Hungry Threat

Arcane is a highly capable stealer malware designed to harvest a wide range of sensitive information, including:

Browser Data: Logins, passwords, credit card details, cookies, and tokens from Chromium- and Gecko-based browsers.

System Information: OS version, activation keys, hardware details, and installed software.

Application Data: Credentials and configuration files from VPN clients, network utilities, messaging apps, email clients, gaming platforms, and crypto-wallets.

Additional Data: Screenshots, running processes, saved Wi-Fi networks, and their passwords.

Arcane employs advanced techniques to extract encrypted browser data, including:

Using the Data Protection API (DPAPI) to decrypt sensitive information.

Leveraging the Xaitax utility to crack browser encryption keys.

Exploiting Chromium-based browsers through a debug port to extract cookies.

Evolution of the Campaign

The campaign has evolved significantly since its inception:

Initially, the attackers distributed VGS, a rebranded version of Phemedrone Stealer.

By November 2024, VGS was replaced by Arcane, a more sophisticated stealer with regular updates and enhanced capabilities.

Recently, the threat actors introduced ArcanaLoader, a loader disguised as a tool for downloading game cheats and cracks. Instead, it delivers the Arcane stealer to victims.

Primary Targets

The campaign primarily targets users in Russia, Belarus, and Kazakhstan, with YouTube serving as the main distribution channel. The attackers’ ability to adapt their tools and methods highlights their flexibility and persistence.

Why This Matters

Arcane’s extensive data collection capabilities and its distribution through popular platforms like YouTube make it a significant threat. The malware’s ability to evade detection and target a wide range of applications underscores the need for heightened vigilance among users and organizations.

Kaspersky’s Insights

“What’s interesting about this campaign is how flexible cybercriminals are, always updating their tools and distribution methods,” Kaspersky noted. “Arcane is fascinating because of the sheer volume of data it collects and the innovative techniques it uses to extract information.”

How to Stay Protected

Avoid downloading files from untrusted sources, especially links shared in YouTube videos.

Keep software and antivirus programs up to date.

Enable and maintain Windows SmartScreen and other security features.

Regularly monitor for unusual system activity or unauthorized changes.
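One way to turn the last two recommendations into a concrete check is to look for the host changes the article attributes to the campaign: SmartScreen switched off, exclusions added for drive root folders, and a Chromium browser running with a debug port. The script below is an added example, not code from the article or from Kaspersky's report; it assumes Windows 10/11 with Microsoft Defender, the Explorer-level SmartScreenEnabled registry value, and an elevated PowerShell session. Other antivirus products expose their exclusion lists differently.

```powershell
# Added example: hunt for the tampering described in the article.
# Assumes Windows 10/11 with Microsoft Defender; run from an elevated PowerShell.

function Test-SmartScreenEnabled {
    # Explorer-level setting: 'RequireAdmin' or 'Warn' means on, 'Off' means disabled.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $value = (Get-ItemProperty -Path $explorer -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
    # Group Policy can also force SmartScreen off with EnableSmartScreen = 0.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $policy = (Get-ItemProperty -Path $policyKey -Name EnableSmartScreen -ErrorAction SilentlyContinue).EnableSmartScreen
    return -not ($value -eq 'Off' -or $policy -eq 0)
}

function Get-DriveRootExclusions {
    # A Defender path exclusion that covers a whole drive ("C:" or "C:\") matches the
    # "exceptions for drive root folders" the start.bat file is reported to add.
    $exclusions = (Get-MpPreference).ExclusionPath
    return @($exclusions | Where-Object { $_ -match '^[A-Za-z]:\\?$' })
}

function Get-DebugPortBrowsers {
    # A Chromium browser started with a remote debugging port exposes cookies and
    # sessions to any local process; interactive users almost never launch it this way.
    $browsers = 'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe'
    Get-CimInstance Win32_Process |
        Where-Object { $browsers -contains $_.Name -and $_.CommandLine -match '--remote-debugging-(port|pipe)' } |
        Select-Object ProcessId, Name, CommandLine
}

# Report each indicator separately so the output maps back to one step of the attack chain.
$findings = 0
if (-not (Test-SmartScreenEnabled)) {
    Write-Warning 'SmartScreen is disabled (matches the start.bat behaviour described in the report).'
    $findings++
}
$rootExclusions = Get-DriveRootExclusions
if ($rootExclusions.Count -gt 0) {
    Write-Warning "Defender path exclusions on drive roots: $($rootExclusions -join ', ')"
    $findings++
}
$debugBrowsers = Get-DebugPortBrowsers
if ($debugBrowsers) {
    Write-Warning 'Browser process running with a remote debugging port:'
    $debugBrowsers | Format-Table -AutoSize
    $findings++
}
if ($findings -eq 0) { 'No indicators from the Arcane campaign found on this host.' }
```

Any warning here is a lead to investigate, not proof of infection: an administrator may have excluded a drive deliberately, and developers sometimes run a browser with a debug port on purpose.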

For more: Arcane Stealer Malware

