Arcane Infostealer Infects YouTube and Discord Users Through Game Cheats

The Arcane infostealer, a new malware, is stealing data from YouTube and Discord users via game cheats, targeting VPNs, messengers, and cryptocurrency wallets. Its sophisticated methods require strong cybersecurity measures.

    A new information-stealing malware, dubbed Arcane, is actively targeting YouTube and Discord users, leveraging the popularity of game cheats and cracks to spread its malicious payload. This sophisticated malware, unrelated to the previously known “Arcane Stealer V,” is designed to steal a wide range of sensitive user data.

    Arcane Infostealer’s Data Theft Capabilities

    The Arcane infostealer’s capabilities are extensive, making it a significant threat. According to Kaspersky, the malware profiles infected systems, collecting hardware and software details, including OS version, CPU and GPU specifications, installed antivirus software, and browser information. Beyond system profiling, Arcane targets account data, settings, and configuration files from a broad spectrum of applications:

    • VPN Clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
    • Network Tools: ngrok, Playit, Cyberduck, FileZilla, DynDNS
    • Messengers: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
    • Email Clients: Outlook
    • Gaming Clients: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, various Minecraft clients
    • Cryptocurrency Wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
    • Web Browsers: Saved logins, passwords, and cookies (Gmail, Google Drive, Google Photos, Steam, YouTube, Twitter, Roblox) from Chromium-based browsers.

    Furthermore, Arcane captures screenshots and retrieves saved Wi-Fi passwords, significantly expanding its potential for data breaches.

    Arcane Infostealer’s Infection Chain and Distribution

    The Arcane infostealer’s distribution method is deceptively simple, yet highly effective. The campaign utilizes YouTube videos promoting game cheats and cracks. Users are lured into downloading password-protected archives containing a heavily obfuscated ‘start.bat’ script. This script then fetches a second password-protected archive with the malicious executables. The malware further enhances its stealth by adding exclusions to Windows Defender’s SmartScreen filter or disabling it entirely through registry modifications.
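The registry changes described above (new Windows Defender exclusions, SmartScreen switched off) are the most durable detection point in this chain, because they have to happen on the victim's machine whatever the archive password or loader name. The script below is an added example, not code from the article or from Kaspersky: it runs a small rule set over registry value-set events. It assumes the events arrive as Sysmon Event ID 13 records flattened to one `key="value"` line each (the log shape is an assumption; the registry paths are the real Defender exclusion, Explorer SmartScreen and SmartScreen policy locations) and uses constructed sample lines, not real telemetry.

```python
"""Flag registry writes that match Defender-exclusion / SmartScreen tampering."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Real registry locations, compared case-insensitively. Any value written
# under the Exclusions key (Paths, Extensions or Processes) is a new exclusion.
DEFENDER_EXCLUSIONS = "hklm\\software\\microsoft\\windows defender\\exclusions\\"
SMARTSCREEN_EXPLORER = "hklm\\software\\microsoft\\windows\\currentversion\\explorer\\smartscreenenabled"
SMARTSCREEN_POLICY = "hklm\\software\\policies\\microsoft\\windows\\system\\enablesmartscreen"

# Assumed log shape: one Sysmon Event ID 13 (RegistryEvent: value set) per
# line, rendered as space-separated key="value" fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Sysmon renders DWORD data as 'DWORD (0x00000000)'.
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


@dataclass
class Finding:
    rule: str
    image: str
    target: str


def parse_event(line: str) -> dict:
    """Turn key="value" pairs into a dict (values may contain spaces and backslashes)."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def dword_value(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x........)' rendering, else None."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def classify(event: dict) -> Optional[str]:
    """Return a rule name when a value-set event matches a tampering pattern."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    if target.startswith(DEFENDER_EXCLUSIONS):
        return "defender_exclusion_added"
    if target == SMARTSCREEN_EXPLORER and details.strip().lower() == "off":
        return "smartscreen_disabled"
    if target == SMARTSCREEN_POLICY and dword_value(details) == 0:
        return "smartscreen_disabled_by_policy"
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run every line through the rules and collect the matches in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            findings.append(Finding(rule, ev.get("Image", "?"), ev.get("TargetObject", "?")))
    return findings


# Constructed sample events (not real telemetry): two tampering writes from
# reg.exe, one policy change, and benign noise that must not fire.
SAMPLE_LOG = [
    'EventID="13" Image="C:\\Windows\\System32\\reg.exe" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\cheat" Details="DWORD (0x00000000)"',
    'EventID="13" Image="C:\\Windows\\System32\\reg.exe" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled" Details="Off"',
    'EventID="13" Image="C:\\Windows\\explorer.exe" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled" Details="Warn"',
    'EventID="12" Image="C:\\Windows\\System32\\reg.exe" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" Details=""',
    'EventID="13" Image="C:\\Windows\\System32\\reg.exe" TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen" Details="DWORD (0x00000000)"',
    'EventID="13" Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetObject="HKCU\\SOFTWARE\\Google\\Chrome\\LastRun" Details="QWORD (0x00000000-0x00000001)"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:32} {f.image} -> {f.target}")
```

Each finding carries the writing process, which matters in triage: a `reg.exe` launched from a batch file in a user's download folder writing an exclusion is a very different signal from a management agent doing the same under a policy rollout, so the `image` field is what an analyst should pivot on before raising the alert.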

    Initially, the attackers used the VGS malware family (a rebranded Phemedrone trojan), but transitioned to Arcane in November 2024. Recent changes include the use of a fake software downloader, “ArcanaLoader,” heavily promoted on YouTube and Discord. Kaspersky’s research even uncovered attempts by the operators to recruit YouTube creators to promote ArcanaLoader on their channels for a fee.

    “Attempting to recruit YouTube creators on Discord,” notes Kaspersky’s report.

    Geographic Targeting and Implications

    The operators of the Arcane infostealer primarily communicate in Russian, and Kaspersky’s telemetry indicates most infections are concentrated in Russia, Belarus, and Kazakhstan. This is unusual, as Russian threat actors often avoid targeting their own citizens to evade detection by local authorities. However, the potential for expansion to other regions remains a significant concern.

    The consequences of Arcane infection are severe, ranging from financial fraud and extortion to further attacks. Cleaning up after such an infection requires extensive effort, including password changes across all affected accounts.

    Mitigation and Prevention

    The Arcane infostealer represents a significant threat to individuals and organizations alike. The use of game cheats and cracks as vectors underscores the importance of caution when downloading unsigned software. Avoiding such downloads is crucial to mitigating the risk of infection.
