Security experts advise users to be extremely cautious when downloading supposed game cheats or cracks from YouTube videos, particularly those that require extracting password-protected archives or running batch files. A new malware strain called “Arcane”, discovered in late 2024, is being distributed through seemingly innocent YouTube videos that promote game cheats and cracks, putting thousands of users at risk. The stealer specifically targets network utilities, VPN clients, and file transfer applications, and should not be confused with the older “Arcane Stealer V” that circulated in 2019.

The campaign began with YouTube videos advertising game cheats and providing links to password-protected archives. Initially it distributed a stealer known as VGS (a variant of the Phemedrone Trojan), but by November 2024 this was replaced with the more sophisticated Arcane stealer. Rather than directly promoting game cheats, the operators now advertise a program called “ArcanaLoader” with a graphical user interface that claims to provide popular cracks and cheats. “Sadly, the main ArcanaLoader executable contained the aforementioned Arcane stealer,” researchers confirmed. The malicious actors have even established a Discord server where they post news and support information, while also recruiting bloggers to help spread their malware. Based on the language used in Discord conversations and YouTube videos, as well as telemetry data, researchers believe the attackers are primarily targeting Russian-speaking users.

“What’s intriguing about this malware is how much it collects,” noted researchers who have been tracking the campaign. Arcane targets credentials and configuration data from numerous applications, with a special focus on networking tools. It employs sophisticated techniques to steal browser data, including using the Data Protection API (DPAPI) to obtain encryption keys. The stealer also harvests configuration files, settings, and account information from multiple VPN clients, including OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN. Its data collection capabilities pose a significant threat to personal and potentially corporate network security.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 13:10:21 +0000