Branded installers for nonexistent games such as “Baruda Quest,” “Warstorm Fire,” and “Dire Talon” are pushed through slick YouTube trailers and Discord download links that imitate legitimate early-access promotions. One spoofed download portal even reroutes Android and macOS clicks to the legitimate social game Club Cooee while serving Windows users a weaponised .exe, illustrating how convincingly the operators blend real and fake assets to widen their reach. The lures are Electron-based executables weighing 80 MB or more, a size that helps them evade casual inspection while bundling the Node.js runtime needed to execute the attack code.

Once the victim clicks the Discord-hosted file, the installer launches a Nullsoft (NSIS) package that quietly extracts an app.asar archive holding the stealer’s JavaScript payload. Acronis analysts noted that the operators sometimes forgot to strip the readable source from this archive, giving defenders a rare, unobfuscated view of their tactics and code lineage, which traces back to the Fewer Stealer family.

Hard-coded blacklists flag Hyper-V, VirtualBox, and low-RAM hosts; matching any item triggers a faux “game error” dialog and terminates the process, a ploy that lets the malware masquerade as a faulty beta build while frustrating automated analysis. The GPU check is visible in the recovered source (the fragment is cut off in the article):

```javascript
// VM-detection fragment from the stealer's app.asar source, as quoted in the article (truncated there)
const blacklistedGPUs = [
  'VMware SVGA 3D',
  'VirtualBox Graphics Adapter'
];
exec('wmic path win32_VideoController get name', (err, out) => {
  if (blacklistedGPUs.some(gpu => out.
```

Passing these checks, the malware spawns the victim’s own Chrome-family browser in headless debug mode, exposing a remote-debugging port. Through that port the script extracts fresh cookies and autofill data directly from live memory, sidestepping disk-level encryption and locked files. A separate thread forwards the resulting download URL to the attacker’s command-and-control server together with harvested Discord tokens, providing immediate, full-session access to victims’ chat histories and social graphs.

If the malware runs successfully, it can siphon browser passwords, cookies, Discord tokens, crypto-wallet files, and session keys for platforms like Steam and Telegram; victims risk account takeovers, financial loss, and sextortion-style blackmail. By fusing polished social-media marketing with technical tricks like VM-aware execution and browser-debug extraction, the campaign demonstrates how modern commodity stealers are maturing into multi-layered threats that can outsmart both users and automated defenses alike.
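The headless remote-debugging launch described above leaves a distinctive process-creation trace: a Chromium-family browser started with `--remote-debugging-port`, often headless, with the real user profile loaded, and a parent that is neither the shell nor a developer tool. The scoring below is an added detection example written for this article, not code from the report or the malware; the Sysmon-style events, process names and the threshold are constructed for illustration.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                r'--remote-debugging-port=9222 --user-data-dir="C:\Users\v\AppData\Local\Google\Chrome\User Data"',
     "parent_image": r"C:\Users\v\AppData\Local\Programs\fake-game\Game Launcher.exe"},
    {"pid": 4130, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4140, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222',
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
]

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)
HEADLESS_FLAG = re.compile(r"--headless\b", re.IGNORECASE)
USER_DATA_FLAG = re.compile(r"--user-data-dir=", re.IGNORECASE)
# Parents that legitimately launch a debug-enabled browser (dev tooling); tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "code.exe", "node.exe", "devenv.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one event; score 0 means nothing to report."""
    if basename(ev["image"]) not in CHROMIUM_BROWSERS or not DEBUG_FLAG.search(ev["cmdline"]):
        return 0, []
    score, reasons = 1, ["remote debugging port exposed"]
    if HEADLESS_FLAG.search(ev["cmdline"]):
        score += 1
        reasons.append("headless mode")
    if USER_DATA_FLAG.search(ev["cmdline"]):
        score += 1
        reasons.append("existing profile loaded (cookies/autofill in scope)")
    parent = basename(ev["parent_image"])
    if parent not in EXPECTED_PARENTS:
        score += 2
        reasons.append(f"unexpected parent {parent}")
    return score, reasons


def find_suspicious(events, threshold=3):
    """Events at or above the threshold; a lone debug flag from a dev tool stays below it."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits
```

Developers do start Chrome with a debugging port, so the parent-process check carries most of the weight; a headless launch of the user's real profile from a freshly installed game binary is the combination worth alerting on.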
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 08:20:15 +0000