
Arcane Stealer Spreads Through YouTube, Targeting VPN and Browser Credentials


A new malware campaign has been uncovered in which the Arcane stealer is distributed through YouTube videos promoting game cheats.

This campaign, which began before the emergence of Arcane, initially used a different stealer known as VGS, a variant of the Phemedrone Trojan.

However, by the end of 2024, Arcane had replaced VGS, marking a significant shift in the tactics used by cybercriminals to spread malware.

Distribution and Functionality

The Arcane stealer is distributed via YouTube videos that link to password-protected archives.

[Image: Arcane logo]

Once unpacked, these archives contain a batch file that downloads additional malware using PowerShell, while also disabling Windows SmartScreen to evade detection.

The stealer itself is highly versatile, capable of extracting credentials from a wide range of applications, including VPN clients like OpenVPN, NordVPN, and ExpressVPN, as well as browser data from Chromium and Gecko-based browsers.

It also targets network utilities such as ngrok and FileZilla, and even collects system information and screenshots of the infected device.

Arcane’s ability to steal browser credentials is particularly noteworthy.

According to the SecureList Report, it uses the Data Protection API (DPAPI) to obtain encryption keys for sensitive data stored by browsers.

Additionally, it employs the Xaitax utility to crack browser keys, allowing it to access encrypted data.

For Chromium-based browsers, Arcane can also extract cookies by secretly launching a browser instance with remote debugging enabled, then connecting to the debug port to request cookies from specific websites.
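The two host-side behaviours described above (a batch file spawning PowerShell that turns SmartScreen off, and a Chromium-based browser being started with remote debugging enabled) are both visible in ordinary process-creation telemetry. The following detection logic is an added example written for this article, not code from Securelist or from the Arcane campaign. The event records are constructed, Sysmon-style dictionaries; the `arcane.exe` and `loader.bat` paths are placeholders; the `--remote-debugging-port` switch is Chromium's real flag, while the assumption that SmartScreen is switched off through the `SmartScreenEnabled` registry value is the author's, since the article does not say how the batch file does it.

```python
"""Flag process-creation events matching the Arcane delivery and
cookie-collection behaviours described in the article.

Rules (added example, not the campaign's or Securelist's own code):
  1. PowerShell launched from cmd.exe whose command line sets the
     SmartScreenEnabled value to Off  (assumed disable method).
  2. A Chromium-based browser started with --remote-debugging-port,
     with an extra flag when the parent is not a browser or Explorer.
"""
import re

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
BENIGN_BROWSER_PARENTS = CHROMIUM_BROWSERS | {"explorer.exe"}

# Assumption: SmartScreen is turned off by writing "Off" to the
# Explorer\SmartScreenEnabled registry value (via reg.exe or PowerShell).
SMARTSCREEN_OFF = re.compile(r"smartscreenenabled\b.*\boff\b", re.IGNORECASE)
# Real Chromium switch that opens the DevTools protocol port.
DEBUG_FLAG = re.compile(r"--remote-debugging-port(?:=|\s)", re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\cheat\loader.bat"'},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r"powershell.exe -NoProfile -WindowStyle Hidden -Command Set-ItemProperty "
                 r"-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' "
                 r"-Name SmartScreenEnabled -Value Off")},
    {"pid": 5010, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\arcane.exe",  # placeholder
     "cmdline": (r'"chrome.exe" --headless --remote-debugging-port=9222 '
                 r'--user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"')},
    {"pid": 5222, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"chrome.exe" --profile-directory=Default'},  # normal user launch
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) tuples for events matching either rule."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmdline = ev["cmdline"]

        # Rule 1: batch file -> cmd.exe -> PowerShell that turns SmartScreen off.
        if image == "powershell.exe" and parent == "cmd.exe" and SMARTSCREEN_OFF.search(cmdline):
            findings.append((ev["pid"], "smartscreen_disable_via_batch"))

        # Rule 2: Chromium browser started with the DevTools port open.
        if image in CHROMIUM_BROWSERS and DEBUG_FLAG.search(cmdline):
            reason = "browser_remote_debugging"
            if parent not in BENIGN_BROWSER_PARENTS:
                reason += "_unusual_parent"  # launched by a non-browser process
            findings.append((ev["pid"], reason))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid={pid} {reason}")
```

Developers legitimately start Chromium with `--remote-debugging-port`, so the parent-process qualifier is what separates a tooling launch from a browser spawned by a stealer; in production the "unusual parent" variant is the one worth alerting on, and the plain variant is better kept as a hunting signal.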

Evolution and Impact

Following the discovery of Arcane, a new loader called ArcanaLoader emerged, which is advertised on YouTube channels and linked to a Discord server.

[Image: Discord server invitation]

This loader promises to download popular cracks and cheats but actually delivers malware, including the Arcane stealer.

The campaign primarily targets Russian-speaking users, with most infections reported in Russia, Belarus, and Kazakhstan.

The flexibility and adaptability of these cybercriminals highlight the ongoing threat posed by malware distributed through seemingly innocuous channels like YouTube videos promoting game cheats.

To mitigate these risks, users are advised to be cautious of suspicious software promotions and to use robust security software capable of detecting evolving malware threats.

The Arcane stealer’s ability to collect a broad range of sensitive data underscores the importance of vigilance in the face of increasingly sophisticated cyber threats.
