The Arcane infostealer is a newly discovered malware that can harvest a wide range of user information.
Reports revealed that the new payload can steal account credentials and data from VPN clients, gaming clients, messaging apps, and web browsers. Despite the name, the malware has no links or code similarity to Arcane Stealer V, which has been circulating on the dark web for years.
Its campaign allegedly started in November last year and has undergone various upgrades, including primary payload substitution. All chats and public posts by its operators are in Russian, and some researchers indicate that most of its infections occur in Russia, Belarus, and Kazakhstan.
The Arcane infostealer uses YouTube videos offering game cheats to start its infection chain.
The Arcane infostealer operators distribute the malware through YouTube videos offering game hacks and cracks. This tactic lures viewers into clicking a link to download a password-protected archive.
The archive contains a heavily obfuscated ‘start.bat’ script that downloads a second password-protected bundle containing the malicious executables. These files either add a Windows Defender exclusion covering every disk root folder or disable the SmartScreen filter through Windows Registry changes.
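The two defence-evasion changes described above are straightforward to audit on a host. The following PowerShell check is an added example written for this article, not tooling from the researchers or the malware; it assumes the Defender module (Get-MpPreference) is present and that the two SmartScreen registry locations below match your Windows build, so verify both before relying on it.

```powershell
# Added audit example (not from the original article): flags Defender
# exclusions that cover an entire drive root and SmartScreen being turned off.
# Assumptions: Get-MpPreference is available and the registry paths below
# are the SmartScreen settings on this Windows build; confirm for your version.

function Test-RootDriveExclusions {
    # An exclusion for a whole drive (e.g. C:\ or D:\) is almost never
    # legitimate and matches the behaviour described in the article.
    $exclusions = (Get-MpPreference).ExclusionPath
    $hits = @()
    foreach ($path in $exclusions) {
        if ($path -match '^[A-Za-z]:\\?$') { $hits += $path }
    }
    return $hits
}

function Get-SmartScreenState {
    # Two known locations: the per-machine Explorer value ("Off"/"Warn"/"Prompt")
    # and the policy DWORD (0 = disabled). A missing value returns $null.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $state = [ordered]@{}
    $state.ExplorerSetting = (Get-ItemProperty -Path $explorer -Name SmartScreenEnabled `
        -ErrorAction SilentlyContinue).SmartScreenEnabled
    $state.PolicySetting = (Get-ItemProperty -Path $policy -Name EnableSmartScreen `
        -ErrorAction SilentlyContinue).EnableSmartScreen
    return $state
}

$rootHits = Test-RootDriveExclusions
if ($rootHits.Count -gt 0) {
    Write-Warning "Defender exclusions covering whole drives: $($rootHits -join ', ')"
}

$ss = Get-SmartScreenState
if ($ss.ExplorerSetting -eq 'Off' -or $ss.PolicySetting -eq 0) {
    Write-Warning "SmartScreen appears disabled (Explorer='$($ss.ExplorerSetting)', Policy='$($ss.PolicySetting)')"
}
```

Run it from an elevated prompt; on a clean machine both checks stay silent, and any warning is worth correlating with recent archive downloads and batch-file execution on that host.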
Previously, the attackers employed another stealer software known as VGS, a rebranded variant of the Phemedrone trojan, but they switched to Arcane in November 2024.
The researchers also discovered changes in the distribution strategy, including the use of ArcanaLoader, a bogus downloader that purports to deliver popular game cracks and cheats.
Furthermore, ArcanaLoader has received extensive promotion on YouTube and Discord, with the owners even requesting content creators to promote it on their blogs/videos for a fee.
Arcane’s extensive data theft sets it apart in the crowded infostealer industry. One of its unique traits is that it profiles the infected machine by obtaining hardware and software information such as the operating system version, CPU and GPU specifications, installed antivirus, and browsers.
The current version of the malware targets account data, settings, and configuration files in the apps related to VPN clients, network tools, messaging apps, email clients, gaming clients, cryptocurrency wallets, and web browsers.
Arcane can also take screenshots, which reveal what a user is doing on their computer, and collect wireless network credentials.
Although Arcane's targeting is specialised for now, its operators may soon broaden it to include more countries or subjects.
