Cybercriminals Use YouTube to Spread Arcane Stealer Malware

by Shelley

A newly discovered malware campaign is using YouTube videos to distribute Arcane, a sophisticated data-stealing malware. This campaign exploits the popularity of gaming cheats to trick users into downloading harmful software, highlighting the evolving tactics of cybercriminals.

How Arcane Malware Spreads

Hackers use YouTube as a distribution platform by uploading videos that promote game cheats. These videos include links to password-protected archives that, once opened, install malware.

The infection process begins with a batch file that downloads additional malware components via PowerShell. To avoid detection, the script disables Windows SmartScreen by modifying registry keys and adds all drive roots to the SmartScreen filter exceptions, so files launched from any local drive are no longer checked.
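A defender-side check for the tampering described above, added here as an example and not taken from the article or the Securelist report: it reads the documented SmartScreen registry values and flags a configuration where SmartScreen has been switched off. The "expected" states are an assumption for a default workstation; the drive-root exception change the article mentions is not audited because the page does not name the key it touches.

```powershell
# Added example (not from the article): audit Windows SmartScreen settings for
# signs that a script has disabled them. Run in an elevated PowerShell session.
function Get-SmartScreenAudit {
    $findings = @()

    # Per-machine Explorer setting. The value "Off" means SmartScreen checks are disabled.
    $explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $explorer = Get-ItemProperty -Path $explorerKey -Name 'SmartScreenEnabled' -ErrorAction SilentlyContinue
    if ($null -eq $explorer) {
        $findings += [pscustomobject]@{ Setting = "$explorerKey\SmartScreenEnabled"; Value = '<not set>'; Status = 'Review' }
    } elseif ($explorer.SmartScreenEnabled -eq 'Off') {
        $findings += [pscustomobject]@{ Setting = "$explorerKey\SmartScreenEnabled"; Value = 'Off'; Status = 'TAMPERED' }
    } else {
        $findings += [pscustomobject]@{ Setting = "$explorerKey\SmartScreenEnabled"; Value = $explorer.SmartScreenEnabled; Status = 'OK' }
    }

    # Group Policy setting. A DWORD of 0 disables SmartScreen for all users by policy.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $policy = Get-ItemProperty -Path $policyKey -Name 'EnableSmartScreen' -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        $findings += [pscustomobject]@{ Setting = "$policyKey\EnableSmartScreen"; Value = '<not set>'; Status = 'OK (no policy)' }
    } elseif ($policy.EnableSmartScreen -eq 0) {
        $findings += [pscustomobject]@{ Setting = "$policyKey\EnableSmartScreen"; Value = 0; Status = 'TAMPERED' }
    } else {
        $findings += [pscustomobject]@{ Setting = "$policyKey\EnableSmartScreen"; Value = $policy.EnableSmartScreen; Status = 'OK' }
    }

    return $findings
}

$audit = Get-SmartScreenAudit
$audit | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or EDR script flag the host.
if ($audit.Status -contains 'TAMPERED') { exit 1 }
```

Because a registry write is a one-time event, this kind of periodic audit complements rather than replaces alerting on the write itself (for example, via Sysmon registry events on the keys above).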

Once the malware is fully deployed, it executes a cryptocurrency miner alongside Arcane, which then begins extracting sensitive data from the infected system.

What Arcane Steals

Arcane is designed to collect extensive user data, targeting applications like VPN clients, network utilities, and web browsers. According to the Securelist report, its primary targets include:

  • VPN clients: OpenVPN, NordVPN, and ExpressVPN.
  • Network utilities: ngrok and FileZilla.
  • Web browsers: Chromium and Gecko-based browsers.

The malware uses the Windows Data Protection API (DPAPI) and a special tool called Xaitax to crack browser encryption keys. It also abuses browser remote-debugging features to steal cookies for popular websites, including Gmail and Steam.
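Browser remote-debugging interfaces are rarely enabled on an ordinary user's machine, so a browser process running with such a flag is a useful signal for the cookie-theft technique described above. The following check is an added example, not code from the article or from the Securelist report; the list of browser executable names and the flag pattern are assumptions covering common Chromium- and Gecko-based browsers.

```powershell
# Added example (not from the article): list running browser processes whose
# command line enables a remote-debugging interface, together with the parent
# process that launched them (a non-browser parent is the suspicious case).
function Get-RemoteDebuggingBrowsers {
    # Assumed set of browser executables; extend for your environment.
    $browserNames = @('chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe', 'firefox.exe')

    # Chromium: --remote-debugging-port / --remote-debugging-pipe / --remote-allow-origins
    # Firefox:  -start-debugger-server (one or two leading dashes)
    $pattern = '--remote-debugging-port(=\d+)?|--remote-debugging-pipe|--remote-allow-origins=\S+|-{1,2}start-debugger-server(\s+\d+)?'

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $browserNames -contains $_.Name -and $_.CommandLine -match $pattern } |
        ForEach-Object {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                Flag        = [regex]::Match($_.CommandLine, $pattern).Value
                CommandLine = $_.CommandLine
            }
        }
}

$hits = @(Get-RemoteDebuggingBrowsers)
if ($hits.Count -eq 0) {
    Write-Output 'No browser processes with remote debugging enabled.'
} else {
    $hits | Format-Table ProcessId, Name, ParentName, Flag -AutoSize
    exit 1
}
```

Developers legitimately use these flags, so treat a hit as a triage lead: a browser started by `cmd.exe`, `powershell.exe` or an unknown binary shortly after a download is the pattern worth escalating, while a developer's own shell is not.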

ArcanaLoader: The Next Step in the Attack

Following the initial success of Arcane, researchers have identified an updated delivery method known as ArcanaLoader. This loader is advertised through YouTube videos and falsely promises access to game cheats and software cracks.

Once users engage with the loader, they are directed to a Discord server, where attackers provide fake support and updates. Evidence suggests that the campaign primarily targets Russian-speaking users, with most victims located in Russia, Belarus, and Kazakhstan.

Protecting Against the Threat

This campaign demonstrates how cybercriminals continuously adapt to distribute malware through trusted platforms. To avoid falling victim to these attacks, users should:

  • Be cautious when downloading software from unofficial sources.
  • Avoid clicking on suspicious YouTube links.
  • Use strong security software to detect and prevent malware infections.
  • Regularly update VPN clients and browsers to patch security vulnerabilities.

The Arcane stealer’s ability to collect vast amounts of sensitive data poses a serious threat, making it essential for users to stay vigilant online.

Copyright © 2025 Freevpnforiphone.com