
New Arcane Infostealer Targeting YouTube and Discord Users with Gaming Cheats
2025-03-19
Author: Siti
A newly unearthed malware, dubbed Arcane, is wreaking havoc by siphoning off sensitive user data, including credentials from VPNs, messaging applications, gaming platforms, and vital information stored in web browsers.
Cybersecurity firm Kaspersky has confirmed that this Arcane malware does not share any code or links with the longstanding Arcane Stealer V, which has been a persistent threat in the dark web ecosystem for several years. The malicious campaign associated with Arcane began in November 2024 and has evolved through various modifications, including changes to its primary payload.
Interestingly, all communications from the Arcane operators are in Russian, and Kaspersky's findings indicate that the majority of infections are reported from Russia, Belarus, and Kazakhstan. This is particularly striking given that many Russian threat actors typically avoid targeting users within their own country or neighboring CIS nations to circumvent potential conflicts with local law enforcement.
How Arcane Works: The Infection Chain Revealed
The distribution of Arcane Stealer is cleverly disguised within YouTube videos that promote game cheats and hacks, luring unsuspecting users into clicking links to download password-protected archives. These archives contain a heavily obfuscated 'start.bat' script that fetches another malicious password-protected archive packed with executable files.
Once downloaded, these malicious files can manipulate Windows Defender's SmartScreen filter by adding exclusions for all drive root folders or disabling the feature entirely through Windows Registry edits. Before switching to Arcane in November 2024, the attackers used a different infostealer family called VGS, a rebranded version of the Phemedrone trojan.
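As an added defender-side illustration (not code from the article or from Kaspersky), the following Python scans Sysmon-style registry-change lines for the two tampering actions described above: a Defender path exclusion that covers an entire drive root, and a SmartScreen switch set to off. The registry value names and the sample log lines are assumptions for the demo, not indicators taken from the report.

```python
import re

# Registry locations watched by the detector. They come from public Windows
# documentation, not from the article, which only says exclusions are added
# for drive roots and SmartScreen is switched off via the registry.
EXCLUSION_MARKER = "\\Windows Defender\\Exclusions\\Paths\\"
SMARTSCREEN_OFF = {
    # Policy switch: DWORD 0 turns SmartScreen off
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen": "DWORD (0x00000000)",
    # Explorer switch: the string "Off"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled": "Off",
}
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # "C:" or "C:\" and nothing else
LINE = re.compile(r"TargetObject:\s*(?P<target>.+?)\s+Details:\s*(?P<details>.+)$")

# Constructed Sysmon Event ID 13 (registry value set) style lines for the demo;
# not captured from a real infection. Line 3 is an ordinary folder exclusion
# and line 5 leaves SmartScreen on, so neither should fire.
SAMPLE_LINES = [
    r"EventType: SetValue Image: C:\Windows\System32\cmd.exe TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ Details: DWORD (0x00000000)",
    r"EventType: SetValue Image: C:\Windows\System32\cmd.exe TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\ Details: DWORD (0x00000000)",
    r"EventType: SetValue Image: C:\Windows\System32\svchost.exe TargetObject: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Games\Launcher Details: DWORD (0x00000000)",
    r"EventType: SetValue Image: C:\Windows\System32\reg.exe TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen Details: DWORD (0x00000000)",
    r"EventType: SetValue Image: C:\Windows\explorer.exe TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled Details: Warn",
]

def classify(target, details):
    """Label one registry write, or return None when it looks benign."""
    idx = target.find(EXCLUSION_MARKER)
    if idx != -1:
        excluded = target[idx + len(EXCLUSION_MARKER):]
        if DRIVE_ROOT.match(excluded):
            return ("defender_drive_root_exclusion", excluded)
        return None
    if SMARTSCREEN_OFF.get(target) == details:
        return ("smartscreen_disabled", target)
    return None

def scan(lines):
    """Parse the lines and return every suspicious write, in log order."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if m:
            finding = classify(m["target"], m["details"])
            if finding:
                findings.append(finding)
    return findings
```

Running `scan(SAMPLE_LINES)` flags the two drive-root exclusions and the policy write that disables SmartScreen, while the folder exclusion and the "Warn" value pass through untouched.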
Kaspersky has also uncovered a recent shift in distribution tactics, with a fake software downloader named ArcanaLoader emerging, which is promoted as a source for popular game cheats and hacks. This tool has been aggressively marketed on YouTube and Discord, with operators inviting content creators to endorse it for a fee.
A Data Heist of Epic Proportions
Kaspersky notes that Arcane's capacity for extensive data theft sets it apart in the crowded infostealer landscape. The malware begins by profiling the infected system, extracting critical hardware and software information, such as the OS version, CPU and GPU details, and installed antivirus solutions.
The current iteration of Arcane specifically targets sensitive information from a wide range of applications, including:
- **VPN clients**: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, ExpressVPN
- **Networking tools**: ngrok, Playit, Cyberduck, FileZilla, DynDNS
- **Messaging platforms**: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, Viber
- **Email applications**: Outlook
- **Gaming platforms**: Riot Client, Epic, Steam, Ubisoft Connect (formerly Uplay), Roblox, Battle.net, various Minecraft clients
- **Cryptocurrency wallets**: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, Coinomi
- **Web browsers**: Captures saved logins, passwords, and cookies from services such as Gmail, Google Drive, Google Photos, Steam, YouTube, Twitter, and Roblox in Chromium-based browsers.
Beyond this, Arcane can also take screenshots, potentially exposing sensitive activity on the infected computer, and retrieve saved Wi-Fi passwords.
While the malware's current focus appears to be specific, there’s a looming threat that its operators may broaden their targeting to encompass additional countries or themes.
The Devastating Aftermath of an Infostealer Infection
Infection by an infostealer like Arcane can lead to severe consequences, including financial theft, extortion, and a heightened risk of follow-on attacks. Recovery demands immense effort, as users need to systematically change passwords across every affected platform to contain the breach.
To safeguard against this growing threat, it is imperative for users to remain vigilant regarding the dangers associated with downloading unsigned or pirated software and cheat tools. The risks involved are substantial, making it essential to prioritize security over temptation. Stay cautious, stay safe!