A newly uncovered campaign is exploiting gamers\u2019 enthusiasm for off-beat indie titles to plant credential-stealing malware on machines.<\/p>\n
Branded installers for nonexistent games such as \u201cBaruda Quest,\u201d \u201cWarstorm Fire,\u201d and \u201cDire Talon\u201d are pushed through slick YouTube trailers and Discord download links that imitate legitimate early-access promotions.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj50IFYpxKQkgKu9BXKeSFCsYyvRD-SBQ6cy7b0eFgSgpDDTK2cEcsvO_8m2ldwB9RQIo_-mlnb47orgujx8fKXYby5ZbWGOgp-vAV_uCpQtiLyCKBtoMYiRrY7l_vGv8dUSte2yfyI1rpjgY3yy2N5R1e0SJZwL9FG7XxtTX0Qgabz3LbLswbKrYUL3mU\/s16000\/Promotional%2520video%2520%28Source%2520-%2520Acronis%29.webp?ssl=1\")
The lures contain Electron-based executables weighing 80 MB or more, a size that helps them evade casual inspection while bundling the Node.js runtime needed to execute the attack code.<\/p>\n
Once the victim clicks the Discord-hosted file, the installer launches a Nullsoft (NSIS) package that quietly extracts an Acronis analysts noted<\/a> that the operators sometimes forgot to strip the readable source from this archive, giving defenders a rare, unobfuscated view of their tactics and code lineage, which traces back to the Fewer Stealer family.<\/p>\n Inside, researchers identified three active variants\u2014Leet Stealer, its customised fork RMC Stealer, and an apparently independent strain dubbed Sniffer Stealer.<\/p>\n If the malware runs successfully, it can siphon browser passwords, cookies, Discord tokens, crypto-wallet files, and session keys for platforms like Steam and Telegram; victims risk account takeovers, financial loss, and sextortion-style blackmail.<\/p>\n This shows one spoofed download portal that even reroutes Android and macOS clicks to the legitimate social game<\/a> Club Cooee while serving Windows users a weaponised Every sample first verifies that it is not executing inside a security sandbox<\/a>. Hard-coded blacklists flag Hyper-V, VirtualBox, and low-RAM hosts; matching any item triggers a faux \u201cgame error\u201d dialog and terminates the process, a ploy that lets the malware masquerade as a faulty beta build while frustrating automated analysis.<\/p>\n The critical logic looks like this:-<\/p>\n Passing these checks, the malware spawns the victim\u2019s own Chrome-family browser in headless debug mode, pointing it at Through that port the script extracts fresh cookies and autofill data directly from live memory, sidestepping disk-level encryption and locked files.<\/p>\n Collected artefacts are zipped and uploaded to A separate thread forwards the resulting download URL to the attacker\u2019s command-and-control server together with harvested Discord<\/a> tokens, providing immediate, full-session access to victims\u2019 chat histories and social graphs.<\/p>\n By fusing polished social-media marketing with technical tricks like VM-aware execution and browser-debug extraction, the campaign demonstrates how modern commodity stealers are maturing into multi-layered threats that can outsmart both users and automated defenses alike.<\/p>\n Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis->\u00a0Try ANY.RUN now<\/a><\/strong><\/p>\n The post New Malware Attack Leverages YouTube Channels and Discord to Harvest Credentials from Computer<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\napp.asar<\/code> archive holding the stealer\u2019s JavaScript<\/a> payload.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhfDaB7AJNz0AnYqE8l1n5cPpmjewp-ZN4YXILYKtUSu6GMHxp4tYPFpU2a1rN90denYoZe2IeyPivauDgqyWxoYGWULzg0Kh3m3CbyLyEGBBmknQV3ElWg2I_3AfpA5RUW_tOi44ujnDWJ26jwMleWvIsGy-iyogYrbh5PKS9FOyCj-btR1qtVddtPPgk\/s16000\/Fake%2520website%2520-%2520www%255B.%255Dbarudaquest%255B.%255Dcom%2520%28Source%2520-%2520Acronis%29.webp?ssl=1\")
.exe<\/code>, illustrating how convincingly the operators blend real and fake assets to widen their reach.<\/p>\nInfection Mechanism: Sandbox Detection and Silent Browsers<\/strong><\/h2>\n
const blacklistedGPUs = [\n 'VMware SVGA 3D',\n 'VirtualBox Graphics Adapter'\n];\nexec('wmic path win32_VideoController get name', (err, out) => {\n if (blacklistedGPUs.some(gpu => out. Includes(gpu))) {\n showFakeError(); \/\/ abort on virtual hardware\n } else {\n launchStealer();\n }\n});<\/code><\/pre>\nhttps:\/\/mail.google.com<\/code> while exposing a remote-debugging port.<\/p>\ngofile.io<\/code>; fallback hosts such as file.io<\/code>, catbox.moe<\/code>, and tmpfiles.org<\/code> ensure exfiltration even if one service is blocked.<\/p>\n