YouTube Videos

A sophisticated new malware strain called “Arcane” specifically targets network utilities, VPN clients, and file transfer applications.

The malware, discovered in late 2024, is being distributed through seemingly innocent YouTube videos that promote game cheats and cracks, putting thousands of users at risk.

The campaign began with YouTube videos advertising game cheats, providing links to password-protected archives. When users extract these archives, they find a deceptive start.bat file that executes a series of harmful operations.

This batch file downloads additional malware while disabling Windows SmartScreen protection to avoid detection.

“What’s intriguing about this malware is how much it collects,” noted researchers who have been tracking the campaign.

“It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla and DynDNS.”


Initially, the campaign distributed a stealer known as VGS (a variant of Phemedrone Trojan), but by November 2024, this was replaced with the more sophisticated Arcane stealer, which should not be confused with the older “Arcane Stealer V” that circulated in 2019.

Attack Chain

Arcane is particularly concerning due to its extensive collection capabilities. The malware targets credentials and configuration data from numerous applications, with a special focus on networking tools.

Arcane Stealer Via YouTube Videos

The stealer harvests configuration files, settings, and account information from multiple VPN clients including OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN.

It also extracts data from network utilities such as ngrok, Playit, Cyberduck, FileZilla, and DynDNS.

Arcane employs sophisticated techniques to steal browser data, including utilizing the Data Protection API (DPAPI) to obtain encryption keys.

It also uses the Xaitax utility to crack browser keys and implements a unique method to extract cookies through a debug port by secretly launching browser instances.
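The two host-side behaviours described above (a batch file turning off Windows SmartScreen before fetching further payloads, and a browser being launched with a remote-debugging port so cookies can be pulled through it) both leave traces in process-creation telemetry. The following detector is an added example, not code from the article or from the researchers it cites; the event format, field names, and sample events are constructed here, and the registry value names (`SmartScreenEnabled`, `EnableWebContentEvaluation`) and the Chromium `--remote-debugging-port` switch are the real ones a defender would key on. Map the fields onto your own Sysmon or EDR data.

```python
"""
Added example (not from the article): flag process-creation events that show
SmartScreen being switched off or a browser started with a remote-debugging port.
The ProcessEvent shape and SAMPLE_EVENTS below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process (constructed field name)
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Registry values that gate SmartScreen; a write of "Off" (REG_SZ) or 0 (REG_DWORD)
# to either is the tell. A plain "reg query" of the same value does not match.
SMARTSCREEN_PATTERN = re.compile(
    r"(SmartScreenEnabled|EnableWebContentEvaluation)\b.*?(\bOff\b|\b0\b)",
    re.IGNORECASE,
)

# Chromium-based browsers and the switch that opens the DevTools protocol port.
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe")
DEBUG_PORT_PATTERN = re.compile(r"--remote-debugging-port=\d+", re.IGNORECASE)

# Parents from which a user or developer plausibly starts a debug-enabled browser.
EXPECTED_BROWSER_PARENTS = ("explorer.exe",)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: ProcessEvent) -> list[str]:
    """Return the list of finding names that apply to one event (empty if benign)."""
    findings: list[str] = []
    cmd = event.command_line
    if SMARTSCREEN_PATTERN.search(cmd):
        findings.append("smartscreen_disable")
    if _basename(event.image) in BROWSERS and DEBUG_PORT_PATTERN.search(cmd):
        # A browser opened with a debug port by something other than the user's
        # shell (here: a freshly downloaded executable) is what warrants a look.
        if _basename(event.parent_image) not in EXPECTED_BROWSER_PARENTS:
            findings.append("browser_remote_debug_port")
    return findings


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample telemetry: two suspicious events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\reg.exe",
        command_line=r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" '
                     r'/v SmartScreenEnabled /t REG_SZ /d Off /f',
    ),
    ProcessEvent(
        parent_image=r"C:\Users\u\AppData\Local\Temp\ArcanaLoader.exe",  # constructed path
        image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        command_line=r'"chrome.exe" --headless --remote-debugging-port=9222 '
                     r'--user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        command_line=r'"chrome.exe" --profile-directory=Default',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\reg.exe",
        command_line=r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" '
                     r'/v SmartScreenEnabled',
    ),
]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index].image, findings)
```

Run it as-is and the first two sample events are flagged while the read-only `reg query` and the ordinary browser start are not. The parent-process allowlist is deliberately narrow; tune it to the shells and launchers that legitimately start debug-enabled browsers in your environment rather than widening the regexes.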

In recent months, the threat actors have evolved their distribution strategy. Rather than directly promoting game cheats, they now advertise a program called “ArcanaLoader” with a graphical user interface that claims to provide popular cracks and cheats.

The loader is promoted on the attackers’ YouTube channels, with links to download it.

Looking for Bloggers to promote

The malicious actors have even established a Discord server where they post news and support information, while also recruiting bloggers to help spread their malware.

“Sadly, the main ArcanaLoader executable contained the aforementioned Arcane stealer,” researchers confirmed.

Based on the language used in Discord conversations and YouTube videos, as well as telemetry data, researchers believe the attackers are primarily targeting Russian-speaking users.

Most victims have been detected in Russia, Belarus, and Kazakhstan.

Security experts advise users to be extremely cautious when downloading supposed game cheats or cracks from YouTube videos, particularly those that require extracting password-protected archives or running batch files.

Arcane’s sophisticated data collection capabilities pose a significant threat to personal and potentially corporate network security.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.