A newly uncovered campaign is exploiting avid gamers’ enthusiasm for off-beat indie titles to plant credential-stealing malware on their machines.
Branded installers for nonexistent video games such as “Baruda Quest,” “Warstorm Fire,” and “Dire Talon” are pushed via slick YouTube trailers and Discord download links that imitate legitimate early-access promotions.
Promotional video (Source: Acronis)
The lures are Electron-based executables weighing 80 MB or more, a size that helps them evade casual inspection while bundling the Node.js runtime needed to execute the attack code.
Once the victim clicks the Discord-hosted file, the installer launches a Nullsoft (NSIS) package that quietly extracts an app.asar archive holding the stealer’s JavaScript payload.
Acronis analysts noted that the operators often forgot to strip the readable source from this archive, giving defenders a rare, unobfuscated view of their techniques and code lineage, which traces back to the Less Stealer family.
Inside, researchers identified three active variants: Leet Stealer, its customised fork RMC Stealer, and an apparently independent strain dubbed Sniffer Stealer.
If the malware runs successfully, it can siphon browser passwords, cookies, Discord tokens, crypto-wallet files, and session keys for platforms such as Steam and Telegram; victims risk account takeovers, financial loss, and sextortion-style blackmail.
Fake website – www[.]barudaquest[.]com (Source: Acronis)
This shows one spoofed download portal that even reroutes Android and macOS clicks to the legitimate social game Club Cooee while serving Windows users a weaponised .exe, illustrating how convincingly the operators blend real and fake assets to widen their reach.
Infection Mechanism: Sandbox Detection and Silent Browsers
Every sample first verifies that it isn’t executing inside a security sandbox. Hard-coded blacklists flag Hyper-V, VirtualBox, and low-RAM hosts; matching any item triggers a fake “game error” dialog and terminates the process, a ploy that lets the malware masquerade as a faulty beta build while frustrating automated analysis.
The core logic looks like this:
const { exec } = require('child_process'); // Node.js API used to run the WMI query

// GPU names that only appear on virtual hardware
const blacklistedGPUs = [
  'VMware SVGA 3D',
  'VirtualBox Graphics Adapter'
];

// Ask WMI for the video controller name; a match means the sample is under analysis
exec('wmic path win32_VideoController get name', (err, out) => {
  if (blacklistedGPUs.some(gpu => out.includes(gpu))) {
    showFakeError();  // abort on virtual hardware: show the fake "game error" dialog and exit
  } else {
    launchStealer();  // physical host: continue with the payload
  }
});
Passing these checks, the malware spawns the victim’s own Chrome-family browser in headless debug mode, exposing a remote-debugging port.
Through that port the script extracts fresh cookies and autofill data straight from live memory, sidestepping disk-level encryption and locked files.
Collected artefacts are zipped and uploaded to gofile.io; fallback hosts such as file.io, catbox.moe, and tmpfiles.org ensure exfiltration even when one service is blocked.
A separate thread forwards the resulting download URL to the attacker’s command-and-control server along with harvested Discord tokens, providing immediate, full-session access to victims’ chat histories and social graphs.
By fusing polished social-media marketing with technical tricks like VM-aware execution and browser-debug extraction, the campaign demonstrates how modern commodity stealers are maturing into multi-layered threats that can outsmart users and automated defenses alike.
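As an added defender-side example (not code from the Acronis report or from this page), the following Python check runs over constructed process-creation records and flags a Chrome-family browser started with a remote-debugging flag, the headless switch, and a non-interactive parent process; the browser binary names, the benign-parent list and the record layout are assumptions made for the example.

```python
# Constructed process-creation events in a Sysmon-like shape (Image, ParentImage,
# CommandLine); these are sample records for this example, not data from the report.
SAMPLE_EVENTS = [
    {   # benign: user opens Chrome from the desktop
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {   # suspicious: a fake game installer drives the user's browser with DevTools exposed
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\BarudaQuest-Setup.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                       r'--headless=new --remote-debugging-port=9222 '
                       r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
    },
]

# Chrome-family binaries (assumed list) that expose the DevTools protocol with these flags.
CHROME_FAMILY = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
DEBUG_FLAGS = {"--remote-debugging-port", "--remote-debugging-pipe"}
BENIGN_PARENTS = {"explorer.exe"}  # interactive launches; extend with known automation hosts


def analyse_launch(event):
    """Return the suspicious traits of one browser launch, or [] if nothing stands out."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in CHROME_FAMILY:
        return []
    # Keep only "--flag" tokens, dropping "=value" so --headless=new matches --headless.
    flags = {tok.split("=", 1)[0].lower()
             for tok in event["CommandLine"].split() if tok.startswith("--")}
    if not flags & DEBUG_FLAGS:
        return []  # no debugging port/pipe: the in-memory cookie grab has nothing to talk to
    reasons = ["remote debugging exposed"]
    if "--headless" in flags:
        reasons.append("headless (no visible window)")
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent not in BENIGN_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def scan(events):
    """Map each flagged event's parent process to its reasons; benign events are skipped."""
    hits = {}
    for ev in events:
        reasons = analyse_launch(ev)
        if reasons:
            hits[ev["ParentImage"]] = reasons
    return hits
```

Headless alone is common for legitimate tooling, so the check only fires when a debugging port or pipe is exposed and then adds the headless and parent-process context as supporting evidence.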