Cybercriminals Exploit YouTube and Discord to Distribute Credential-Stealing Malware

A newly uncovered cyberattack campaign is exploiting the enthusiasm of gamers for unique indie titles to distribute credential-stealing malware. Cybercriminals are promoting fictitious games such as Baruda Quest, Warstorm Fire, and Dire Talon through polished YouTube trailers and Discord download links that mimic legitimate early-access promotions.

These deceptive promotions lead users to download Electron-based executables exceeding 80 MB in size. The substantial file size helps the malware evade casual scrutiny while bundling the Node.js runtime necessary to execute the malicious code.

Upon clicking the Discord-hosted file, the installer initiates a Nullsoft Scriptable Install System (NSIS) package that discreetly extracts an `app.asar` archive containing the stealer’s JavaScript payload. Analysts from Acronis have observed that, in some instances, the operators neglected to remove readable source code from this archive, providing defenders with a rare, unobfuscated view of their tactics and code lineage, which traces back to the Fewer Stealer family.

Within this campaign, researchers have identified three active variants of the malware: Leet Stealer, its customized fork RMC Stealer, and an apparently independent strain dubbed Sniffer Stealer.

If the malware executes successfully, it can siphon browser passwords, cookies, Discord tokens, cryptocurrency wallet files, and session keys for platforms like Steam and Telegram. Victims face risks such as account takeovers, financial loss, and potential blackmail.

One example of the deceptive tactics employed is a spoofed download portal that redirects Android and macOS users to the legitimate social game Club Cooee, while serving Windows users a weaponized `.exe` file. This illustrates how convincingly the operators blend real and fake assets to broaden their reach.

Infection Mechanism: Sandbox Detection and Silent Browsers

Each malware sample first verifies that it is not executing within a security sandbox. Hard-coded blacklists flag virtual environments such as Hyper-V and VirtualBox, as well as low-RAM hosts. If any of these conditions are met, the malware displays a fake game error dialog and terminates the process, allowing it to masquerade as a faulty beta build while frustrating automated analysis.

The critical logic for this check involves executing a command to retrieve the name of the video controller and comparing it against a list of blacklisted GPUs. If a match is found, the malware triggers a fake error and aborts execution; otherwise, it proceeds to launch the stealer.

Once these checks are passed, the malware spawns the victim’s own Chrome-family browser in headless debug mode, directing it to `https://mail.google.com` while exposing a remote-debugging port. Through this port, the script extracts fresh cookies and autofill data directly from live memory, bypassing disk-level encryption and locked files.

The collected artifacts are compressed and uploaded to `gofile.io`. Fallback hosts such as `file.io`, `catbox.moe`, and `tmpfiles.org` ensure data exfiltration even if one service is blocked. A separate thread forwards the resulting download URL to the attacker’s command-and-control server, along with harvested Discord tokens, providing immediate, full-session access to victims’ chat histories and social graphs.
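Detection logic for the two behaviours just described, as an added example that is not code from the article or from Acronis: it walks constructed Sysmon-like telemetry and flags a Chrome-family browser launched headless with a DevTools remote-debugging port by a non-browser parent, and any connection from the suspect process to the named drop hosts. The `--headless` and `--remote-debugging-port` switches, the victim paths and the event records are assumptions, not values taken from the campaign.

```python
"""Added detection example (not the article's or Acronis' code). Walks
constructed Sysmon-like telemetry and flags a headless, debug-port browser
launch by a non-browser parent and uploads to the named drop hosts."""
import re

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe"}
EXFIL_HOSTS = {"gofile.io", "file.io", "catbox.moe", "tmpfiles.org"}  # from the article
DEBUG_SWITCHES = {"--headless", "--remote-debugging-port"}  # assumed Chromium switches

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _debug_launch(ev):
    """Browser started headless with a debug port by something that is not a browser."""
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    if image not in CHROMIUM_BROWSERS or parent in CHROMIUM_BROWSERS:
        return None  # not a browser, or a normal renderer/GPU child of the browser
    switches = set(re.findall(r"--[\w-]+", ev["cmdline"].lower()))
    if DEBUG_SWITCHES <= switches:
        return f"headless DevTools launch of {image} by {parent}"
    return None

def _exfil_upload(ev):
    """Connection to a known drop host or any of its subdomains."""
    host = ev["dest_host"].lower()
    if any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS):
        return f"upload to drop host {host} from {_basename(ev['image'])}"
    return None

def triage(events):
    """Return (index, reason) for every event that matches either behaviour."""
    checks = {"process": _debug_launch, "network": _exfil_upload}
    return [(i, r) for i, ev in enumerate(events)
            if (r := checks.get(ev["type"], lambda _: None)(ev))]

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\victim\AppData\Local\Temp\Baruda Quest.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not real captures
    {"type": "process", "image": CHROME, "parent_image": DROPPER,
     "cmdline": f'"{CHROME}" --headless --remote-debugging-port=9222 https://mail.google.com'},
    {"type": "process", "image": CHROME, "parent_image": CHROME,  # benign renderer child
     "cmdline": f'"{CHROME}" --type=renderer'},
    {"type": "network", "image": DROPPER, "dest_host": "gofile.io"},
    {"type": "network", "image": CHROME, "dest_host": "www.youtube.com"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Legitimate browser automation (test frameworks, scrapers) also uses these switches, so the parent-process condition is what separates this pattern from developer tooling; tune the parent allow-list to your environment.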

By combining polished social-media marketing with technical tactics like virtual-machine-aware execution and browser-debug extraction, this campaign demonstrates how modern commodity stealers are evolving into multi-layered threats capable of outsmarting both users and automated defenses.