New Malware Attack Leverages YouTube Channels and Discord to Harvest Credentials from Computer

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A newly uncovered campaign is exploiting gamers’ enthusiasm for off-beat indie titles to plant credential-stealing malware on machines.

Branded installers for nonexistent games such as “Baruda Quest,” “Warstorm Fire,” and “Dire Talon” are pushed through slick YouTube trailers and Discord download links that imitate legitimate early-access promotions.

Promotional video (Source – Acronis)

The lures contain Electron-based executables weighing 80 MB or more, a size that helps them evade casual inspection while bundling the Node.js runtime needed to execute the attack code.

Once the victim clicks the Discord-hosted file, the installer launches a Nullsoft (NSIS) package that quietly extracts an app.asar archive holding the stealer’s JavaScript payload.

Acronis analysts noted that the operators sometimes forgot to strip the readable source from this archive, giving defenders a rare, unobfuscated view of their tactics and code lineage, which traces back to the Fewer Stealer family.

Inside, researchers identified three active variants—Leet Stealer, its customised fork RMC Stealer, and an apparently independent strain dubbed Sniffer Stealer.

If the malware runs successfully, it can siphon browser passwords, cookies, Discord tokens, crypto-wallet files, and session keys for platforms like Steam and Telegram; victims risk account takeovers, financial loss, and sextortion-style blackmail.

Fake website – www[.]barudaquest[.]com (Source – Acronis)

The spoofed portal shown above even reroutes Android and macOS visitors to the legitimate social game Club Cooee while serving Windows users a weaponised .exe, illustrating how convincingly the operators blend real and fake assets to widen their reach.

Infection Mechanism: Sandbox Detection and Silent Browsers

Every sample first verifies that it is not executing inside a security sandbox. Hard-coded blacklists flag Hyper-V, VirtualBox, and low-RAM hosts; matching any item triggers a faux “game error” dialog and terminates the process, a ploy that lets the malware masquerade as a faulty beta build while frustrating automated analysis.

The GPU portion of that check looks like this:

const { exec } = require('child_process');

// Display-adapter names that betray a virtual machine; any hit aborts the run.
const blacklistedGPUs = [
  'VMware SVGA 3D',
  'VirtualBox Graphics Adapter'
];

// Query the display adapter through WMI. Note the error path: if wmic is
// missing (it is deprecated on current Windows builds) or fails, `out` is an
// empty string, nothing matches, and the check fails open into launchStealer().
exec('wmic path win32_VideoController get name', (err, out) => {
  if (blacklistedGPUs.some(gpu => out.includes(gpu))) {
    showFakeError(); // abort on virtual hardware behind a fake "game error" dialog
  } else {
    launchStealer(); // real hardware: proceed with credential theft
  }
});
// showFakeError() and launchStealer() are the stealer's own routines (not shown).

Once those checks pass, the malware spawns the victim’s own Chrome-family browser in headless mode, pointing it at https://mail.google.com and enabling a remote-debugging port.

Through that port, the Chrome DevTools Protocol endpoint, the script asks the running browser for its cookies and autofill data; because the browser hands them over already decrypted, the stealer never has to touch the locked, encrypted profile databases on disk.
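As an added example, not code from the Acronis report or from the stealer itself, the following Node.js heuristic scores browser launches for the pattern described above: a Chrome-family binary started headless with a DevTools remote-debugging port, pointed at mail.google.com, by a parent that is neither a shell nor the browser itself. The process records are constructed sample data, and the binary names, benign-parent list, weights and threshold are assumptions to tune for your own environment.

```javascript
'use strict';

// Added example (not the stealer's code and not from the Acronis write-up):
// flag browser launches that match the headless-debug pattern in the article.
// Binary names, benign parents, weights and threshold are assumptions.
const CHROMIUM_BINARIES = new Set([
  'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe', 'chromium.exe',
]);
// Parents that legitimately start a browser by hand (assumption, for false-positive control).
const BENIGN_PARENTS = new Set(['explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe']);

// Split a Windows command line into tokens, honouring double quotes.
function tokenize(cmdline) {
  const tokens = [];
  let cur = '';
  let inQuote = false;
  let pending = false;
  for (const ch of cmdline) {
    if (ch === '"') { inQuote = !inQuote; pending = true; continue; }
    if (!inQuote && /\s/.test(ch)) {
      if (pending) { tokens.push(cur); cur = ''; pending = false; }
      continue;
    }
    cur += ch;
    pending = true;
  }
  if (pending) tokens.push(cur);
  return tokens;
}

function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Score one process record { pid, parent, cmdline }. Returns { score, reasons }.
function scoreBrowserLaunch(proc) {
  const tokens = tokenize(proc.cmdline);
  if (tokens.length === 0 || !CHROMIUM_BINARIES.has(basename(tokens[0]))) {
    return { score: 0, reasons: [] };
  }
  const flags = tokens.slice(1);
  const reasons = [];
  let score = 0;

  // The DevTools port is what lets the stealer read cookies out of the live browser.
  const debugFlag = flags.find((f) => /^--remote-debugging-(port|pipe)(=|$)/.test(f));
  if (debugFlag) { score += 50; reasons.push(`remote debugging enabled (${debugFlag})`); }

  // Headless: the victim never sees a window.
  if (flags.some((f) => /^--headless(=|$)/.test(f))) {
    score += 30; reasons.push('headless mode');
  }

  // Target URL from the article: the stealer points the browser at Gmail.
  const target = flags.find((f) => /^https?:\/\//i.test(f));
  if (target) {
    let host = '';
    try { host = new URL(target).hostname; } catch (e) { /* malformed URL, ignore */ }
    if (/(^|\.)mail\.google\.com$/i.test(host)) { score += 10; reasons.push(`opens ${host}`); }
  }

  // A game installer (Electron app) starting the browser is itself unusual.
  const parent = proc.parent ? basename(proc.parent) : '';
  if (parent && !BENIGN_PARENTS.has(parent) && !CHROMIUM_BINARIES.has(parent)) {
    score += 20; reasons.push(`launched by ${parent}`);
  }
  return { score, reasons };
}

function findSuspiciousLaunches(records, threshold = 60) {
  return records
    .map((r) => ({ pid: r.pid, ...scoreBrowserLaunch(r) }))
    .filter((r) => r.score >= threshold);
}

// Constructed sample records (not real telemetry); paths are made up.
const CHROME = '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"';
const SAMPLE_PROCESSES = [
  { pid: 4120, parent: 'C:\\Users\\victim\\AppData\\Local\\BarudaQuest\\Baruda Quest.exe',
    cmdline: `${CHROME} --headless=new --remote-debugging-port=9222 https://mail.google.com` },
  { pid: 5300, parent: 'C:\\Windows\\explorer.exe',
    cmdline: `${CHROME} https://mail.google.com` },
  { pid: 6012, parent: 'C:\\Windows\\System32\\cmd.exe',
    cmdline: `${CHROME} --remote-debugging-port=9222` },
  { pid: 7001, parent: 'C:\\Users\\victim\\AppData\\Local\\BarudaQuest\\Baruda Quest.exe',
    cmdline: '"C:\\Windows\\System32\\notepad.exe" readme.txt' },
];

for (const hit of findSuspiciousLaunches(SAMPLE_PROCESSES)) {
  console.log(`pid ${hit.pid} score ${hit.score}: ${hit.reasons.join('; ')}`);
}
```

Only the installer-spawned launch (pid 4120) crosses the threshold; a user opening Gmail from Explorer scores 10 and a developer starting Chrome with a debugging port from a shell scores 50. Browser-automation frameworks such as Puppeteer start headless browsers with a debugging port or pipe from node.exe, so on build agents add those parents to the benign list, or the heuristic will fire on them too.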

Collected artefacts are zipped and uploaded to gofile.io; fallback hosts such as file.io, catbox.moe, and tmpfiles.org ensure exfiltration even if one service is blocked.

A separate thread forwards the resulting download URL to the attacker’s command-and-control server together with harvested Discord tokens, providing immediate, full-session access to victims’ chat histories and social graphs.

By fusing polished social-media marketing with technical tricks such as VM-aware execution and browser-debug extraction, the campaign shows how modern commodity stealers are maturing into multi-layered threats that can outsmart users and automated defences alike.
