New Malware Campaign Exploits YouTube and Discord to Steal Credentials

A recently discovered malware campaign is targeting gamers by promoting fake indie games to install credential-stealing malware on their computers. The attackers use branded installers for non-existent titles like “Baruda Quest,” “Warstorm Fire,” and “Dire Talon,” which are advertised through polished YouTube trailers and Discord download links that mimic legitimate early-access promotions.


These lures contain Electron-based executables over 80 MB in size, allowing them to evade casual scrutiny while bundling the necessary Node.js runtime to execute the malicious code. When victims click on the Discord-hosted file, the installer runs a Nullsoft (NSIS) package that extracts an app.asar archive containing the malware's JavaScript payload.
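
For triage, the app.asar archive described above can be inspected statically. The following added example (not from the original article or from Acronis) parses the ASAR header to list the bundled files and the Electron entry point without executing anything; the function names and the sample archive are constructed for illustration.

```javascript
// ASAR layout: [u32 4][u32 headerSize][u32 payloadSize][u32 jsonLen][JSON index][pad][file data]
function parseAsar(buf) {
  if (buf.length < 16 || buf.readUInt32LE(0) !== 4) throw new Error('not an ASAR archive');
  const headerSize = buf.readUInt32LE(4);   // size of the header pickle
  const jsonLen = buf.readUInt32LE(12);     // length of the JSON index
  const dataStart = 8 + headerSize;         // entry offsets are relative to this
  if (dataStart > buf.length || jsonLen > headerSize - 8) throw new Error('corrupt header');
  const index = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  const entries = [];
  (function walk(node, prefix) {
    for (const [name, info] of Object.entries(node.files || {})) {
      const path = prefix + name;
      if (info.files) { walk(info, path + '/'); continue; }          // directory
      if (info.link || info.unpacked) { entries.push({ path, data: null }); continue; }
      const start = dataStart + Number(info.offset);                 // offset is a string
      const end = start + info.size;
      if (!Number.isSafeInteger(end) || start < dataStart || end < start || end > buf.length)
        throw new Error('entry out of bounds: ' + path);
      entries.push({ path, data: buf.subarray(start, end) });
    }
  })(index, '');
  return entries;
}

// Triage summary: where execution starts and which scripts to review first.
function triage(buf) {
  const entries = parseAsar(buf);
  const pkg = entries.find((e) => e.path === 'package.json' && e.data);
  const main = pkg ? JSON.parse(pkg.data.toString('utf8')).main || 'index.js' : null;
  return { main, scripts: entries.filter((e) => /\.[cm]?js$/.test(e.path)).map((e) => e.path) };
}

// Constructed sample archive with benign placeholder content, so the example runs offline.
function buildSampleAsar() {
  const pkg = Buffer.from('{"name":"sample","main":"src/main.js"}');
  const main = Buffer.from('console.log("placeholder");');
  const json = Buffer.from(JSON.stringify({ files: {
    'package.json': { size: pkg.length, offset: '0' },
    src: { files: { 'main.js': { size: main.length, offset: String(pkg.length) } } },
  } }));
  const padded = Math.ceil(json.length / 4) * 4;   // pickle payloads are 4-byte aligned
  const head = Buffer.alloc(16 + padded);
  head.writeUInt32LE(4, 0);
  head.writeUInt32LE(8 + padded, 4);               // header pickle size
  head.writeUInt32LE(4 + padded, 8);               // header pickle payload size
  head.writeUInt32LE(json.length, 12);
  json.copy(head, 16);
  return Buffer.concat([head, pkg, main]);
}
```

On a real sample, pass the bytes of the extracted archive, for example `triage(require('fs').readFileSync('app.asar'))`, and review the reported `main` script first.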


Acronis analysts found that the operators occasionally left the readable source code intact, providing insights into their tactics and revealing connections to the Fewer Stealer family. Researchers identified three active variants: Leet Stealer, its customized fork RMC Stealer, and an independent strain called Sniffer Stealer.