Acronis Threat Research Unit (TRU) has uncovered an alarming cybercrime campaign exploiting the popularity of Discord and YouTube to distribute powerful infostealing malware disguised as upcoming indie games.
The operation involves a family of advanced malware, including Leet Stealer, its modified variant RMC Stealer, and the independently developed Sniffer Stealer, which collectively threaten gamers with account theft, financial loss, and privacy breaches.
Social Engineering Masquerade: Games as Bait
Attackers have weaponized social engineering, creating fraudulent websites and fake YouTube channels to promote non-existent games such as “Baruda Quest,” “Warstorm Fire,” and “Dire Talon.”
These titles mimic real or anticipated Steam releases, leveraging gaming hype and stolen branding assets to appear credible.
Distribution occurs primarily through Discord server links, where victims are encouraged to download so-called “beta installers.”
These channels are supplemented with polished promotional videos and customized web pages, many of which are in Portuguese, suggesting a Brazil-based origin, although data shows expanding infections in the U.S. as well.
TRU investigators used urlscan.io to capture evidence of these malicious sites, as many were offline by the time of analysis, highlighting the campaign’s ephemeral and adaptive tactics.
Technical Analysis: Electron-Based Stealer Campaigns
The fake games are built with the Electron framework, which is commonly used for legitimate cross-platform apps; the infostealer payload is packaged inside seemingly innocuous setup files.
The malware is typically delivered as a large Windows executable utilizing the Nullsoft Installer (NSIS), which contains an embedded ASAR archive holding malicious JavaScript code.
Once launched, the malware employs sophisticated sandbox detection techniques, checking hostnames, hardware configurations, GPU information, and system memory to evade security researchers. It often aborts with fake error messages if analysis is suspected.
If undetected, the malware harvests sensitive browser data (cookies, passwords, form data) by running browsers in debug mode. Discord tokens, Steam credentials, and logins for gaming and messaging platforms are also targeted.
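A defender-side check for the browser debug-mode technique described above, added here as an example and not taken from Acronis TRU or the report: it scans process-creation events for Chromium-based browsers started with a DevTools remote-debugging switch by a non-browser parent. The log format, field names and sample lines are constructed for this example.

```python
import re
from typing import Optional

# Switches that expose the Chromium DevTools protocol on a running browser.
# A stealer that launches the browser this way can pull cookies and session
# data through the debugging interface instead of decrypting the profile
# database itself.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Constructed log format for this example: space-separated key="value" pairs
# (a real source would be Sysmon event 1 or EDR process telemetry).
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    return {k.lower(): v for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Return a reason string if the event looks like a browser being driven
    over its debugging interface by a non-browser process, else None."""
    image = basename(ev.get("image", ""))
    if image not in CHROMIUM_BROWSERS:
        return None
    cmd = ev.get("cmdline", "")
    hits = [s for s in DEBUG_SWITCHES if s in cmd]
    if not hits:
        return None
    parent = basename(ev.get("parentimage", ""))
    if parent in CHROMIUM_BROWSERS:
        return None  # a browser's own helper/renderer children: expected noise
    reason = f"{image} started with {hits[0]} by {parent or 'unknown parent'}"
    if "--headless" in cmd:
        reason += " (headless: no window for the user to notice)"
    return reason


def scan(lines) -> list:
    """Run classify over raw log lines; returns (pid, reason) for each hit."""
    return [(ev.get("pid"), why) for ev in map(parse_event, lines) if (why := classify(ev))]


# Constructed sample events: a normal launch, a stealer-style launch from a
# downloaded installer, and a browser child process that inherits the switch.
SAMPLE_LOG = [
    r'pid="3120" parentimage="C:\Windows\explorer.exe" image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --profile-directory=Default"',
    r'pid="4412" parentimage="C:\Users\alice\Downloads\game-installer.exe" image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --headless --remote-debugging-port=9222"',
    r'pid="4420" parentimage="C:\Program Files\Google\Chrome\Application\chrome.exe" image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmdline="chrome.exe --type=renderer --remote-debugging-port=9222"',
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_LOG):
        print(pid, why)
```

Only the second event is reported; a developer who starts a browser with the same switch from a terminal would also be flagged, so treat the hit as a triage signal keyed on the parent process rather than a verdict.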
Exfiltration occurs via public file-sharing services (e.g., gofile.io, file.io); the malware can also fetch and execute additional payloads, enabling follow-up attacks.
Notably, researchers discovered the original, unobfuscated JavaScript source code in an RMC Stealer sample, which greatly assisted technical analysis and highlighted operational errors among cybercriminals, who frequently communicate and comment in Portuguese or Turkish.

Impact and Protection
Acronis Cyber Protect Cloud has already detected and blocked these threats; however, the campaign’s evolving tactics and use of social media highlight the increasing risks facing gamers and underscore the importance of vigilance when downloading unofficial game installers.
Cybersecurity experts advise users to trust only official distribution channels and exercise caution when encountering links or downloads shared in gaming communities, particularly on Discord.
Indicators of Compromise (IoC)