A new campaign exploits the trust of unsuspecting gamers, luring victims into downloading information-stealing malware disguised as beta versions of video games. The campaign, detailed in a Malwarebytes report, primarily targets users through Discord direct messages, emails, or text messages, often presented as personal requests from “game developers” seeking beta testers.
Targeting Discord users
Victims are enticed to download a game installer from links hosted on platforms such as Dropbox, Catbox, or even Discord’s content delivery network (CDN). The archives, often password-protected to evade detection by AV tools, contain installers that deliver malware instead of a playable game. The attackers use compromised Discord accounts to add credibility to the scam.
Several information-stealing trojans are being spread through this method, including Nova Stealer, Ageo Stealer, and Hexon Stealer. Each of these malware variants specializes in pilfering sensitive data, such as:
- Browser-stored credentials
- Discord and Steam session cookies
- Cryptocurrency wallet details
- Saved passwords, autofill data, and credit card information
The Nova and Ageo stealers operate as Malware-as-a-Service (MaaS), where threat actors rent malware and infrastructure to other criminals. These stealers also use Discord webhooks to send stolen information directly to the attacker in real time. Hexon Stealer, a relatively new player in the malware space, is based on the Stealit Stealer code and boasts capabilities like exfiltrating two-factor authentication (2FA) backup codes and expanding compromised Discord networks.
The campaign’s focus on Discord credentials enables attackers to hijack accounts and manipulate users’ social circles. Stolen credentials provide access to victims’ friends and contacts, allowing criminals to masquerade as trusted acquaintances and propagate the scam further. This snowball effect helps attackers build larger networks of compromised accounts, increasing the potential for financial theft and other fraudulent schemes.
Fake game websites
The malware distribution relies heavily on fake game websites, many of which follow a templated design for easy replication and deployment. These sites are often hosted on uncooperative hosting services and protected by Cloudflare, making takedown efforts difficult. Some campaigns also use Blogspot for hosting, leveraging its standardized templates to create convincing but malicious pages.
Malwarebytes identified several domains used in this campaign. Users should avoid interacting with the following sites:
- dualcorps[.]fr
- leyamor[.]com
- crystalsiege[.]com
- crystalsiege[.]online
- dungeonofdestiny[.]pages.dev
- mazenugame[.]blogspot.com
- yemozagame[.]blogspot.com
- domenugame[.]blogspot.com
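The two actionable details above are the webhook-based exfiltration and the domain list. The following script, an added example rather than code from the Malwarebytes report, refangs the listed domains and runs three checks over proxy log lines: a request to one of the listed domains (or a subdomain of one), a POST to a Discord webhook URL from a process that is not a browser or the Discord client, and an archive download from Discord's CDN. The log format (`ts host= proc= method= url=`), the sample lines, the process allowlist and the `cdn.discordapp.com` archive heuristic are assumptions for illustration; the webhook path shape (`/api/webhooks/<id>/<token>`) is Discord's documented format.

```python
import re
from urllib.parse import urlparse

# Domains from the Malwarebytes report, kept in defanged form as published.
DEFANGED_IOCS = [
    "dualcorps[.]fr",
    "leyamor[.]com",
    "crystalsiege[.]com",
    "crystalsiege[.]online",
    "dungeonofdestiny[.]pages.dev",
    "mazenugame[.]blogspot.com",
    "yemozagame[.]blogspot.com",
    "domenugame[.]blogspot.com",
]


def refang(ioc):
    """Turn a defanged indicator back into a matchable hostname/URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS}

# Discord API hosts that serve webhooks, and the documented webhook path shape.
DISCORD_API_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d+/[\w-]+")
# Assumed allowlist: processes expected to talk to Discord on a workstation.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# Assumed proxy log format; real deployments would parse their own schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+)$"
)

# Constructed sample lines; not real traffic.
LOG_LINES = [
    "2025-01-06T10:01:12Z host=ws-17 proc=chrome.exe method=GET url=https://crystalsiege.com/download",
    "2025-01-06T10:02:30Z host=ws-17 proc=chrome.exe method=GET url=https://cdn.discordapp.com/attachments/1111/2222/CrystalSiege_Beta.zip",
    "2025-01-06T10:05:44Z host=ws-17 proc=CrystalSiegeSetup.exe method=POST url=https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJ",
    "2025-01-06T10:06:00Z host=ws-17 proc=Discord.exe method=POST url=https://discord.com/api/v9/channels/3333/messages",
    "2025-01-06T10:07:15Z host=ws-02 proc=firefox.exe method=GET url=https://www.dungeonofdestiny.pages.dev/",
    "2025-01-06T10:08:00Z host=ws-02 proc=firefox.exe method=GET url=https://example.com/",
]


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line):
    """Return a verdict label for one log line, or None if nothing matched."""
    rec = parse_line(line)
    if rec is None:
        return None
    u = urlparse(rec["url"])
    host = (u.hostname or "").lower()
    proc = rec["proc"].lower()
    if host_matches(host, IOC_DOMAINS):
        return "ioc_domain"
    if (host in DISCORD_API_HOSTS and WEBHOOK_PATH_RE.match(u.path)
            and rec["method"].upper() == "POST"
            and proc not in EXPECTED_DISCORD_CLIENTS):
        return "webhook_exfil"
    # Heuristic only: archives are also shared legitimately via Discord attachments.
    if host == "cdn.discordapp.com" and u.path.lower().endswith(ARCHIVE_EXTS):
        return "discord_cdn_archive"
    return None


def scan(lines):
    """Return (verdict, line) pairs for every line that triggered a check."""
    return [(v, line) for line in lines if (v := classify(line))]


if __name__ == "__main__":
    for verdict, line in scan(LOG_LINES):
        print(f"{verdict:20s} {line}")
```

The webhook check keys on the originating process because a browser or the Discord client can legitimately POST to a webhook; a freshly downloaded "setup" executable doing so is the signal the report describes. The CDN archive check will fire on benign file sharing, so it is better used as enrichment on the other two hits than as a standalone alert.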
To protect against such threats, users are advised to keep their antivirus tool up to date and actively running, verify unexpected requests from “friends” out of band (on a different platform or by talking to them directly), and never act on messages that ask them to download or install something.