Behind titles like Baruda Quest and Warstorm Fire lie Leet Stealer, RMC Stealer and Sniffer Stealer: a family of malware designed to steal data and spread by exploiting the interest in gaming
Acronis, global leader in the cybersecurity and in the data protection, announces that the Acronis Threat Research Unit (TRU) team has identified a new malware campaign in which a family of infostealers is distributed in the form of indie video games and spread mainly through Discord with the support of promotional sites and content specifically created to mislead users.
The malware involved – Leet Stealer, RMC Stealer (a variant) and Sniffer Stealer – present themselves as unreleased or soon-to-be-released video games, with catchy names such as Baruda Quest, Warstorm Fire and Dire Talon. The files are shared within online communities, where users, attracted by the possibility of trying "preview" games, unknowingly download malicious software.
To make the deception more credible, cybercriminals create dedicated websites, YouTube videos and graphic materials copied from real titles. Once executed, fraudulent installers collect sensitive information such as login credentials, cookies, Discord tokens, cryptocurrency data, and private messages.
Thanks to a mistake by the malware author, Acronis analysts were able to access the unobfuscated source code of one of the variants – RMC Stealer – gaining in-depth insight into how it works. The malware employs advanced techniques to avoid sandboxes, collects data from all major browsers, and is capable of downloading other malicious payloads.
Many of the analyzed samples contained references in Portuguese or Turkish, indicating a probable origin in Brazil or Türkiye. However, the number of infections recorded in the United States confirms a now widespread global distribution, favored by international platforms such as Discord.
Acronis Cyber Protect Cloud detects and blocks these threats, providing effective protection against data theft, extortion, and account compromise, while preventing the spread of malware to other users.
