Tweaks Stealer Targets Roblox Users Through YouTube and Discord

MITRE Techniques

• [T1566] Phishing – The attackers use YouTube videos on FPS to lure users into joining Discord groups and downloading malicious files. Quote: “The attackers leverage YouTube by enticing users to watch videos on ‘How to increase FPS’ that contain links to their Discord groups.”
• [T1082] System Information Discovery – The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user’s location including the following fields: country, region, city, and approximate location. Quote: “The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user’s location including the following fields: country, region, city, and approximate location.”
• [T1064] Scripting – The stealer is Powershell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles, and passwords, Roblox IDs, and in-game currency details. Quote: “The stealer is Powershell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles, and passwords, Roblox IDs, and in-game currency details.”
• [T1010] Application Windows Discovery – The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user’s location including country, region, city, and approximate location. Quote: “The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user’s location including the following fields: country, region, city, and approximate location.”
• [T1047] Windows Management Instrumentation – The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user’s location including the country, region, city, and approximate location. Quote: “The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user’s location including the following fields: country, region, city, and approximate location.”
• [T1016.002] Wi-Fi Discovery – The Tweaks malware can steal Wi-Fi profiles and passwords. Quote: “The malware can steal Wi-Fi profiles and passwords.”
• [T1016] System Network Configuration Discovery – The malware collects IP information like private and public IP addresses, the current time, system information, Roblox ID, and currency information. Quote: “The malware collects IP information like private and public IP addresses, the current time, system information, Roblox ID, and currency information.”
• [T1059] Command and Scripting Interpreter – The Tweaks malware is Powershell-based. Quote: “The Tweaks malware is Powershell-based.”
• [T1018] Remote System Discovery – Not explicitly described in the article’s actions; technique listed in the article’s MITRE mapping as part of the overall framework. Quote: “MITRE Techniques” section lists multiple techniques including Remote System Discovery.
• [T1562] Disable or Modify Tools – The campaign includes instructions to disable antivirus software to facilitate infection. Quote: “Roblox players were instructed to disable their antivirus software to ensure the smooth operation of a ‘PC optimizer’…”