YouTube Ghost Network: 3,000 Malicious Videos Used to Spread Infostealer Malware via Compromised Channels

  • Rescana
  • 27 minutes ago
  • 5 min read
Rescana Cyber Threat Intelligence

Executive Summary

A sophisticated and large-scale malware distribution campaign, identified as the YouTube Ghost Network, has been exposed by Check Point Research. This operation weaponized over 3,000 YouTube videos, leveraging both fake and compromised accounts to disseminate a range of infostealer malware families. The campaign exploited YouTube’s inherent trust signals—such as high view counts, likes, and positive comments—to lure unsuspecting users into downloading malicious payloads. These payloads were typically disguised as cracked software, gaming cheats, or other high-demand digital goods. The operation’s modular structure, rapid account replacement, and use of legitimate cloud services for payload delivery have enabled it to evade detection and takedown efforts for years, making it one of the most persistent and impactful social platform-based malware campaigns to date.

Threat Actor Profile

The actors behind the YouTube Ghost Network have not been publicly attributed to any known Advanced Persistent Threat (APT) group. The tactics, techniques, and procedures (TTPs) observed are consistent with financially motivated cybercriminal operations rather than nation-state actors. The campaign demonstrates a high degree of operational security and automation, with a clear focus on scalability and resilience. The threat actors utilized a modular account structure, separating roles into video uploaders, community post publishers, and engagement manipulators. This division of labor allowed for rapid replacement of banned accounts and continuous operation despite platform enforcement actions. The use of both fake and compromised high-subscriber YouTube channels further amplified the reach and credibility of the campaign.

Technical Analysis of Malware/TTPs

The YouTube Ghost Network campaign has been active since at least 2021, with a significant escalation in 2025. Over 3,000 malicious videos were identified, some garnering between 147,000 and 293,000 views. The infection chain typically begins with a victim searching for cracked software or game cheats, leading them to a YouTube video that appears legitimate due to high engagement metrics. The video description, pinned comment, or community post contains a link—often shortened—to a file hosted on services such as Dropbox, Google Drive, MediaFire, or phishing pages on Google Sites, Blogger, or Telegraph.

Victims are instructed to disable Windows Defender or other security tools and download a password-protected archive. This archive, once extracted and executed, delivers one or more infostealer malware families. The most prevalent malware observed includes Rhadamanthys Stealer, Lumma Stealer, StealC Stealer, RedLine Stealer, Phemedrone Stealer, and various Node.js-based loaders and downloaders. In some cases, a Hijack Loader is used as a dropper to deploy Rhadamanthys.

These infostealers are designed to exfiltrate sensitive data, including browser credentials, cryptocurrency wallets, and system information, to command-and-control (C2) servers. The campaign employs frequent C2 rotation, with infrastructure changing every few days to evade blacklisting. The use of password-protected archives and legitimate cloud storage services helps bypass traditional security controls and detection mechanisms.

Notable YouTube channels used in the campaign include @Sound_Writer (9,690 subscribers), which uploaded cryptocurrency software videos deploying Rhadamanthys, and @Afonesio1 (129,000 subscribers), which was compromised to distribute cracked Adobe Photoshop installers that dropped Hijack Loader and subsequently Rhadamanthys.

The campaign’s TTPs align with several MITRE ATT&CK techniques, including T1566.002 (Phishing: Spearphishing via Service), T1204.002 (User Execution: Malicious File), T1071.001 (Application Layer Protocol: Web Protocols), T1555 (Credentials from Password Stores), and T1567.002 (Exfiltration Over Web Service).

Exploitation in the Wild

The exploitation phase of the YouTube Ghost Network is characterized by its broad targeting of users seeking free or pirated software and gaming cheats. The campaign’s success is largely attributed to its manipulation of YouTube’s engagement metrics, which creates a veneer of legitimacy and trust. High view counts, numerous likes, and positive comments—often generated by dedicated “interact accounts”—convince victims that the videos are safe and widely used.

Once a victim follows the provided link and disables their security software as instructed, the infection process is almost guaranteed. The use of password-protected archives further reduces the likelihood of detection by endpoint security solutions. The campaign’s modular account structure ensures persistence, as banned or removed accounts are quickly replaced, and new videos are uploaded to maintain the operation’s momentum.

The campaign has been observed to adapt rapidly to platform enforcement actions, with threat actors updating links, passwords, and even video content to circumvent takedowns. The use of legitimate cloud services for payload delivery complicates efforts to block malicious content, as these services are often essential for business operations and cannot be wholesale blacklisted without impacting productivity.

Victimology and Targeting

The primary victims of the YouTube Ghost Network are individuals searching for cracked or pirated versions of popular software, gaming cheats, and cryptocurrency tools. The campaign does not exploit vulnerabilities in the targeted products themselves but rather leverages the demand for unauthorized software to entice users into self-infection. The most commonly abused product families include Adobe Photoshop, FL Studio, Microsoft Office, Adobe Lightroom, Roblox game cheats, and various cryptocurrency wallet and trading applications.

Victims are typically located in regions with high rates of software piracy and gaming activity, although the global reach of YouTube ensures that users from virtually any geography can be affected. The campaign’s reliance on social engineering, rather than technical exploitation, means that any user—regardless of technical proficiency—can fall victim if they are enticed by the promise of free or enhanced software.

The operation’s use of compromised high-subscriber channels increases the likelihood of targeting more technically savvy users, as these channels often have established reputations and large followings. However, the majority of victims are likely to be individuals with limited cybersecurity awareness, making user education a critical component of any mitigation strategy.

Mitigation and Countermeasures

Organizations should consider network controls that restrict access to the file-sharing and free web-publishing services the campaign abused for payload delivery, including Dropbox, Google Drive, MediaFire, Google Sites, Blogger, and Telegraph, where these services are not business-critical. Security teams should monitor for downloads of password-protected archives from these services, as this is a common indicator of compromise associated with the campaign.
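As an added illustration of the monitoring recommended above (this is example code, not Rescana's or Check Point's), the following Python snippet scans constructed proxy-log lines, flags archive downloads from the hosting services the report names, and treats a YouTube referrer as a second signal. The log format, the host list, and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Hosting and publishing services the report names as payload delivery points
# (blogspot.com is where Blogger serves blogs; telegra.ph is Telegraph's domain).
ABUSED_HOSTS = {"dropbox.com", "drive.google.com", "mediafire.com",
                "sites.google.com", "blogger.com", "blogspot.com", "telegra.ph"}
YOUTUBE_HOSTS = {"youtube.com", "youtu.be"}
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)

# Assumed proxy log format: "<ts> <src_ip> <method> <url> <status> <bytes> <referrer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")

# Constructed sample lines; hosts, paths and ids are placeholders, not real IoCs.
SAMPLE_LOG = """\
2025-10-23T10:01:02Z 10.0.0.12 GET https://www.youtube.com/watch?v=PLACEHOLDER 200 8812 -
2025-10-23T10:01:40Z 10.0.0.12 GET https://www.mediafire.com/file/abc123/Photoshop_2025_Crack.rar 200 5242880 https://www.youtube.com/
2025-10-23T10:02:10Z 10.0.0.33 GET https://drive.google.com/uc?export=download&id=CONSTRUCTED 200 3145728 https://youtu.be/
2025-10-23T10:03:00Z 10.0.0.44 GET https://www.dropbox.com/s/xyz/quarterly_report.pdf 200 120000 https://mail.example.com/
2025-10-23T10:04:00Z 10.0.0.55 GET https://example.com/setup.zip 200 1000 -
"""

def host_matches(hostname, suffixes):
    """True if hostname equals one of the suffixes or is a subdomain of one."""
    h = (hostname or "").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)

def classify(line):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, _method, url, status, _size, ref = m.groups()
    if status != "200":
        return None                      # only completed downloads matter
    target = urlparse(url)
    if not host_matches(target.hostname, ABUSED_HOSTS):
        return None                      # only the abused services are in scope
    reasons = []
    if ARCHIVE_RE.search(target.path):
        reasons.append("archive_download_from_file_host")
    if host_matches(urlparse(ref).hostname, YOUTUBE_HOSTS):
        reasons.append("youtube_referrer_to_file_host")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "review"
    return {"ts": ts, "src": src, "url": url, "reasons": reasons, "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]   # findings in log order
```

Running `scan(SAMPLE_LOG.splitlines())` yields two findings: the MediaFire `.rar` fetched from a YouTube referrer rates "high", and the Google Drive download with only a YouTube referrer rates "review".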

User education is paramount. Employees and end users must be made aware of the risks associated with downloading cracked software and disabling security tools at the request of online tutorials or installers. Security awareness training should emphasize the dangers of social engineering and the importance of verifying the legitimacy of software sources.

Endpoint protection solutions with advanced behavioral detection capabilities should be deployed to identify and block infostealer malware such as Rhadamanthys, Lumma, and related families. Regular updates to threat intelligence feeds and proactive hunting for indicators of compromise (IOCs) associated with the YouTube Ghost Network are recommended.

For individuals, the most effective countermeasure is to avoid downloading software from unofficial or cracked sources and to never disable antivirus or Windows Defender at the request of an installer. Highly liked and viewed “free” software videos should be treated with skepticism, as engagement metrics can be easily manipulated by threat actors.

References

Check Point Research: The YouTube Ghost Network https://research.checkpoint.com/2025/youtube-ghost-network/

The Hacker News: 3,000 YouTube Videos Exposed as Malware Traps https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.html

Help Net Security: Researchers expose large-scale YouTube malware distribution https://www.helpnetsecurity.com/2025/10/23/youtube-malware-distribution-network-ghost/

The Register: Google and Check Point nuke massive YouTube malware network https://www.theregister.com/2025/10/23/youtube_ghost_network_malware/

MITRE ATT&CK: Rhadamanthys Stealer https://attack.mitre.org/software/S1041/

MITRE ATT&CK: Lumma Stealer https://attack.mitre.org/software/S1042/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our platform leverages advanced threat intelligence, automation, and continuous monitoring to deliver actionable insights and enhance your organization’s security posture. For more information about how Rescana can help you manage cyber risk, we are happy to answer questions at ops@rescana.com.