YouTube Video Malware Traps in Massive Ghost Network Operation Expose 3,000 Videos
“A massive number of YouTube Accounts are spreading videos about downloading malware.”
In essence, a malicious network of YouTube accounts has been seen utilizing the popularity and trust of the video hosting platform to spread dangerous payloads by uploading and promoting films that result in malware downloads.
Since it began operating in 2021, the network has released over 3,000 malicious videos, and the number of these videos has tripled since the start of this year. Check Point has given it the moniker “YouTube Ghost Network.” Google has since taken action to remove most of these videos.
The campaign uses hijacked accounts to infect unsuspecting viewers with stealer malware. It replaces the accounts’ existing material with malicious videos that focus on Roblox game cheats and cracked software, which is exactly the content those viewers are searching for.
Some of these videos have amassed hundreds of thousands of views, ranging from 147,000 to 293,000.

Eli Smadja, Security Research Group Manager, Check Point
“To make malicious content appear safe, this operation used trust signals, such as views, likes, and comments.”
“What appears to be a useful instruction may turn out to be a well-crafted cyber trap. This network’s size, modularity, and sophistication make it a model for how threat actors currently use interaction tools as a weapon to disseminate malware.”
“The constant change in malware dissemination techniques shows how resourceful and adaptive threat actors are at getting around traditional security measures.”
“Adversaries are moving more and more in the direction of more advanced, platform-based tactics, such as the use of Ghost Networks.”
“These networks organize extensive, enduring, and extremely successful malware campaigns by taking advantage of the confidence that comes with authentic accounts and the interaction features of well-known platforms.”
Using YouTube to spread malware is not a recent development. For years, threat actors have either taken over legitimate channels or created new accounts to publish tutorial-style videos whose descriptions point to malicious URLs that deliver malware when clicked.
These attacks are part of a larger pattern in which attackers turn trusted platforms into a powerful distribution channel for malware. Some campaigns have used GitHub as a delivery system, as the Stargazers Ghost Network did, while others have abused legitimate ad networks, such as those connected to search engines like Google or Bing.
One of the primary reasons Ghost Networks have become so popular is their role-based structure: it both increases the perceived legitimacy of the shared links and lets the network keep operating even when the platform owners ban or remove individual accounts.
Antonis Terefos, Security Researcher
“While fostering a false sense of trust, these identities exploit a variety of platform features, including videos, descriptions, posts (a lesser-known YouTube function akin to Facebook posts), and comments, to push dangerous content and spread malware.”
“Most of the network is made up of compromised YouTube accounts that are given particular operational duties after they are joined. Because banned accounts may be quickly replaced without interfering with the operation as a whole, this role-based structure allows for more covert dissemination.”
There are three specific types of accounts:
- Video Accounts: These post the phishing videos together with descriptions that link to the advertised software download (the link can also be shown inside the video as part of the installation walkthrough or shared as a pinned comment).
- Post Accounts: These publish community posts that carry external links and handle community messaging.
- Interact Accounts: These like the videos and leave supportive comments to lend them an air of legitimacy and trust.
The links lead either to phishing pages hosted on Google Sites, Blogger, and Telegraph, or directly to file-sharing services such as MediaFire, Dropbox, or Google Drive; the phishing pages in turn link to the download of the purported software.

Frequently, URL shorteners are used to hide the URLs in order to conceal the actual destination.
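The delivery chain just described (a link in a description or pinned comment, often behind a URL shortener, leading to a hosted lure page and then to a file-sharing download) lends itself to a cheap triage heuristic for anyone moderating or monitoring video descriptions. The Python below is an added example and not Check Point's or YouTube's tooling: it extracts the URLs from constructed description and comment text, classifies each by whether its host is a shortener, one of the page hosts named above, or one of the file hosts, adds a point per lure phrase, and returns a score. The domain lists, the weights, the lure phrases and the sample texts are all assumptions of this example, not indicators from the report.

```python
"""Triage heuristic for video description / comment text (added example).

Scores text by how closely its links follow the chain described in the
article: URL shortener -> hosted lure page -> file-sharing download.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# ASSUMPTION: illustrative domain lists, not an IoC list. Shorteners are
# common public services; page and file hosts are the services the article
# names (Google Sites, Blogger, Telegraph, MediaFire, Dropbox, Google Drive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}
PAGE_HOSTS = {"sites.google.com", "blogspot.com", "telegra.ph"}
FILE_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com"}
# ASSUMPTION: lure phrases typical of the cheat / cracked-software theme.
LURE_WORDS = ("cheat", "crack", "free download", "password", "roblox")
# ASSUMPTION: weights chosen so that one chain hop plus a lure word reaches
# the review threshold used by flagged().
WEIGHTS = {"shortener": 2, "phish_page": 2, "file_host": 3, "other": 0}
REVIEW_THRESHOLD = 3

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def _host(url):
    """Return the registrable-looking host of a URL, lower-cased, without www."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _matches(host, domains):
    """True when host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Label one URL by its role in the delivery chain, or 'other'."""
    host = _host(url)
    if _matches(host, SHORTENERS):
        return "shortener"
    if _matches(host, PAGE_HOSTS):
        return "phish_page"
    if _matches(host, FILE_HOSTS):
        return "file_host"
    return "other"


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    urls: dict = field(default_factory=dict)  # url -> classification


def assess_text(text):
    """Score one description or comment; higher means closer to the chain."""
    v = Verdict()
    for url in URL_RE.findall(text):
        kind = classify_url(url)
        v.urls[url] = kind
        if WEIGHTS[kind]:
            v.score += WEIGHTS[kind]
            v.reasons.append(f"{kind}: {_host(url)}")
    lowered = text.lower()
    for word in LURE_WORDS:
        if word in lowered:
            v.score += 1
            v.reasons.append(f"lure phrase: {word!r}")
    return v


# Constructed sample texts in the style of the descriptions the article
# describes; the URLs are placeholders and resolve to nothing real.
SAMPLES = [
    ("desc-1", "Roblox cheat 2025 working! Download: https://bit.ly/xxxx Password: 1234"),
    ("desc-2", "Adobe Photoshop crack, free download here "
               "https://sites.google.com/view/example-page and mirror "
               "https://www.mediafire.com/file/example"),
    ("desc-3", "Full tutorial on setting up a Python venv. Docs: "
               "https://docs.python.org/3/library/venv.html"),
]


def scan_samples(samples=SAMPLES):
    """Assess every (name, text) pair and return name -> Verdict."""
    return {name: assess_text(text) for name, text in samples}


def flagged(samples=SAMPLES, threshold=REVIEW_THRESHOLD):
    """Names of samples whose score reaches the review threshold."""
    return sorted(n for n, v in scan_samples(samples).items() if v.score >= threshold)


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        mark = "REVIEW" if verdict.score >= REVIEW_THRESHOLD else "ok"
        print(f"{name}: score={verdict.score} [{mark}] {'; '.join(verdict.reasons)}")
```

The classification is deliberately host-based rather than keyed on specific URLs, since the report notes that individual accounts and links are replaced quickly; the hosting pattern is the more stable signal. A real deployment would additionally resolve shortened links in a sandbox to confirm the final destination before acting on a score.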
The malware families distributed through the YouTube Ghost Network include Lumma Stealer, Rhadamanthys Stealer, StealC Stealer, RedLine Stealer, Phemedrone Stealer, and various Node.js-based loaders and downloaders.
- For more than a year, the compromised channel @Sound_Writer (9,690 subscribers) has been used to post videos about bitcoin software that deploy Rhadamanthys.
- On December 3, 2024, and January 5, 2025, a channel called @Afonesio1 (129,000 subscribers) was compromised to post a video promoting a cracked version of Adobe Photoshop to disseminate an MSI installer that launches Hijack Loader, which subsequently downloads Rhadamanthys.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.