
Malicious networks of YouTube accounts have been observed publishing and promoting videos that lead to malware downloads, essentially exploiting the popularity and trust associated with video hosting platforms to propagate malicious payloads.
The network, which has been active since 2021, has published more than 3,000 malicious videos to date, and the number of such videos has tripled since the beginning of the year. Check Point has codenamed it the YouTube Ghost Network. Google has since stepped in and removed the majority of these videos.
The campaign takes over hacked accounts and replaces their content with malicious videos centered on pirated software and Roblox game cheats, infecting unsuspecting users who search for such content with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000.
“This operation used trust signals such as views, likes, and comments to make malicious content appear safe,” said Eli Smadja, security research group manager at Check Point. “What looks like a helpful tutorial could actually be a sophisticated cyber trap. The scale, modularity, and sophistication of this network create a blueprint for how threat actors weaponize their engagement tools to spread malware.”
The use of YouTube to distribute malware is not a new phenomenon. Over the years, threat actors have been observed hijacking legitimate channels or using newly created accounts to publish tutorial-style videos whose instructions point to malicious links that, when clicked, deliver malware.

These attacks are part of a broader trend in which attackers repurpose legitimate platforms for malicious purposes, turning them into effective vehicles for malware distribution. Some campaigns have exploited legitimate advertising networks, such as those associated with search engines like Google and Bing, while others, such as the Stargazers Ghost Network, have used GitHub as a delivery vehicle.
One of the main reasons ghost networks have become so popular is that, thanks to their role-based structure, they can be used not only to amplify the apparent legitimacy of shared links but also to maintain continuity of operations even when an account is banned or deleted by the platform owner.
“These accounts leverage various platform features such as videos, descriptions, posts (a lesser-known YouTube feature similar to Facebook posts), and comments to promote malicious content and distribute malware while creating a false sense of trust,” security researcher Antonis Terefos said.
“A large portion of the network is made up of compromised YouTube accounts, which, once added, are assigned specific operational roles. This role-based structure allows for stealthier distribution by allowing banned accounts to be quickly replaced without disrupting overall operations.”

There are three types of accounts:
Video account: uploads the phishing video and provides a description with a link to download the advertised software (or the link is shared as a pinned comment or provided directly within the video as part of the installation process).
Post account: responsible for publishing posts that include community messages and links to external sites.
Interact account: posts encouraging comments and likes with the aim of giving the video a semblance of trustworthiness and authenticity.
The link directs users to phishing pages hosted on a wide range of services, including MediaFire, Dropbox, and Google Drive, as well as Google Sites, Blogger, and Telegraph, which in turn contain links to download the supposed software. In many of these cases, URL shorteners are used to obscure the link's actual destination.
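The delivery chain described above (a lure-themed description, a shortened link, a landing page on a file-hosting or site-builder service) lends itself to a simple triage heuristic that a defender can run over video descriptions or comments collected during an investigation. The following Python script is an added example written for this article; it is not Check Point's tooling and the article describes no such tool. The file-hosting and site-builder domains come from the services named above; the shortener list and the lure keywords are assumptions made for illustration, and the sample description is constructed.

```python
import re
from urllib.parse import urlparse

# Services the article names as hosting the network's landing pages.
FILE_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com"}
SITE_BUILDERS = {"sites.google.com", "blogger.com", "blogspot.com", "telegra.ph"}

# Assumption: a small, illustrative list of URL shorteners (not from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rebrand.ly"}

# Assumption: lure wording drawn from the themes the article reports
# (pirated/cracked software, game cheats, "free" downloads).
LURE_KEYWORDS = ("crack", "cracked", "cheat", "free download", "pirated", "keygen")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _base_domain(host):
    """Reduce 'www.mediafire.com' to 'mediafire.com'; leaves short hosts untouched."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host):
    """Return 'shortener', 'file_host', 'site_builder' or 'other' for a hostname."""
    host = host.lower()
    base = _base_domain(host)
    if host in SHORTENERS or base in SHORTENERS:
        return "shortener"
    if host in FILE_HOSTS or base in FILE_HOSTS:
        return "file_host"
    if host in SITE_BUILDERS or base in SITE_BUILDERS:
        return "site_builder"
    return "other"


def triage_description(text):
    """Extract links from a description, classify each host and decide whether
    the combination of lure wording plus a suspicious link category warrants review."""
    links = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        links.append({"url": url, "host": host, "category": classify_host(host)})
    lowered = text.lower()
    lure = any(keyword in lowered for keyword in LURE_KEYWORDS)
    suspicious_link = any(link["category"] != "other" for link in links)
    # Flag only when both signals are present: lure wording alone is common in
    # legitimate videos, and a Dropbox link alone is not evidence of anything.
    return {"links": links, "lure_wording": lure, "flagged": lure and suspicious_link}


# Constructed sample inputs: one mimicking the lure pattern the article reports,
# one benign tutorial description for comparison.
SAMPLE_LURE = """Adobe Photoshop 2025 cracked - free download, works 100%
Download: https://bit.ly/ps-free-2025
Mirror: https://www.mediafire.com/file/abc123/setup.zip"""

SAMPLE_BENIGN = """Intro to list comprehensions.
Docs: https://docs.python.org/3/tutorial/"""


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = triage_description(sample)
        print(name, "flagged" if result["flagged"] else "clean")
        for link in result["links"]:
            print("  ", link["category"], link["host"])
```

The two-signal rule is deliberate: in a real review queue a shortened link or a file-host link by itself would generate too many false positives, so the script only escalates when the description also carries the pirated-software or cheat wording that the campaign relies on to attract victims.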

Malware families distributed via the YouTube Ghost Network include Lumma Stealer, Rhadamanthys Stealer, StealC Stealer, RedLine Stealer, and Phemedrone Stealer, as well as Node.js-based loaders and downloaders.
A channel named @Sound_Writer (9,690 subscribers) had been compromised for over a year and used to upload videos about cryptocurrency software that deploy Rhadamanthys. A channel named @Afonesio1 (129,000 subscribers) was compromised on December 3, 2024 and January 5, 2025, and used to upload videos promoting a cracked version of Adobe Photoshop that distribute an MSI installer which deploys Rhadamanthys.
Check Point said, “The continued evolution of malware distribution methods demonstrates the incredible adaptability and resourcefulness of threat actors in evading traditional security defenses. Adversaries are increasingly moving to more sophisticated platform-based strategies, particularly the deployment of ghost networks.”
“These networks leverage the inherent trust of legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”
