
Massive YouTube Malware Ring Uncovered by Researchers

Summary

– Check Point researchers uncovered a large-scale malware operation called the “YouTube Ghost Network” that used over 3,000 videos on compromised or fake channels.
– The network lured viewers with offers of game cheats and cracked software but instead delivered malware or phishing pages through download links.
– Similar to the Stargazers Ghost Network on GitHub, it used specialized accounts for uploading videos, posting links, and creating fake endorsements to appear legitimate.
– The operation was designed to be resilient by using compromised channels, frequently updating links and payloads, and employing password-protected archives to evade detection.
– Despite Google removing over 3,000 malicious videos after being alerted, the network has been active since 2021 and its operators are unlikely to cease their efforts.

Security researchers have exposed a massive and deceptive malware operation on YouTube, which they named the “YouTube Ghost Network.” This sophisticated scheme used thousands of videos across fake or hijacked channels to distribute dangerous software and phishing links. Viewers were tricked by promises of free game cheats, cracked applications, or pirated software, only to be directed toward harmful downloads instead.

The operation mirrors a previous campaign known as the Stargazers Ghost Network, which misused GitHub accounts in a similar way. Both networks function like a malware distribution service, carefully organized to appear legitimate while targeting unsuspecting users.

In the YouTube version, different types of accounts played specific roles. Video accounts uploaded enticing content, such as offers for Adobe Photoshop cracks or Roblox hacks, and included links to password-protected files hosted on services like Dropbox or Google Drive. Instructions often advised users to disable Windows Defender before installation, a major red flag for security risks.

Post accounts shared the same malicious links through YouTube’s community tab, while interact accounts flooded video comment sections with fake positive feedback. This created an illusion of trustworthiness, making the scam harder for viewers to detect.

Researchers pointed out that while email phishing is still common, cybercriminals are increasingly turning to platform-based strategies like Ghost Networks. These campaigns exploit the built-in trust people place in established platforms and use engagement features, such as comments and community posts, to run large-scale, persistent malware operations. One expert described the method as “casting nets across the web,” where users essentially infect themselves by following the attackers’ instructions.

The YouTube Ghost Network was built to be both stealthy and resilient. Most accounts were legitimate channels that had been compromised. If one channel got banned, the operators simply replaced it. Because responsibilities were divided among many accounts, the network could continue operating even after partial takedowns.

Threat actors regularly refreshed download links and malware payloads, allowing infections to persist despite removal efforts. They used password-protected archives, multiple file hosting platforms, and frequently updated command-and-control servers to avoid automated detection and manual review by security teams.
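The indicators described above (a crack or game-cheat lure, a link to a file-hosting service, a password for the archive, an instruction to disable Windows Defender, and comment sections padded with content-free praise) can be turned into a simple triage heuristic for content moderators or security teams reviewing reported videos. The script below is an added example written for this article; it is not Check Point's tooling or anything from the report. The rule weights, the flag threshold, the list of file hosts and all sample texts are constructed assumptions, and a score only marks a post for human review.

```python
"""Triage heuristic for lure posts of the kind the YouTube Ghost Network used.

Scores a video description or community post on the combination of
indicators the campaign relied on, and estimates how much of a comment
section is generic endorsement noise. Everything here is constructed for
illustration; the weights and patterns are assumptions, not the report's.
"""
import re
from dataclasses import dataclass

# Each rule: (name, compiled pattern, weight). Weights are an assumption.
RULES = [
    ("lure", re.compile(
        r"\b(crack(ed)?|keygen|cheat(s)?|aimbot|hack(s|ed)?|free (download|version))\b", re.I), 2),
    ("file_host", re.compile(
        r"https?://(www\.)?(dropbox\.com|drive\.google\.com|mediafire\.com|mega\.nz)/\S+", re.I), 2),
    # Password stated for the download; campaign used password-protected archives.
    ("archive_password", re.compile(r"\b(pass(word)?|pw)\s*[:=]\s*\S+", re.I), 2),
    # Telling the viewer to switch off protection is the strongest single signal.
    ("av_disable", re.compile(
        r"(disable|turn off)\s+(windows\s+)?(defender|antivirus|av|real[- ]time protection)", re.I), 3),
]
FLAG_THRESHOLD = 5  # assumption: lure + host + password, or av_disable plus any other hit


@dataclass
class Verdict:
    score: int
    hits: list
    flagged: bool


def score_post(text: str) -> Verdict:
    """Return which rules matched, the summed weight, and whether to flag for review."""
    hits = [name for name, pat, _ in RULES if pat.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return Verdict(score=score, hits=hits, flagged=score >= FLAG_THRESHOLD)


# Short comments that carry no content beyond praise ("works 100%!! thanks").
ENDORSEMENT = re.compile(
    r"^(works|working|thanks|thank you|great|100%|legit|tysm)[\w\s!%.,]*$", re.I)


def endorsement_ratio(comments: list) -> float:
    """Fraction of comments that are short, content-free endorsements."""
    if not comments:
        return 0.0
    generic = sum(
        1 for c in comments if len(c.split()) <= 8 and ENDORSEMENT.match(c.strip()))
    return generic / len(comments)


# Constructed sample inputs (not real posts or comments from the campaign).
SAMPLE_POSTS = [
    "Adobe Photoshop 2024 FREE crack! Download: https://www.dropbox.com/s/abc123/setup.zip "
    "Password: 1234 - IMPORTANT: disable Windows Defender before install or it won't run",
    "Roblox hack / aimbot updated today -> https://drive.google.com/file/d/xyz/view pass: 2025",
    "Tutorial: setting up a home lab with Proxmox. Full write-up at https://example.org/homelab",
]
SAMPLE_COMMENTS = [
    "works 100%!! thanks bro",
    "Thank you, best one on youtube",
    "Legit, working today",
    "The installer crashed on step 3, anyone else?",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        v = score_post(post)
        print(f"score={v.score:2d} flagged={v.flagged!s:5} hits={v.hits}")
    print(f"endorsement ratio of sample comments: {endorsement_ratio(SAMPLE_COMMENTS):.2f}")
```

Running the block prints one line per sample post; the two lure posts score 9 and 6 and are flagged, the home-lab tutorial scores 0, and three of the four sample comments are classed as generic endorsements. The point of weighting `av_disable` highest is that a legitimate installer never needs protection switched off, so that instruction alone should push a post toward review even when the other signals are weak.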

Most of the malware distributed through this network consisted of information stealers, with Lumma Stealer and Rhadamanthys being the most prominent. These programs are designed to harvest sensitive data like passwords, cryptocurrency wallets, and browser cookies from infected devices.

Although the network has been active since at least 2021, the volume of malicious videos tripled in 2025. Following reports from researchers, Google removed more than 3,000 harmful videos, significantly disrupting the operation. However, security experts warn that the individuals behind these campaigns are unlikely to stop, and similar threats are expected to reemerge on other platforms.

(Source: HelpNet Security)
