Compromised YouTube Accounts Distribute Infostealer Malware

More than 3,000 malicious YouTube videos were used to distribute infostealer malware, according to a new report detailing the operation.

Dubbed the “YouTube Ghost Network” by Check Point Research, the large-scale malware distribution operation used fake and compromised YouTube accounts to distribute infostealers like Rhadamanthys and Lumma, the report said.

Most of the videos have now been removed, but the operation has been active since at least 2021.

The two most targeted categories were game hacks and cheats, and software cracks and piracy. “It is important to emphasize that the use of cracked software is illegal and that such versions frequently contain hidden malware,” Check Point said.

The most viewed malicious videos targeted Adobe Photoshop, with 293,000 views, and FL Studio, with 147,000 views.

Compromised YouTube Accounts Used to Spread Infostealer Malware

Much of the YouTube Ghost Network consists of compromised YouTube accounts that are assigned specific operational roles, such as uploading malicious videos or liking and commenting to create a false sense of trust in a compromised account.

“This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation,” the report said.

The most targeted game from the “Game Hacks/Cheats” category was Roblox, with 380 million monthly active users and about 111.8 million daily active users. In the “Software Cracks/Piracy” category, Adobe products are the main targets, led by Photoshop and Lightroom.

External links in the video posts typically redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites, Blogspot, or Telegraph (telegra.ph). Those pages then contain links to download the malicious software, and shortened URLs are often used to hide the real destination of the external link.

The description of the videos follows a typical structure, with a download link and shared password. Step-by-step instructions often advise users to temporarily disable Windows Defender to avoid “a false alert.”

“Don’t worry – the archive is clean,” assures one post after telling potential victims to temporarily disable Windows Defender. “Defender may trigger a false alert due to the way Setup.exe works with installations.”
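As an added illustration, not part of Check Point's report or any of its tooling, the Python script below scores a video description for the lure pattern described above: a link through a URL shortener or to one of the named file-sharing and free-hosting services, an archive password shared in the description, and an instruction to disable Windows Defender backed by a “false alert” reassurance. The file-sharing and landing-page hosts are the ones the report names; the shortener list, the weights, the threshold and the two sample descriptions are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Landing hosts named in the Check Point report: file-sharing services that
# serve the archive, and free hosting platforms used for intermediate pages.
FILE_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com"}
LANDING_HOSTS = {"sites.google.com", "blogspot.com", "telegra.ph"}
# The report only says "shortened URLs" hide the destination; this list of
# public shorteners is an assumption made for the example.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy", "is.gd", "shorturl.at"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\b(?:pass(?:word)?|pw)\s*[:=]\s*(\S+)", re.IGNORECASE)
DEFENDER_RE = re.compile(
    r"(?:disable|turn\s+off|switch\s+off|deactivate)\s+(?:your\s+)?(?:windows\s+)?"
    r"(?:defender|antivirus|real[- ]time\s+protection)",
    re.IGNORECASE,
)
REASSURE_RE = re.compile(r"false\s+(?:alert|positive)|archive\s+is\s+clean", re.IGNORECASE)


def _host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _in(host: str, domains: set) -> bool:
    # Match the domain itself or any subdomain (e.g. something.blogspot.com).
    return any(host == d or host.endswith("." + d) for d in domains)


@dataclass
class LureReport:
    score: int = 0
    indicators: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    password: Optional[str] = None


def score_description(text: str) -> LureReport:
    """Score a video description for the lure pattern described in the report."""
    r = LureReport(urls=URL_RE.findall(text))
    for url in r.urls:
        host = _host(url)
        if _in(host, SHORTENERS):
            r.score += 2
            r.indicators.append(f"shortened link ({host})")
        elif _in(host, FILE_HOSTS):
            r.score += 2
            r.indicators.append(f"file-sharing download host ({host})")
        elif _in(host, LANDING_HOSTS):
            r.score += 2
            r.indicators.append(f"free-hosting landing page ({host})")
    m = PASSWORD_RE.search(text)
    if m:
        r.password = m.group(1)
        r.score += 3
        r.indicators.append("archive password shared in description")
    if DEFENDER_RE.search(text):
        r.score += 4
        r.indicators.append("tells the viewer to disable Defender/antivirus")
    if REASSURE_RE.search(text):
        r.score += 2
        r.indicators.append('"false alert" / "archive is clean" reassurance')
    return r


def is_suspicious(text: str, threshold: int = 6) -> bool:
    # Threshold is an arbitrary choice: a shared password plus a disable-AV
    # instruction alone (3 + 4) is enough; a lone file-host link (2) is not.
    return score_description(text).score >= threshold


# Constructed sample descriptions (not taken from any real video).
SAMPLE_LURE = """Adobe Photoshop 2024 FREE (working 2025)
Download: https://bit.ly/3xExampleLink
Password: 1234
Step 2: Temporarily disable Windows Defender before running Setup.exe
Don't worry - the archive is clean. Defender may trigger a false alert."""

SAMPLE_BENIGN = """Photoshop tutorial: remove a background in five minutes.
Official trial: https://www.adobe.com/products/photoshop.html
Music: https://www.youtube.com/audiolibrary"""

if __name__ == "__main__":
    for name, text in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        rep = score_description(text)
        print(f"{name}: score={rep.score} suspicious={is_suspicious(text)}")
        for ind in rep.indicators:
            print("  -", ind)
```

The script deliberately does not follow the shortened link; resolving it (a HEAD request from a sandboxed host) to see whether it lands on a file-sharing service would be the next triage step. The phrasing checks are easy to defeat by rewording, so treat the score as a prioritisation signal for analyst review, not a verdict.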

In most cases, the malware distributed is an infostealer. Lumma was initially the most distributed malware before its disruption, followed by Rhadamanthys, and the StealC and Redline infostealers have also been observed.

Compromised YouTube Accounts Distributed Malicious Pirated Photoshop

The report detailed two compromised YouTube channels and accounts.

The YouTube channel @Sound_Writer, with 9,690 subscribers, published videos that were mainly focused on cryptocurrency software and gaming. “Our analysis indicates that this account has been compromised for over a year, as evidenced by the appearance of malicious videos that differ significantly from the channel’s previous content,” Check Point said.

The account @Afonesio1, with approximately 129,000 subscribers, was compromised between December 3, 2024, and January 5, 2025, and has since uploaded four videos to distribute malware.

One of the account’s most viewed videos, with 291,155 views and 54 positive comments, “was used to lure unsuspecting viewers into downloading and executing a cracked version of Adobe Photoshop.”

Within the video’s description was a community message link and the password required to decompress the password-protected archive. The post “received approximately 1,200 likes and numerous positive comments praising the effectiveness of the software solution,” Check Point said. The shortened link in the post redirected users to Dropbox, where the file could be downloaded.

The archive contained a file named Adobe.Photoshop.2024.v25.1.0.120.exe, presented as a cracked build of Adobe Photoshop. “It remains unclear whether the positive comments originate from real users who inadvertently infected themselves or from ghost accounts promoting the malicious software with AI comments,” the report said.

“The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point concluded. “While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.