YouTube Ghost Malware Network With 3,000+ Malicious Videos Attacking Users to Deploy Malware

A sophisticated malware distribution campaign leveraging over 3,000 malicious YouTube videos has been uncovered, targeting users seeking pirated software and game cheats.

The YouTube Ghost Network represents a coordinated ecosystem of compromised accounts that exploit platform features to distribute information-stealing malware while creating false trust through fabricated engagement.

Active since 2021, the network has dramatically escalated operations in 2025, with malicious video production tripling compared to previous years.

The campaign primarily focuses on two high-traffic categories: game modifications and cracked software applications.

The most viewed malicious video advertises Adobe Photoshop, accumulating 293,000 views and 54 comments, while another promoting FL Studio reached 147,000 views.

These videos direct victims to file-sharing platforms where password-protected archives containing malware await download. Common passwords include “1337” and “2025”, with instructions consistently advising users to disable Windows Defender before execution.

Check Point researchers identified the network’s operational structure, revealing three distinct account roles working in coordination.

Video-accounts upload deceptive content with download links embedded in descriptions or pinned comments.

Post-accounts maintain community messages containing external links and archive passwords, frequently updating them to evade detection.

Interact-accounts generate artificial legitimacy by posting encouraging comments and likes, manipulating victims into believing the software functions as advertised.

The distributed malware consists primarily of infostealers, with Lumma dominating until its disruption between March and May 2025.

YouTube Ghost Network operation (Source – Check Point)

Following this takedown, threat actors pivoted to Rhadamanthys as their preferred payload. The latest Rhadamanthys variant (v0.9.2) communicates with command-and-control servers including hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n, exfiltrating credentials and sensitive user data.

Detection Evasion Through Technical Sophistication

The campaign employs multiple layers of evasion to bypass security measures and maintain persistence.

Attackers host files on legitimate platforms such as MediaFire, Dropbox, and Google Drive, exploiting user trust in these services.

Large archive files exceeding 189MB prevent automated virus scanning on Google Drive, while password protection blocks security solutions from analyzing contents.

Shortened URLs conceal true destinations, and phishing pages hosted on Google Sites further legitimize the operation.

The malware infrastructure demonstrates rapid adaptability, with actors updating payloads every three to four days and rotating command-and-control servers with each release.

MSI installer files exhibit low detection rates, with recent samples evading 57 of 63 security vendors on VirusTotal.

Timestamps on campaign updates indicate continuous operation, with recent variants compiled on September 21 and 24.

One analyzed archive contained HijackLoader as the initial payload, subsequently delivering Rhadamanthys with communication to hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3.

This short-lived build strategy prevents reputation-based blocking mechanisms from accumulating sufficient data to identify threats.
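The report gives its Rhadamanthys command-and-control URLs in defanged form. The following script, an added example rather than anything from Check Point's write-up, refangs those two indicators and runs them over a few constructed proxy log lines, flagging exact host/port/path matches as known C2 and same-host traffic on another port or path as a weaker lead, since the actors rotate servers with each release. The log format and client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as the report gives them (defanged).
REPORTED_C2 = [
    "hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n",
    "hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a real URL string."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def c2_indicators(defanged):
    """Build (host, port, path) tuples from a list of defanged C2 URLs."""
    out = []
    for ioc in defanged:
        u = urlsplit(refang(ioc))
        port = u.port or (443 if u.scheme == "https" else 80)
        out.append((u.hostname, port, u.path))
    return out

# Constructed proxy log lines (assumed format: "ts client method url status").
SAMPLE_PROXY_LOG = """\
2025-09-25T10:01:02Z 10.0.0.14 GET https://www.example.com/ 200
2025-09-25T10:01:09Z 10.0.0.14 POST https://94.74.164.157:8888/gateway/6xomjoww.1hj7n 200
2025-09-25T10:02:11Z 10.0.0.27 POST https://5.252.155.99/gateway/r2sh55wm.a56d3 200
2025-09-25T10:03:30Z 10.0.0.27 GET https://94.74.164.157/ 404
"""

def find_c2_hits(log_text, indicators):
    """Return (client, url, reason) for lines whose destination matches an indicator.
    Exact host+port+path is 'known-c2'; the same host on another port or path
    is 'host-only', worth a look because C2 servers rotate per release."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        for host, c2_port, path in indicators:
            if u.hostname == host and port == c2_port and u.path == path:
                hits.append((client, url, "known-c2"))
                break
            if u.hostname == host:
                hits.append((client, url, "host-only"))
                break
    return hits
```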

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.