YouTube ‘Ghost Network’ Spreads Infostealer via 3,000 Fake Videos – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More


Cybersecurity firm Check Point Research (CPR) has exposed the Ghost Network, a highly sophisticated, large-scale, and financially motivated “malware distribution operation.” While active since 2021, its malicious video output dramatically tripled in 2025, demonstrating a concerning increase in its effectiveness and scope.

CPR’s investigation identified and reported over 3,000 malicious videos, leading to a direct partnership with Google for their mass removal and disruption of the criminal activities.

A compromised account (Image credit: Check Point Research)

The Ghost Network’s Structure

According to CPR’s analysis, the network’s success lies in its modular, role-based structure, which is designed for resilience against platform bans. The operation is split into specialised, replaceable parts (modules), and the roles fall into three primary categories:

Video-accounts:

These are the primary distribution points, typically hijacked legitimate channels (some with high subscriber counts, like @Afonesio1) whose original content is wiped. The operators then upload fake, tutorial-style videos as the main lure.

Post-accounts:

These use less-monitored platform features, such as YouTube’s community posts, to distribute updated download links and the passwords for the malicious archives, so the attack remains viable even after the links in video descriptions are removed.

Interact-accounts:

These use automated bots to flood the comments with fake positive endorsements, artificially inflating the video’s engagement and creating an illusion of legitimacy.

This division of roles lets operators quickly replace any single banned account without disrupting the overall campaign. The most-watched malicious video in the research targeted Adobe Photoshop and had 293,000 views and 54 comments.

The Attack Chain: Lures, Payloads, and Evasion

The operation is a clear example of financially motivated cybercrime. It targets users searching for illicit digital goods, such as cracked software (Adobe Photoshop, Microsoft Office) or video game cheats (for Roblox). The infection begins when a user clicks a malicious link that leads to a file hosted on a trusted cloud service (Dropbox, MediaFire, or Google Drive), a choice that helps the download evade security controls that would block less reputable hosts.

The criminals then use social engineering to get the victim to download a password-protected archive and, critically, to disable anti-virus software such as Windows Defender before running it. The final payload is an infostealer (predominantly Lumma Stealer, before its disruption, or Rhadamanthys Stealer) designed to steal sensitive data, including browser credentials, session cookies, and cryptocurrency wallet information.

Attack Chain (Image credit: Check Point Research)

To keep the operation running, the threat actors rotate their command-and-control (C2) infrastructure every few days, evading automated detection and blocklisting. It must be noted that CPR has not publicly attributed this network to any known APT group.

This is not a new concept; the researchers note that it resembles the Stargazers Ghost Network previously found on GitHub. The key lesson, as Check Point Research concludes, is recognising “how easily trust can be manipulated at scale and how effective collaboration can be in countering it,” which makes coordinated defence mandatory.
