Over 3,000 YouTube Videos Distribute Malware Masquerading as Free Software


The YouTube Ghost Network, a malware distribution operation running on the platform, is spreading information-stealing malware through more than 3,000 fake videos that promise free software, using compromised accounts and fabricated engagement to make the lures look trustworthy.

YouTube has long been a go-to platform for entertainment, education, and tutorials, offering a video for nearly every interest. However, recent research from Check Point has unveiled a troubling aspect of the platform: a vast malware distribution network operating under the radar. This network, dubbed the Ghost Network, is using compromised accounts, fake engagement, and social engineering to spread information-stealing malware disguised as software cracks and game hacks.

Many victims fall prey to this scheme while searching for free or cracked software, cheat tools, or game hacks. This quest for “free” software serves as the entry point for the Ghost Network’s malicious traps.

According to Check Point Research, the Ghost Network has been active since 2021, with its operations surging threefold in 2025. The network employs a straightforward yet effective strategy that combines social manipulation with technical stealth. Its primary targets include individuals searching for “Game Hacks/Cheats” and “Software Cracks/Piracy.”

Researchers found that the videos associated with this network often feature positive comments, likes, and community posts from compromised or fake accounts. This orchestrated engagement creates a false sense of security for potential victims, leading them to believe the content is legitimate and widely trusted. Even when YouTube removes specific videos or channels, the network’s modular structure and the rapid replacement of banned accounts allow it to persist.

Once a user clicks on the provided links, they are typically directed to file-sharing services or phishing pages hosted on platforms such as Google Sites, MediaFire, or Dropbox. The linked files are frequently password-protected archives: a scanner that does not know the password cannot inspect the contents, so the payload is only exposed once the victim extracts it. Victims are also often told to disable Windows Defender before installation, effectively disarming their own protection before executing the malware.

Check Point’s investigation identified that the majority of these attacks deliver information-stealing malware such as Lumma Stealer, Rhadamanthys, StealC, and RedLine. These malicious programs are designed to harvest passwords, browser data, and other sensitive information, which is then sent back to the attackers’ command and control servers.

The resilience of the Ghost Network can be attributed to its role-based structure. Each compromised YouTube account serves a specific function: some upload malicious videos, others post download links, and a third group enhances credibility by engaging with the content through comments and likes. When an account is banned, it is quickly replaced, allowing the operation to continue largely uninterrupted.

Two significant campaigns were highlighted in Check Point’s findings. The first involved the Rhadamanthys infostealer, disseminated through a compromised YouTube channel named @Sound_Writer, which boasted nearly 10,000 subscribers. Attackers uploaded fake cryptocurrency-related videos and utilized phishing pages on Google Sites to distribute malicious archives. These pages instructed viewers to “turn off Windows Defender temporarily,” assuring them that any alerts were false. The archives contained executable files that silently installed the Rhadamanthys malware, which then connected to multiple control servers to exfiltrate stolen data.

The second campaign leveraged a larger channel, @Afonesio1, which had approximately 129,000 subscribers. Attackers uploaded videos claiming to offer cracked versions of popular software such as Adobe Photoshop, Premiere Pro, and FL Studio. One of these videos garnered over 291,000 views and featured numerous positive comments claiming the software functioned flawlessly. The malware was concealed within a password-protected archive linked through a community post. The installer employed HijackLoader to drop the Rhadamanthys payload, which connected to rotating control servers every few days to evade detection.

Even if users do not complete the installation, they may still be at risk. Simply visiting the phishing or file-hosting sites can expose them to malicious scripts or prompts for credential theft disguised as “verification” steps. Clicking the wrong link can compromise login data before any software is even installed.

The Ghost Network thrives on exploiting curiosity and trust. By disguising malware as “free software” or “game hacks,” it relies on users to act before thinking. To protect oneself, adopting habits that make it more difficult for attackers to succeed is crucial.

Most infections begin with individuals attempting to download pirated or modified programs. These files are often hosted on file-sharing websites where anyone can upload content and nothing is vetted. A polished YouTube video filled with positive comments is no guarantee of safety; the comments themselves are part of the scheme. Legitimate software vendors and game studios publish installers on their own domains or through established stores, not through download links dropped in YouTube descriptions or community posts.

In addition to the dangers posed by malware, downloading cracked software also carries legal risks. Piracy violates copyright law and can lead to serious consequences, while simultaneously providing cybercriminals with an effective delivery channel for malware.

Keep a trusted antivirus solution installed, updated, and running at all times. Real-time protection can flag a suspicious download and block a harmful file before it runs, and most products also warn about phishing pages and ransomware. That protection only works while the scanner can see the payload, which is exactly why these campaigns wrap it in a password-protected archive and tell the victim to switch protection off. Regular scans and automatic signature updates keep detection current against newly seen samples.

If a tutorial, installer, or readme instructs users to disable their security software, that is an immediate red flag. Malware distributors use this tactic because it is far easier than evading detection. A legitimate installer never needs real-time protection turned off, even temporarily; any download that asks for it should be deleted, not installed.

Always inspect links before clicking. Hover over them to verify the destination and avoid shortened or redirected URLs that may conceal their true targets. Downloads hosted on unfamiliar domains or file-sharing sites should be treated with caution. When seeking software, it is best to obtain it directly from the official website or trusted open-source communities.
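The three warning signs described above (a download link on a file host or behind a shortener, a post that tells the viewer to switch off Defender, and a password-protected archive with an executable inside) can be checked mechanically. The following is an added example, not tooling from Check Point or from the article: it runs those checks against a constructed video post and a constructed archive. The host and shortener lists, the post text, and the archive contents are all assumptions made for the example; the `_mark_encrypted` helper only sets the ZIP encryption flag so the sample carries the metadata of a password-protected archive without any real encryption.

```python
"""Triage checks for a "free software" download of the kind described above.

Added example, not tooling from Check Point or the article. Three checks on a
constructed post and a constructed archive:
  1. flag links that point at file-hosting services or URL shorteners;
  2. flag text that tells the viewer to switch off Defender or antivirus;
  3. read a ZIP's metadata (no extraction) and report encrypted entries and
     executables, the combination that keeps a payload out of a scanner's reach.
"""
import io
import re
import struct
import zipfile
from urllib.parse import urlparse

# Hosts the article names as delivery points, plus common shorteners.
# Assumption: an illustrative list, not an exhaustive or vetted one.
FILE_HOSTS = {"mediafire.com", "dropbox.com", "sites.google.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}
EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
DISABLE_AV_RE = re.compile(
    r"(turn\s+off|disable|switch\s+off|pause)\s+(?:your\s+|the\s+)?"
    r"(?:windows\s+)?(defender|antivirus|anti-virus|real-?time\s+protection)",
    re.IGNORECASE,
)


def _host_matches(url, domains):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_links(text):
    """Return (url, reason) pairs for links that deserve suspicion."""
    findings = []
    for url in URL_RE.findall(text):
        if _host_matches(url, SHORTENERS):
            findings.append((url, "shortener hides the real destination"))
        elif _host_matches(url, FILE_HOSTS):
            findings.append((url, "file-hosting service, not a vendor domain"))
    return findings


def asks_to_disable_av(text):
    """True if the post or readme tells the reader to switch protection off."""
    return DISABLE_AV_RE.search(text) is not None


def inspect_zip(data):
    """Read only the central directory and report what the archive holds."""
    report = {"entries": 0, "encrypted": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"] += 1
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                report["encrypted"].append(info.filename)
            if info.filename.lower().endswith(EXEC_SUFFIXES):
                report["executables"].append(info.filename)
    # An encrypted executable is exactly what a password-protected lure delivers.
    report["suspicious"] = any(n in report["encrypted"] for n in report["executables"])
    return report


# ---- constructed sample input (not captured from a real campaign) ----------

SAMPLE_POST = """Adobe Photoshop 2024 FULL VERSION FREE (works 100%)
Download: https://www.mediafire.com/file/abc123/Photoshop_2024.zip
Mirror: https://bit.ly/3xyzabc
Password: 1234. Turn off Windows Defender before installing, the alert is a false positive!
Official docs: https://helpx.adobe.com/photoshop.html
"""


def _mark_encrypted(zip_bytes, names):
    """Set flag bit 0 on the named entries in both the local file headers and
    the central directory, so the sample carries the metadata of a
    password-protected ZIP. Sample-building helper only; data stays plaintext."""
    buf = bytearray(zip_bytes)
    # (signature, flags offset, name-length offset, name offset) per header type
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                             (b"PK\x01\x02", 8, 28, 46)):
        pos = buf.find(sig)
        while pos != -1:
            name_len = struct.unpack_from("<H", buf, pos + len_off)[0]
            name = bytes(buf[pos + name_off:pos + name_off + name_len]).decode()
            if name in names:
                flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
                struct.pack_into("<H", buf, pos + flag_off, flags | 0x1)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample_archive():
    """Stand-in for the linked archive: an 'installer' marked encrypted beside
    a plain decoy readme (constructed, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Photoshop_2024/Setup.exe", b"placeholder bytes, not a real PE image")
        zf.writestr("Photoshop_2024/README.txt", b"run Setup.exe with Defender off")
    return _mark_encrypted(buf.getvalue(), {"Photoshop_2024/Setup.exe"})


if __name__ == "__main__":
    for url, why in flag_links(SAMPLE_POST):
        print(f"link: {url} -> {why}")
    print("asks to disable AV:", asks_to_disable_av(SAMPLE_POST))
    print("archive:", inspect_zip(build_sample_archive()))
```

The archive check deliberately reads only the central directory and never extracts anything, so it is safe to run on an untrusted download; a scanner that is handed the same file without the password has no more visibility than this, which is the whole reason the lure uses one.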

Enabling two-factor authentication (2FA) on important accounts adds a layer that a stolen password alone cannot get past. It is not a complete answer to infostealers, which lift saved passwords, browser data, and active session cookies; a stolen cookie can let an attacker into an account that is already logged in without the password or the second factor. After a suspected infection, sign out of all sessions and change passwords from a clean device. A password manager helps by generating and storing complex, unique passwords, limiting the damage from password reuse.

Software updates not only introduce new features but also fix security vulnerabilities that malware can exploit. Enabling automatic updates for systems, browsers, and commonly used applications is one of the simplest ways to prevent infections.

Even after securing a system, personal information may still be circulating online due to past breaches. A reliable data removal service can continuously scan and request the deletion of personal data from people-search and broker sites, making it more challenging for cybercriminals to exploit exposed information.

Cybercriminals have advanced beyond traditional phishing and email scams. By leveraging a platform built on trust and engagement, they have created a scalable, self-sustaining system for malware distribution. Frequent file updates, password-protected payloads, and shifting control servers make these campaigns difficult for both YouTube and security vendors to detect and dismantle.

Do you believe YouTube is doing enough to combat malware distribution on its platform? Share your thoughts with us at CyberGuy.com.

