Dissecting YouTube’s Malware Distribution Network

October 23, 2025

Research by: Antonis Terefos (@Tera0017)

Key Points

  • Check Point Research uncovered and analyzed the YouTube Ghost Network, a sophisticated and coordinated collection of malicious accounts operating on YouTube. These accounts systematically take advantage of YouTube’s features to promote malicious content, ultimately distributing malware while creating a false sense of trust among viewers.
  • Our investigation identified and reported more than 3,000 malicious videos associated with this network. The majority of these videos have been removed, significantly reducing the threat to the broader digital ecosystem. The network appears to have been active since at least 2021, maintaining a steady output of malicious content each year. Notably, in 2025, the creation of such videos has tripled, highlighting both the scalability and increasing effectiveness of this malware distribution campaign.
  • The network primarily targets the “Game Hacks/Cheats” and “Software Cracks/Piracy” categories, areas that continue to attract large numbers of potential victims. It is important to emphasize that the use of cracked software is illegal and that such versions frequently contain hidden malware. The most viewed malicious video in our dataset targets Adobe Photoshop, with 293,000 views and 54 comments, while the second most viewed targets FL Studio, with 147,000 views.
  • Prior to the disruption of the Lumma infostealer between March and May 2025, Lumma was the most frequently distributed malware within this network. Following this disruption, we observed a shift in threat actor tactics, with Rhadamanthys becoming the preferred infostealer. Overall, the majority of malware distributed via the YouTube Ghost Network consists of information-stealing malware (infostealers), posing a significant risk to user credentials and sensitive data.


Introduction

In recent years, threat actors have continuously adapted their tactics to discover new and effective methods for malware distribution. While email remains one of the most prominent infection vectors, its effectiveness has diminished due to widespread deployment of security solutions and increased user awareness. Consequently, attackers have sought alternative avenues to reach their targets more efficiently. One notable shift has been the use of malicious Google Ads campaigns, which redirect unsuspecting users to phishing pages designed to deliver malware. Through this approach, attackers cast a wide phishing net, luring users with seemingly legitimate “advertised” content.

More recently, Check Point Research has identified a further evolution in this threat landscape, the emergence of Ghost Networks across multiple platforms. A Ghost Network is defined as a collection of fake or “ghost” accounts operating as a service, manipulating platform engagement mechanisms to disguise malicious activities as benign and enable large-scale malware distribution. The first fully documented instance of such a network was the Stargazers Ghost Network, which operates on GitHub. In this case, ghost accounts host malicious repositories that appear trustworthy, deceiving victims into downloading malicious software.

In this publication, Check Point Research examines another Ghost Network, this time operating on YouTube, which leverages over 3,000 malicious videos with the primary objective of distributing malware. Accounts within these networks are often compromised, and legitimate content is frequently hijacked to host malicious material. These videos typically receive positive engagement, such as likes and encouraging comments, fostering a false sense of trust among viewers. The most frequently targeted content categories are “Game Hacks/Cheats” and “Software Cracks/Piracy”, which continue to attract a substantial number of potential victims, despite the fact that cracking software is illegal and cracked versions often carry hidden malware.

Activity associated with this network appears to have initiated around 2021, coinciding with a marked increase in malicious YouTube videos and likely indicating the network’s inception. From 2021 through 2024, the volume of such videos remained relatively stable. However, in 2025, despite the year not yet being complete, the number of malicious videos has already tripled compared to previous years, highlighting a significant upward trend and underscoring the growing effectiveness of this distribution method.

YouTube Ghost Network

The YouTube Ghost Network is a collection of malicious accounts operating on YouTube. These accounts take advantage of various platform features, such as videos, descriptions, posts (a lesser-known YouTube feature similar to a Facebook post) and comments, to promote malicious content and distribute malware while creating a false sense of trust. The majority of the network consists of compromised YouTube accounts, which, once added, are assigned specific operational roles. This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation.

The three primary roles are as follows:

  1. Video-accounts upload “phishing” videos and provide descriptions containing links to download the purported software. To further enhance legitimacy, these accounts often respond to comments from “users” on the malicious videos. After uploading, they may update the description with fresh links.
  2. Post-accounts are responsible for publishing community messages and posts. These accounts share the external download links and the passwords for password-protected archives. They frequently update these posts with new links and passwords. In some cases, video-accounts may also share the external link and password directly. This type of account possibly uses AI to engage with comments under the videos.
  3. Interact-accounts endorse malicious content by posting positive comments or liking videos and posts, thereby making it appear safe and trustworthy.

Figure 1 — YouTube Ghost Network operation.

In addition to the typical methods described above, we have observed several variations in the tactics employed by video-accounts:

  1. Sharing the external link directly in the description.
  2. Sharing the link as a pinned comment.
  3. Not sharing any links either in the description or in the comments, instead sharing the password and link during the video “installation” process.

The external links provided typically redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites, Blogspot, or Telegraph (telegra.ph). These pages contain further links to download the malicious software. Frequently, shortened URLs are used to hide the true destination of the external link.

Figure 2 — Typical description, with 1337 archive password.

The description of such videos follows a typical “structure”, with a download link and password shared. Step-by-step instructions are often provided, commonly advising users to “temporarily” disable Windows Defender. In most cases, the malware distributed is an infostealer, designed to exfiltrate user information and credentials to a malicious command and control (C2) server.
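The description pattern just described can be turned into a triage heuristic. The following is an added example, not code from the report or from Check Point: it scores a video description on the signals named above (links to the file-hosting and free-page services listed, a published archive password, and an instruction to disable Windows Defender) using constructed sample descriptions with placeholder URLs; the weights and the threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Link destinations named in the report: file-hosting services and free page builders.
FILE_HOSTS = ("mediafire.com", "dropbox.com", "drive.google.com")
PAGE_HOSTS = ("sites.google.com", "blogspot.com", "telegra.ph")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# "Password: 1337", "pass = 1337", "archive password is 1337". A separator is
# required so that the phrase "password-protected" is not read as a password.
PASSWORD_RE = re.compile(r"\b(?:pass(?:word)?|pw)\s*(?:is\s+|[:=]\s*)(\S+)", re.I)
# "Turn off Windows Defender temporarily", "disable your antivirus first"
DISABLE_AV_RE = re.compile(
    r"\b(?:turn\s*off|switch\s*off|disable|deactivate)\b[^.\n]{0,30}?"
    r"\b(?:windows\s*defender|defender|antivirus|real[- ]?time\s+protection)\b", re.I)


@dataclass
class Assessment:
    score: int
    reasons: list


def _host(url):
    m = re.match(r"https?://([^/?#:\s]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_description(text):
    """Score one description; weights are assumptions for this example."""
    score, reasons = 0, []
    for url in URL_RE.findall(text):
        host = _host(url)
        if _in(host, FILE_HOSTS):
            score += 2; reasons.append(f"file-host download link: {host}")
        elif _in(host, PAGE_HOSTS):
            score += 2; reasons.append(f"free-page link (possible phishing page): {host}")
    m = PASSWORD_RE.search(text)
    if m:
        score += 3; reasons.append(f"archive password published: {m.group(1)}")
    if DISABLE_AV_RE.search(text):
        score += 4; reasons.append("tells viewer to disable Windows Defender/antivirus")
    return Assessment(score, reasons)


def is_suspicious(text, threshold=5):
    return assess_description(text).score >= threshold


# Constructed sample descriptions (placeholder URLs, not real links).
MALICIOUS_DESC = ("Download: https://sites.google.com/view/example-placeholder\n"
                  "Password: 1337\n1. Turn off Windows Defender temporarily\n"
                  "2. Unpack and run Setup.exe")
MIDDLE_DESC = "Link: https://www.mediafire.com/file/example-placeholder\nPass: 1337\nEnjoy!"
BENIGN_DESC = ("Thanks for watching! Source: https://github.com/example/project\n"
               "Docs: https://example.org/docs")

if __name__ == "__main__":
    for name, desc in (("malicious", MALICIOUS_DESC), ("middle", MIDDLE_DESC), ("benign", BENIGN_DESC)):
        a = assess_description(desc)
        print(f"{name}: score={a.score} suspicious={is_suspicious(desc)} {a.reasons}")
```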

Check Point Research has been monitoring the YouTube Ghost Network for approximately a year and has identified multiple malware families, primarily infostealers, with Lumma and Rhadamanthys being among the most prevalent. From 2024 until the disruption of Lumma between March and May 2025, Lumma was the most frequently distributed malware. Following this disruption, threat actors shifted to distributing Rhadamanthys as the preferred infostealer.

  • Rhadamanthys
  • Lumma Stealer
  • StealC
  • RedLine
  • 0debug and other Phemedrone variants
  • NodeJS based loaders and downloaders


Campaign I – Rhadamanthys

The YouTube channel @Sound_Writer, with 9,690 subscribers, has published several videos primarily focused on cryptocurrency software and gaming, accumulating approximately 24,000 views in total. Our analysis indicates that this account has been compromised for over a year, as evidenced by the appearance of malicious videos that differ significantly from the channel’s previous content.

Figure 3 — Compromised account for more than a year.

One video, which has garnered around 10,000 views, advertises cryptocurrency software and instructs viewers to follow a link provided in the description. This link redirects users to a phishing page hosted on sites.google.com, created by the threat actor, which also shares the password for a password-protected archive containing the malicious payload.

Figure 4 — 10,000 views on a video over a year old.

Although the shared archive is malicious, the software does not function as claimed, and the executable is not bundled with any legitimate application, the video has received 42 comments, the majority of which are overwhelmingly positive and encourage viewers to download and execute the program. These comments are likely posted by compromised or malicious accounts, further convincing victims to proceed with the installation.

Figure 5 — Positive Comments under the video.

Victims are redirected to the phishing site hosted on Google, where they are given installation instructions. A common step in these guides is “Turning off Windows Defender”, so that the malware eventually runs on an unprotected machine. Full message:

Turn off Windows Defender temporarily
Don't worry — the archive is clean. Defender may trigger a false alert due to the way Setup.exe works with installations.


Figure 6 — Google Sites phishing page.

During this campaign, the threat actor utilized two different platforms to host the same malicious file, providing redundancy and increasing stealth in case one instance was detected or reported. Another observed tactic is the upload of large files, which are often overlooked by automated scanning systems. Additionally, password-protected archives are used to evade inspection, as security solutions cannot decompress and analyze the contents without the password.
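A gateway or sandbox can at least flag the two evasion properties described here before any content scan is attempted. The following is an added example, not code from the report or from Check Point: it reads the encryption flag from a ZIP central directory (which needs no password) and applies a size limit; the size threshold is an assumption, the archive is constructed in code, and the check covers ZIP only (the RAR format used in Campaign II has its own header layout).

```python
import io
import struct
import zipfile

# Size above which an archive is routed to manual review; a policy assumption
# for this example, not a value from the report.
LARGE_ARCHIVE_BYTES = 500 * 1024 * 1024


def encrypted_members(blob):
    """Names of members whose general-purpose flag bit 0 (encryption) is set.
    The flag sits in the central directory, so no password is needed to read it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def review_archive(blob):
    """Return the policy findings for one archive (empty list means nothing to flag)."""
    findings = []
    if len(blob) > LARGE_ARCHIVE_BYTES:
        findings.append(f"archive exceeds scan limit ({len(blob)} bytes)")
    members = encrypted_members(blob)
    if members:
        findings.append("password-protected members: " + ", ".join(members))
    return findings


def build_sample_zip(encrypted):
    """Constructed sample: a one-member ZIP. With encrypted=True the encryption
    flag bit is set in both the local and central-directory headers; the data
    stays in the clear, which is enough to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Set-up.exe", b"MZ" + bytes(62))  # fake PE stub
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header starts at offset 0; its flags field is at offset 6.
        struct.pack_into("<H", data, 6, struct.unpack_from("<H", data, 6)[0] | 0x1)
        # Central directory header: flags field is 8 bytes after its signature.
        cd = data.find(b"PK\x01\x02")
        struct.pack_into("<H", data, cd + 8, struct.unpack_from("<H", data, cd + 8)[0] | 0x1)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_zip(False)), ("protected", build_sample_zip(True))):
        print(label, review_archive(blob) or ["no findings"])
```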

Figure 7 — Large file no scan.

The archive contains multiple files designed to masquerade as legitimate software. Based on compilation and modification timestamps, the campaign likely began on 8 September.

Figure 8 — Archive content.

The delivered payload is the latest version of Rhadamanthys infostealer (v0.9.2), which was observed communicating with the command-and-control (C2) endpoint hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n.

On 23 September, the threat actor replaced the original payload with a new version and updated the links on their sites.google.com phishing page. This campaign continues to distribute fresh malware, leveraging YouTube as a primary distribution channel.

Figure 9 — Newer campaign, file upload from Germany.

Subsequently, the actor switched to new Rhadamanthys v0.9.2 control servers: openai-pidor-with-ai[.]com:6343 and 178[.]16.53.236:6343, using the path /gateway/pqnrojhl.adc7k. The actor’s low-effort updates enable continuous distribution of the Rhadamanthys infostealer, significantly increasing the campaign’s persistence and reach.

Campaign II – HijackLoader & Rhadamanthys

The YouTube account @Afonesio1, with approximately 129,000 subscribers, was compromised between December 3, 2024, and January 5, 2025. Since the compromise, the account has uploaded four videos to distribute malware.

Figure 10 — Video with 291,000 views and 54 comments distributing malware.

One of the most viewed videos, with 291,155 views and 54 positive comments, was used to lure unsuspecting viewers into downloading and executing a cracked version of Adobe Photoshop.

Figure 11 — Positive comments suggesting cracked software works.

Within the video’s description, a community message link and the password required to decompress the password-protected archive are provided. The community post also includes the download link and archive password. This post received approximately 1,200 likes and numerous positive comments praising the effectiveness of the software solution. The short link shared in the post redirects users to Dropbox, where the file can be downloaded: hxxps://www.dropbox[.]com/scl/fi/9cwpoorh4xmxxpyssxdwi/Adobe.Premiere.Pro.2025.rar?rlkey=d1p8taclagn2brrdrg0qlic47&st=23bxjuyi&dl=1

Figure 12 — Account post with shared link, archive password and comments.

The specific account and post are responsible for distributing the latest link, which delivers a password-protected archive. This account has previously published multiple posts promoting various software products, including Adobe Photoshop, Adobe Premiere Pro, Lightroom, Filmora, FL Studio, and CorelDRAW. Notably, these applications appeal to a targeted audience of YouTubers and other content creators, suggesting that the threat actor may be deliberately tailoring their campaign toward this demographic.

Figure 13 — Multiple account posts for each “software solution”.

The downloaded archive contains an MSI file with both compilation and modification timestamps of 21 September, indicating the likely start date of the campaign. The same file was first observed on VirusTotal on that date, exhibiting a low detection rate.

Figure 14 — Malicious MSI with low detection rate.

Notably, the archive also contains a file named Adobe.Photoshop.2024.v25.1.0.120.exe, which is in fact a cracked version of Adobe Photoshop. It remains unclear whether the positive comments originate from real users who inadvertently infected themselves or from ghost accounts promoting the malicious software with AI comments.

Figure 15 — Cracked Photoshop.

The MSI installer within the archive contains multiple files. Analysis of the CustomAction table using lessmsi reveals that the executable bw97v41m.exe is launched first, before being written to disk as Remote-Vector32.exe. The payload identified is HijackLoader, which subsequently delivers the Rhadamanthys infostealer. In this campaign, Rhadamanthys was observed communicating with the command-and-control (C2) server at hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3.

On 24 September, the attacker updated the archive and added new download links. The updated Rhadamanthys malware communicates with hxxps://5.252[.]155.231/gateway/3jw9q65j.b3tit. The VirusTotal detection score for this sample was even lower than previous submissions, indicating a high likelihood that the attack could evade detection by most antivirus solutions.

Figure 16 — Updated MSI file.

The attacker appears to release a new version of the malware every three to four days, rotating control servers (C2s) with each update. These short-lived builds and frequent C2 changes undermine reputation-based detection mechanisms. Each new sample and C2 endpoint appears new to security systems, preventing the accumulation of reputation data and making it more difficult to block the campaign.
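Because exact-match IoC lists lag behind a C2 rotated every few days, a structural rule is a useful complement. The following is an added example, not code from the report or from Check Point: it matches proxy log entries first against the C2 endpoints published in this report and then against the path shape those endpoints share (/gateway/ followed by eight alphanumerics, a dot and five more), with bare-IP destinations and non-standard ports as supporting signals. Treating that shape as a detection rule is my assumption drawn from the four paths on this page, and the log lines are constructed, with a documentation-range address standing in for a never-seen C2.

```python
import re
from urllib.parse import urlsplit

# All four Rhadamanthys C2 paths quoted in this report share one shape:
# /gateway/<8 lowercase alphanumerics>.<5 lowercase alphanumerics>
GATEWAY_PATH_RE = re.compile(r"^/gateway/[a-z0-9]{8}\.[a-z0-9]{5}$")
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# C2 endpoints published in this report, kept defanged as printed.
KNOWN_C2_DEFANGED = [
    "hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n",
    "hxxps://openai-pidor-with-ai[.]com:6343/gateway/pqnrojhl.adc7k",
    "hxxps://178.16.53[.]236:6343/gateway/pqnrojhl.adc7k",
    "hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3",
    "hxxps://5.252.155[.]231/gateway/3jw9q65j.b3tit",
]


def refang(ioc):
    """Turn the report's defanged notation back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


KNOWN_C2 = {refang(u) for u in KNOWN_C2_DEFANGED}


def classify_url(url):
    """Return (verdict, reasons): 'known_c2' on an exact IoC hit, 'suspected_c2'
    on a structural hit that no IoC list has seen yet, otherwise 'clean'."""
    if url in KNOWN_C2:
        return "known_c2", ["exact match to a published C2 endpoint"]
    parts = urlsplit(url)
    if not GATEWAY_PATH_RE.match(parts.path):
        return "clean", []
    reasons = ["Rhadamanthys-style /gateway/<8>.<5> path"]
    if BARE_IPV4_RE.match(parts.hostname or ""):
        reasons.append("bare IP destination")
    if parts.port not in (None, 443):
        reasons.append(f"non-standard port {parts.port}")
    return "suspected_c2", reasons


# Constructed proxy log, "<timestamp> <client> <method> <url> <status>".
# 198.51.100.23 (documentation range) stands in for a rotated, never-seen C2.
SAMPLE_LOG = """\
2025-09-24T10:01:02Z 10.0.0.5 GET https://5.252.155.99/gateway/r2sh55wm.a56d3 200
2025-09-24T10:03:11Z 10.0.0.5 GET https://198.51.100.23:6343/gateway/k2m9d7qa.z1b4c 200
2025-09-24T10:04:40Z 10.0.0.9 GET https://cdn.example.org/gateway/index.html 200
2025-09-24T10:05:00Z 10.0.0.9 GET https://www.example.com/api/gateway/abcdefgh.12345 200
"""


def scan_log(text):
    """Return (client, verdict, url, reasons) for every request that is not clean."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; skip rather than guess
        client, url = fields[1], fields[3]
        verdict, reasons = classify_url(url)
        if verdict != "clean":
            hits.append((client, verdict, url, reasons))
    return hits


if __name__ == "__main__":
    for client, verdict, url, reasons in scan_log(SAMPLE_LOG):
        print(client, verdict, url, "; ".join(reasons))
```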

Figure 17 — Campaign update after three days.


Network Statistics

Targeting users through Ghost Networks is analogous to casting nets across the web: users must approach on their own and essentially infect themselves. To attract these users, threat actors offer a variety of tailored solutions designed to appeal to specific audiences. By analyzing more than 3,000 video titles, we identified and categorized the user groups that were most frequently targeted and most actively engaged.

Figure 18 — Targeted audience categories.

The most targeted game in the “Game Hacks/Cheats” category is Roblox, with 380 million monthly active users and about 111.8 million daily active users. In the “Software Cracks/Piracy” category, Adobe products are the primary targets, with Photoshop and Lightroom leading the list. The most viewed malicious video in our dataset targets Adobe Photoshop, amassing 293,000 views and 54 comments, while the second most viewed targets FL Studio, with 147,000 views. Although the game category contains a greater number of videos, its total view counts are significantly lower than those in the software category.

Conclusion

The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses. While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.

The YouTube Ghost Network, as uncovered in our investigation, exemplifies this new paradigm. By systematically compromising accounts and assigning them specialized roles, such as content creation, community engagement, and trust-building, threat actors are able to maintain operational continuity even in the face of account bans or takedowns. This modular, role-based structure not only increases the resilience of the network but also enables rapid adaptation to platform countermeasures, making detection and disruption significantly more challenging for defenders.

Our analysis of over 3,000 malicious videos revealed a clear targeting strategy: content is tailored to appeal to high-engagement user groups, such as gamers seeking cheats and individuals searching for cracked or pirated software. The use of positive comments, likes, and community posts further amplifies the perceived legitimacy of these campaigns, increasing the likelihood of user interaction and self-infection. The sharp rise in malicious video uploads in 2025, tripling previous years’ volumes, underscores the scalability and growing effectiveness of this distribution model.

The technical sophistication of these campaigns is further evidenced by the use of password-protected archives, redundant hosting platforms, and frequent updates to both payloads and command-and-control (C2) infrastructure. These tactics are specifically designed to evade automated detection, reputation-based blocking, and manual review by both platform operators and security vendors.

The implications for the cybersecurity community are significant. As threat actors continue to innovate, collaboration between security researchers, platform providers, and law enforcement becomes increasingly critical. Proactive threat intelligence sharing, rapid takedown of malicious content, and continuous improvement of detection technologies are essential to counteract these evolving threats. Additionally, user education remains a vital line of defense: individuals must be made aware of the risks associated with downloading software from unofficial sources and of the deceptive tactics employed by cybercriminals.

Check Point Research’s comprehensive investigation into the YouTube Ghost Network has not only exposed the operational playbook of these actors but has also led to tangible disruption. By reporting over 3,000 malicious videos to Google, we have directly contributed to the dismantling of this network and the protection of countless users worldwide. However, the persistence and adaptability of these campaigns highlight the need for ongoing vigilance, innovation, and cross-sector cooperation to safeguard the digital ecosystem against the next generation of malware distribution strategies.

Protections

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.

Indicators of Compromise

