Vulnerability on YouTube: This is how malware is distributed on a large scale

Last update: 04/12/2025
Author: Isaac
  • Malware campaigns on YouTube rely on stolen accounts, trust signals, and legitimate services such as Google Drive or Dropbox to deceive users.
  • Networks like the YouTube Ghost Network distribute infostealers and RATs (Lumma, Rhadamanthys, RedLine, DCRat) through fake tutorials, cracks, and game cheats.
  • Cybercriminals combine phishing, cookie theft, and copyright extortion to take control of channels and force the spread of malicious links.
  • Protection requires strengthening account security, avoiding downloads from video descriptions, and using reliable, up-to-date security solutions.

YouTube security and malware distribution

In recent years, YouTube has become a prime target for cybercriminals. They have found in the platform a perfect showcase to reach millions of users with increasingly sophisticated malware campaigns. What were once isolated cases of videos with dubious downloads have now turned into organized networks that abuse legitimate channels, recommendation algorithms, and trust signals such as likes and positive comments.

At the same time, content creators and viewers alike find themselves in a scenario where the appearance of legitimacy no longer guarantees safety. Account hijacking, extortion of YouTubers, infostealer Trojans, hidden cryptocurrency miners, and remote access tools are just some of the pieces of a rapidly evolving criminal ecosystem that uses YouTube as one of its preferred vectors.

YouTube Ghost Network: a massive network of compromised channels


One of the most striking operations recently uncovered is the one known as YouTube Ghost Network, a massive network of compromised YouTube accounts used to spread malware through videos that look completely normal. This campaign, investigated in depth by Check Point Research, has been active since 2021 and has kept growing in intensity, to the point that its volume of activity tripled during 2025.

According to the researchers' analysis, the network has published more than 3,000 malicious videos. Most of them are presented as tutorials, guides, or software demonstrations offering "free" downloads or "cracked" versions. Google has confirmed that it removed most of these videos after receiving the reports, but the mere fact that such a campaign lasted so long illustrates how well the attackers have learned to exploit the platform's trust.

The main trick is to leverage YouTube's own reputation signals: view counts, likes, complimentary comments, and a professional-looking channel. The result is that, to the average user, these videos seem just as reliable as (or even more reliable than) any legitimate tutorial, when in reality they are carefully designed traps to sneak malware onto the victim's computer.

As Eli Smadja, head of the research group at Check Point, summarized, what many users perceive as a simple help video can turn into a perfectly orchestrated cyber trap. That is the essence of this new wave of campaigns: malware is no longer presented crudely, but embedded in seemingly useful content.

How YouTube's Ghost Network works and what makes it so dangerous

The so-called Ghost Network is not limited to uploading malicious videos from a handful of accounts. It functions as an organized, modular criminal structure in which each account has a defined role and the campaign keeps running even if part of the infrastructure is dismantled by YouTube.

The researchers describe a very clear division of tasks, in which accounts are assigned specific functions to keep the operation running:

  • Video accounts: the channels responsible for uploading the "main" videos. They promote pirated commercial software (for example, supposed cracks for Adobe Photoshop or Microsoft Office), cheats for games like Roblox, or cryptocurrency-related tools. The download links, which actually lead to malware, are placed in the description or in pinned comments.
  • Post-accounts: these accounts focus on publishing messages in the YouTube community tab, including external links that point to trap pages, file hosting services, or sites with chained redirects.
  • Interact-accounts: another group of profiles is dedicated almost exclusively to liking, subscribing, and leaving positive comments on the network's videos, with the aim of artificially inflating their credibility and improving their position in the platform's recommendations.

Thanks to this role-based structure, the network is able to withstand moderation actions. When YouTube removes some channels or takes down certain videos, others quickly take their place, maintaining the flow of new posts and malicious links.

The links shared in these campaigns do not point directly to a suspicious executable. They typically redirect to services that users perceive as trustworthy, such as MediaFire, Dropbox, or Google Drive, as well as pages hosted on Google Sites, Blogger, or Telegraph, and many victims pass through one or more URL shorteners before reaching the final file. These shorteners obscure the true destination, making automated detection more difficult. It is therefore useful to know how to identify the real type of a downloaded file.


At a technical level, the variety of threats distributed through the Ghost Network is extensive. Among the prominent names are Lumma Stealer, Rhadamanthys Stealer, StealC, RedLine, Phemedrone, and various Node.js-based loaders. Most of these families are infostealers that specialize in stealing login credentials, cookies, cryptocurrency wallet data, and other sensitive information stored in the browser.

Specific channels used to spread Trojans and infostealers

Beyond the global statistics, the research identified specific cases of very popular channels that were hijacked and turned into malware distribution tools. This reinforces the idea that attackers prefer to leverage accounts with an established subscriber base rather than starting from scratch.

One example is the channel @Sound_Writer, with nearly 9,700 subscribers. The account was compromised for over a year. During that time, videos related to cryptocurrencies were uploaded, ostensibly offering tools or software for investing in or managing digital assets. What the user actually downloaded was the Rhadamanthys stealer, capable of stealing credentials and financial data.

Another particularly striking case was that of the channel @Afonesio1, with approximately 129,000 subscribers. In late 2024 and early 2025, a video appeared on this channel that supposedly offered a pirated version of Adobe Photoshop. That content garnered over 291,000 views and more than 1,000 likes, demonstrating how an established channel can generate enormous traction even when it has been compromised without its followers realizing it.

In this last case, the downloaded file was a fake installer that first deployed a loader (Hijack Loader) and then Rhadamanthys itself. Once inside the system, the malware began extracting credentials, cryptocurrency data, and other information useful to the attackers, sending it to remote command and control servers.

Along with RedLine and other families featured in similar campaigns, these infostealers have become a key element of modern cybercrime, because they feed forums and dark web markets where packages of stolen credentials are sold ready to be reused in fraud, account hijacking, and other attacks.

YouTube account theft: phishing, infostealers, and extortion

In order to use legitimate channels as a megaphone for their campaigns, attackers first need to seize control of content creators' accounts. Various strategies come into play here, although phishing remains one of the preferred methods because of its effectiveness.

ESET research has detailed how cybercriminals send fraudulent emails to YouTubers, simulating sponsorship or commercial collaboration proposals. In these messages, the alleged advertiser attaches a link (usually to Dropbox or another cloud service) that supposedly contains the contract, terms and conditions, or advertising campaign materials.

Upon opening that file, the victim does not find a simple PDF but infostealer-type malware. The malicious code includes scripts capable of deleting browser cookies and forcing the user to re-enter their credentials. At that moment, the login credentials and, in many cases, the two-factor authentication codes are secretly sent to the attacker's server.

Once they have captured the credentials, the criminals take full control of the Google account associated with the YouTube channel. From there they can change recovery emails and passwords, revoke legitimate access and, in many cases, completely delete the creator's original content and replace it with videos designed solely to distribute malware.

The consequences for the victims can be devastating: channel closure, loss of monetization, a sharp drop in followers, and even reputational damage, since users may believe the creator posted the malicious links themselves. Regaining control of the account is not always immediate, and in some cases restoring all the lost content or trust is impossible.

Extortion of YouTubers and use of cryptocurrency miners

In addition to direct account theft, even more twisted campaigns have been detected, in which cybercriminals extort content creators so that they themselves spread the malware. In these operations, analyzed by Kaspersky's GReAT team, the lever of pressure is copyright claims.

The scheme works like this: the attackers file two fraudulent copyright claims against a YouTuber's channel. As many creators know, accumulating three strikes of this type can lead to the permanent closure of the channel. Taking advantage of this fear, the cybercriminals contact the victim and threaten to file a third strike if they don't cooperate.

Next, they offer a supposed "agreement", which consists of the creator promoting on their channel a tool or link provided by the attackers. What the YouTuber usually does not know is that this program has been modified to install SilentCryptoMiner, cryptocurrency mining malware that consumes resources on users' computers without their knowledge.

Kaspersky telemetry data indicates that, in one of these campaigns, more than 2,000 users ended up infected after downloading the manipulated tool. One of the compromised channels, with approximately 60,000 subscribers, posted several videos containing malicious links that garnered over 400,000 views. The file hosted on a fraudulent website registered more than 40,000 downloads.


To camouflage themselves better, the attackers started from legitimate software designed to evade Deep Packet Inspection (DPI) and modified it. The malicious version retained the original functionality, so the tool appeared to do exactly what it promised, while at the same time installing the cryptocurrency miner in the background. The result is a noticeable drop in device performance and an increase in power consumption.

When security solutions detect and remove the malicious components, the rigged installer goes so far as to recommend that the user disable their antivirus software, displaying messages such as: "File not found. Disable all antivirus software and download the file again, it will help!" This tactic aims to further weaken the system's protection and increase the infection rate.

DCRat and other campaigns targeting gamers and anime fans

Within the universe of threats linked to YouTube, a very clear focus on gamers and anime communities has also been observed. These groups, which are especially active on the platform, are an ideal target for everything related to cheats, mods, game cracks, and free software.

Kaspersky investigations uncovered a campaign in which the attackers upload videos to fake or stolen accounts promising cracks or cheats for video games, often focusing on popular titles or anime-style content. The download links provided in the description do not lead to the promised software, but to the DCRat (DarkCrystal RAT) Trojan.

DCRat is a RAT (Remote Access Trojan) distributed under the Malware-as-a-Service (MaaS) model. This means that any cybercriminal with enough money can rent it and take advantage of its features without needing to be an expert in cybersecurity or programming. Its capabilities include complete remote control of Windows machines, keystroke logging, webcam access, and the ability to install over thirty additional add-ons.

This Trojan, first discovered in 2018, has been used in this new campaign since the beginning of 2025. The victims detected so far are concentrated mainly in China, Belarus, Kazakhstan, and Russia, and the researchers have noted that the addresses of the command and control servers contain Russian slang linked to anime fan communities.

For users who consume this type of content, the combination of attractive aesthetics, promises of in-game advantages, and a seemingly legitimate channel drives the level of suspicion down to a minimum. Hence the importance of keeping a critical eye even when the video perfectly matches our interests and tastes.

Mass campaigns with RedLine, Racoon Stealer and other infostealers

Beyond specific cases, various investigations have confirmed that malware campaigns on YouTube can escalate very quickly when account theft, automation, and mass video uploads are combined. For example, an analysis published in 2021 described how attackers created 81 new channels with approximately 100 videos in just 20 minutes.

At that time, two well-known infostealers were being distributed: RedLine Stealer and Racoon Stealer. Each spread through different sets of videos and links, but with the same logic: tutorials on cryptocurrencies, mining, program cracks, "free" licenses, and guides to using certain tools, always accompanied by a download link in the description.

The links, depending on the malware family, could be shortened URLs that redirected to file hosting services (in the case of RedLine) or direct links to domains like "taplink", where the Racoon Stealer binary was hosted. To the user, the videos looked identical to any other tutorial of the same style, which explains the high number of downloads.

Once installed, these Trojans act silently and persistently, collecting browser login passwords, bank details, cookies, and information stored in email clients, VPN and FTP clients, and other programs; they can even take screenshots and execute remote commands. In the specific case of RedLine, various reports have indicated that a large share of the credentials circulating on the dark web were stolen precisely through this malware.

Google, for its part, has acknowledged on several occasions that it is aware of these campaigns and is working to block the malicious activity. Its technical measures include closing channels, automated detection of suspicious patterns, and reviewing external links. However, the speed at which new accounts are created and videos are uploaded makes the battle a constant one.

Abuse of legitimate platforms and exploitation of social trust

One element common to all these campaigns is that they no longer rely solely on shady websites or obviously suspicious email attachments, but on perfectly legitimate platforms: YouTube, Google Drive, Dropbox, MediaFire, Blogger, Google Sites, GitHub, or similar services.


This change is part of a broader trend in which threat actors are professionalizing their use of social media and trusted services to camouflage their operations. Instead of trying to lure the victim to an unknown, shoddy-looking domain, they rely on channels with thousands of subscribers, inflated popularity metrics, and recommendation systems that do the rest of the work.

Check Point and other security firms emphasize that manipulating trust on the platform marks a new frontier in social engineering. It is no longer enough to check whether an email has spelling mistakes or whether a website looks "weird"; now we must also question very well-produced videos with hundreds of positive comments when what they offer sounds too good to be true (such as cracks, free licenses, or shortcuts to bypass restrictions).

In this context, YouTube's social interaction mechanisms (likes, comments, community posts, subscriptions) become tools that attackers can exploit to their advantage. Fake or compromised accounts interact with each other to create an appearance of normalcy, causing the platform's algorithms to recommend even more of that content to new users.

At the same time, the use of services such as Google Drive, MediaFire, or GitHub to host the files adds another layer of trust, since many users assume that if the link points to a well-known service it can't be that dangerous. This, combined with URL shorteners and redirects, makes it harder for security solutions to block the infection chain in time.
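As an added illustration of the link chain described in this section and in the Ghost Network section above (this is not code from the article, nor from Check Point, ESET or Kaspersky), the following Python script triages the links in a video description the way a moderator or analyst might: it flags URL shorteners, the file and page hosting services the article names, direct archive or executable downloads, and the crack/free/cheat lure wording. The shortener list, the scores and the threshold are assumptions chosen for this example, and the sample description is constructed.

```python
"""Triage links found in a YouTube video description.

Added illustration, not code from the article or the research teams it cites.
Host lists and lure words come from the campaigns the article describes; the
shortener list, scores and threshold are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Services the article names as intermediate hops or final file hosts.
FILE_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com", "github.com",
              "sites.google.com", "blogspot.com", "telegra.ph", "taplink.cc"}
# Common public shorteners (assumed list; the article names none specifically).
SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "t.co", "goo.gl", "rb.gy"}
# Lure vocabulary of the fake tutorials described in the article.
LURE_WORDS = re.compile(r"\b(crack(ed)?|free|cheat|keygen|license|activat\w*)\b", re.I)
ARCHIVE_OR_EXE = re.compile(r"\.(exe|zip|rar|7z|msi|bat|scr|js)$", re.I)
URL_RE = re.compile(r"https?://[^\s)>\"']+")

def host_of(url):
    """Lower-cased hostname without a leading 'www.'."""
    host = urlparse(url).netloc.lower()
    return host[4:] if host.startswith("www.") else host

def _in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def score_url(url, description):
    """Return (score, reasons); a higher score looks more like the chain above."""
    host, path = host_of(url), urlparse(url).path
    checks = [
        (_in(host, SHORTENERS), 2, "URL shortener hides the real destination"),
        (_in(host, FILE_HOSTS), 2, "file/page host that lends borrowed trust"),
        (bool(ARCHIVE_OR_EXE.search(path)), 3, "direct archive/executable download"),
        (bool(LURE_WORDS.search(description)), 1, "lure wording (crack/free/cheat)"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons

def triage_description(description, threshold=3):
    """Extract every link and flag those scoring at or above the threshold."""
    findings = []
    for url in URL_RE.findall(description):
        score, reasons = score_url(url, description)
        findings.append({"url": url, "score": score,
                         "reasons": reasons, "flag": score >= threshold})
    return findings

# Constructed sample description, modelled on the fake-tutorial lures above.
SAMPLE = """Photoshop 2025 FREE cracked version!! Works 100%
Download: https://bit.ly/ps-free-2025 (password 1234)
Mirror: https://www.mediafire.com/file/abc123/Setup_Photoshop.zip
Official docs: https://helpx.adobe.com/photoshop.html"""

if __name__ == "__main__":
    for f in triage_description(SAMPLE):
        print(("FLAG " if f["flag"] else "ok   ") + f["url"], f["reasons"])
```

Run on the sample, the shortener and the MediaFire archive are flagged while the vendor documentation link is not; the same scoring can be pointed at pinned comments or community posts, which the article describes as the other two places these links appear.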

Protection measures for users and content creators

Given this scenario, both those who consume videos and those who create them need to strengthen their security habits to reduce the risk of falling into these types of traps. It's not just a matter of having an antivirus installed, but of combining several layers of technical protection and common sense.

For users who watch videos on YouTube, some basic but effective recommendations are:

  • Do not download software, cracks, games, or tools from links in YouTube descriptions or comments, especially if they promise pirated versions, free licenses, or suspiciously generous perks.
  • Verify the authenticity of the channel: review the video history, the channel creation date, whether there are sudden changes in theme, and whether the comments seem natural or forced.
  • Keep your operating system and applications up to date, because many of the vulnerabilities exploited by malware are fixed in the latest versions.
  • Use a reliable security solution capable of detecting infostealers, RATs, and cryptocurrency miners, and never disable it just because an installer asks you to.
  • Be alert for unusual device behavior, such as overheating, performance drops, high CPU usage, or excessive battery consumption, which may indicate the presence of a miner or other type of malware.

For their part, content creators should adopt an even stricter stance, since their channels have become a prime target for attackers. Some key good practices are:

  • Be extremely cautious with emails about "sponsorships" or collaborations that include attachments or external links to download alleged contracts or materials.
  • Enable two-factor authentication (2FA) on the Google account associated with the channel, preferably using an authenticator app or physical security keys.
  • Regularly review login activity and the devices connected to the account, and revoke any unknown access.
  • Use long, unique passwords managed with a password manager, avoiding reusing passwords across different services.
  • If you suspect a compromise, follow Google's support guidelines: recover the account, change the password, review permissions, revert unwanted changes to the channel and, if it has been closed, file an official appeal.

Google also offers a dedicated support channel for members of the YouTube Partner Program, which is especially useful when it comes to recovering a channel with a lot of activity or associated revenue.

This entire network of campaigns demonstrates that the combination of social engineering, abuse of trusted platforms, and modular malware has taken threat distribution on YouTube to a new level. From networks like the YouTube Ghost Network to extortion schemes with fake copyright claims, covert cryptocurrency miners, and infostealers like RedLine, Racoon, Lumma, or Rhadamanthys, the current scenario forces users and creators to move with much more caution, relying on up-to-date security tools, responsible digital habits, and a healthy distrust of any video that promises miraculous downloads or shortcuts that seem too good to be true.
