Check Point Research (CPR) has uncovered a sophisticated, large-scale malware distribution campaign on YouTube, dubbed the “YouTube Ghost Network.” This coordinated network of fake and compromised accounts has been systematically weaponizing the world’s largest video platform to distribute information-stealing malware and manipulate viewer trust.
The newly identified YouTube Ghost Network is described as “a sophisticated and coordinated collection of malicious accounts operating on YouTube” that leverages the platform’s own engagement tools to promote and deliver malware.
According to Check Point, the campaign has been active since 2021, but its activity has sharply escalated in 2025, with “the creation of such videos tripling compared to previous years.”
The researchers said they identified and reported over 3,000 malicious videos, most of which have since been removed by YouTube. These videos primarily targeted high-interest categories such as “Game Hacks/Cheats” and “Software Cracks/Piracy”, which are notorious magnets for unsuspecting users seeking free or modified software.

“The most viewed malicious video in our dataset targets Adobe Photoshop, with 293,000 views and 54 comments, while the second most viewed targets FL Studio, with 147,000 views,” CPR noted, illustrating the vast reach of the campaign.
CPR defines a Ghost Network as “a collection of fake or ‘ghost’ accounts operating as a service, manipulating platform engagement mechanisms to disguise malicious activities as benign and enable large-scale malware distribution.”
The network’s structure is modular and role-based, designed for persistence and scalability even after takedowns.
- Video accounts upload the malicious content and provide links in descriptions or pinned comments.
- Post accounts share download links and passwords via YouTube community posts.
- Interact accounts add fake engagement — likes, replies, and positive comments — to make malicious content appear trustworthy.
This coordinated structure enables seamless replacement of banned accounts and continuous distribution. “Banned accounts can be rapidly replaced without disrupting the overall operation,” CPR explains.
Attackers often embed links to file-sharing platforms such as MediaFire, Dropbox, or Google Drive, where the payloads are stored in password-protected archives, frequently accompanied by instructions to “temporarily disable Windows Defender” — a classic lure to disarm basic security protections.
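The lure pattern described above (a file-sharing link, an archive password, and an instruction to switch off Windows Defender) is easy to triage automatically. The following Python script is an added example written for this page, not Check Point's tooling or anything from the report: it scores a description or community post against a handful of regex rules, extracts any URLs in defanged form for a report, and runs on two constructed sample posts. The rule weights and the threshold of 5 are illustrative assumptions, and the file-host list is only the services named in the article.

```python
import re
from typing import Dict, List

# Constructed sample posts (not taken from the Check Point report) that imitate
# the description / community-post pattern the article describes.
SAMPLES = {
    "lure_post": (
        "Photoshop 2025 cracked, full version free!!\n"
        "Download: https://www.mediafire.com/file/abc123/setup.rar\n"
        "Password: 1234\n"
        "IMPORTANT: temporarily disable Windows Defender before installing, "
        "it gives a false positive."
    ),
    "benign_post": (
        "New tutorial on layer masks is up. Project files are on my site, "
        "link in the pinned comment. Thanks for 10k subs!"
    ),
}

# File-sharing hosts the article names as common payload locations.
FILE_HOSTS = ("mediafire.com", "dropbox.com", "drive.google.com", "sites.google.com")

# Each rule: (name, compiled regex, weight). Weights are an assumption for
# illustration, not a tuned model.
RULES = [
    ("file_share_link",
     re.compile(r"https?://\S*(" + "|".join(re.escape(h) for h in FILE_HOSTS) + r")", re.I), 2),
    ("archive_password",
     re.compile(r"\b(pass(word)?|pw)\s*[:=]\s*\S+", re.I), 2),
    ("disable_av",
     re.compile(r"\b(disable|turn\s+off|deactivate)\b.{0,40}"
                r"\b(defender|antivirus|anti-virus|av|real-?time protection)\b", re.I), 3),
    ("false_positive_claim", re.compile(r"false\s+positive", re.I), 1),
    ("crack_keywords",
     re.compile(r"\b(crack(ed)?|free\s+(full\s+)?version|keygen|cheat|hack)\b", re.I), 1),
]

SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for flagging a post for review

URL_RX = re.compile(r"https?://[^\s\"'<>]+", re.I)


def score_post(text: str) -> Dict[str, object]:
    """Return the rule hits, the summed weight and a flag for one post's text."""
    hits: List[str] = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= SUSPICIOUS_THRESHOLD}


def defang(url: str) -> str:
    """Render a URL inert for reports: hxxp scheme and [.] in the host part only."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.lower().replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def extract_links(text: str) -> List[str]:
    """All URLs in the post, defanged, so they can be logged without being clickable."""
    return [defang(m.group(0)) for m in URL_RX.finditer(text)]


if __name__ == "__main__":
    for label, post in SAMPLES.items():
        result = score_post(post)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']} "
              f"hits={result['hits']} links={extract_links(post)}")
```

The `disable_av` rule carries the highest weight on purpose: a legitimate installer has no reason to ask the user to turn off antivirus, so that instruction alone is close to a verdict, while a file-sharing link or a keyword like "free version" is only weak evidence on its own. The output is meant as a triage queue for a channel owner reviewing comments or a platform abuse team, not as an automatic takedown decision.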
Check Point’s year-long monitoring revealed that the Ghost Network primarily serves as a delivery channel for infostealers — malware designed to exfiltrate credentials, crypto wallets, and browser data.
“From 2024 until the disruption of Lumma between March and May 2025, Lumma was the most frequently distributed malware. Following this disruption, we observed a shift in threat actor tactics, with Rhadamanthys becoming the preferred infostealer,” CPR reports.
Other malware families delivered through the campaign include StealC, RedLine, and Phemedrone variants, alongside Node.js-based loaders and downloaders.
In one documented campaign, a compromised YouTube channel with 9,690 subscribers uploaded videos claiming to offer cryptocurrency software. The linked phishing page, hosted on Google Sites, contained instructions encouraging viewers to “turn off Windows Defender temporarily” before executing the payload — a modified Rhadamanthys infostealer v0.9.2 communicating with a command-and-control server at 94.74.164[.]157:8888/gateway/6xomjoww.1hj7n.
A separate campaign compromised a verified YouTube channel with over 129,000 subscribers, using it to distribute cracked versions of Adobe Premiere Pro and Photoshop. One video promoting Adobe Photoshop 2025 received 291,000 views and 54 positive comments, while the associated community post gained 1,200 likes — all bolstering credibility for an infected MSI installer hosted on Dropbox.
The malicious installer delivered HijackLoader, which then deployed the Rhadamanthys infostealer, contacting multiple rotating C2 endpoints. Each update replaced previous links and servers every few days, “undermining reputation-based detection mechanisms.”
By analyzing over 3,000 video titles, Check Point identified two primary victim demographics: gamers and creative professionals.
- Game-related lures (e.g., Roblox, Fortnite cheats) target a massive global audience — Roblox alone has over 380 million monthly active users.
- Software-related lures target digital creators searching for cracked or pirated tools like Adobe Photoshop, Lightroom, FL Studio, and CorelDRAW.
While game-hack videos were more numerous, the cracked software videos drove significantly higher view counts, indicating a more effective infection vector.
Check Point warns that the YouTube Ghost Network represents a new paradigm in malware distribution — one that blends social engineering, automation, and platform manipulation.
“These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns,” the researchers conclude.
This method allows attackers to operate under the cover of legitimate user activity, making traditional detection methods — like domain reputation or email filtering — ineffective.