A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft. A new investigation by Check Point Research has exposed a campaign dubbed the “YouTube Ghost Network,” where a new, heavily obfuscated malware loader named GachiLoader is lurking behind innocent-looking video links.
The campaign targets users looking for cracked software or game cheats, leveraging the implicit trust viewers place in established YouTube channels.
The “YouTube Ghost Network” isn’t a new phenomenon, but its latest evolution is particularly dangerous. Attackers hijack legitimate YouTube accounts to upload videos promoting “cracked” software, trainers, or cheats. These videos contain links to external file hosting platforms where the malware awaits.
“The threat actors behind the YouTube Ghost Network exploit the trust in the YouTube platform to trick victims into downloading malware,” the report states.

The star of this malicious show is GachiLoader, a new loader written in Node.js. Unlike typical binary malware, this script-based threat uses heavy obfuscation to hide its true intent.
Once executed, GachiLoader acts as a bridge, paving the way for the final payload: Rhadamanthys, a notorious information stealer designed to harvest credentials and sensitive data from infected machines.
What makes GachiLoader stand out to security researchers is not just its choice of language, but its injection method. The malware deploys a second-stage component called Kidkadi, which employs a “novel technique for Portable Executable (PE) injection”.
Instead of using standard injection methods that security tools often flag, Kidkadi takes a devious route. “This technique loads a legitimate DLL and abuses Vectored Exception Handling to replace it on-the-fly with a malicious payload”. This sleight of hand allows the malware to execute under the radar of many endpoint protection systems.
“The threat actor behind GachiLoader demonstrated proficiency with Windows internals, coming up with a new variation of a known technique”, the researchers note.
Analyzing obfuscated Node.js malware is notoriously tedious. To ease this work, Check Point Research developed a new tool to help analysts cut through the obfuscation noise.
As the campaign continues to evolve, users are urged to be skeptical of “too good to be true” offers on YouTube, especially those promising free access to paid software.
“Users should be particularly cautious of offers for cracked software, cracks, trainers, or cheats, as these files are frequently laced with malware designed to steal data and/or compromise a device”, the report warns.
While YouTube and security vendors work to dismantle these networks, the “Ghost Network” proves that on the internet, phantoms are persistent. “While both the security community and YouTube actively work to identify and remove such content, these attacks remain persistent”.