- A network of YouTube accounts has been spreading malware by publishing videos that link to harmful downloads.
- The network, active since 2021 and dubbed the YouTube Ghost Network, has published over 3,000 malicious videos.
- The videos typically promote pirated software and game cheats to attract viewers and deliver information-stealing malware (stealers).
- The network uses a role-based structure in which compromised accounts perform specific tasks, so operations continue even when some accounts are removed.
- The method exploits YouTube's engagement signals (views, likes, comments, and community posts) to build trust and distribute malware effectively.
A group of YouTube accounts has been identified as part of a malicious network that publishes and promotes videos leading to malware downloads. This activity, ongoing since 2021, uses the popular video platform to distribute harmful software by exploiting user trust.
Named the YouTube Ghost Network by Check Point, which uncovered it, the group has uploaded more than 3,000 malicious videos, a count that has tripled since early 2025. Google has taken down many of the affected videos following the discovery.
The network hijacks YouTube accounts and replaces their content with videos promoting pirated applications and Roblox game cheats. Backed by view counts in the hundreds of thousands (roughly 147,000 to 293,000 on individual videos), these videos entice viewers into downloading stealer malware, which harvests credentials and other data from infected devices.
“This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe,” stated Eli Smadja, security research group manager at Check Point. “What looks like a helpful tutorial can actually be a polished cyber trap. The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponize engagement tools to spread malware.”
These tactics are part of a wider trend of attackers abusing legitimate platforms for malicious ends. The network relies on compromised accounts assigned distinct roles: video-accounts upload the phishing videos, post-accounts publish community messages, and interact-accounts build credibility by liking and commenting. This division of labor keeps the network operational even when individual accounts are banned.
“The majority of the network consists of compromised YouTube accounts, which, once added, are assigned specific operational roles. This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation,” explained security researcher Antonis Terefos.
Links in video descriptions and comments typically lead to cloud storage services or phishing pages, often via URL shorteners that hide the true destination. The malware delivered includes Lumma Stealer, Rhadamanthys Stealer, and RedLine Stealer.
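The practical check a defender wants here is to expand a shortened link hop by hop, without ever opening the final page, and flag chains that pass through a shortener or land on a file-hosting service. The following script is an added example written for this article, not code from Check Point or from the report; the shortener and cloud-storage host lists are illustrative, and the sample description and redirect table are constructed so the script runs offline (swap in a real resolver built on a HEAD request with redirects disabled to use it live).

```python
"""Triage links from video descriptions/comments: spot URL shorteners and
cloud-storage landing hosts, and walk redirect chains one hop at a time
without executing anything the final page serves."""
import re
from urllib.parse import urlparse

# Illustrative host lists (assumption: extend from your own threat intel).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy", "is.gd"}
CLOUD_STORAGE_HOSTS = {"mediafire.com", "mega.nz", "drive.google.com",
                       "dropbox.com", "disk.yandex.ru"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname with a leading 'www.' stripped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def extract_urls(text):
    return URL_RE.findall(text)


def expand_chain(url, fetch_location, max_hops=8):
    """Follow HTTP redirects one hop at a time.

    `fetch_location(url)` must return the Location header from a single
    request made with redirects disabled (for live use, e.g.
    requests.head(url, allow_redirects=False).headers.get("Location")),
    or None when the response is not a redirect. Returns the URLs visited,
    stopping on loops or after `max_hops` hops.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def triage(text, fetch_location):
    """One finding per URL in `text`: its expanded chain plus risk flags."""
    findings = []
    for url in extract_urls(text):
        chain = expand_chain(url, fetch_location)
        hosts = [host_of(u) for u in chain]
        findings.append({
            "url": url,
            "chain": chain,
            "via_shortener": any(h in SHORTENER_HOSTS for h in hosts),
            "lands_on_cloud_storage": hosts[-1] in CLOUD_STORAGE_HOSTS,
        })
    return findings


# Constructed sample data standing in for a scraped description and for live
# HEAD responses, so the example runs offline.
SAMPLE_DESCRIPTION = (
    "Free Photoshop 2025 crack, password 1234! Download: https://bit.ly/ps-free "
    "Discord: https://discord.gg/example"
)
FAKE_REDIRECTS = {
    "https://bit.ly/ps-free": "https://example-phish.test/get",
    "https://example-phish.test/get": "https://www.mediafire.com/file/abc/setup.zip",
}


def fake_fetch_location(url):
    """Offline stand-in for a redirect-disabled HEAD request."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for f in triage(SAMPLE_DESCRIPTION, fake_fetch_location):
        flag = "SUSPECT" if f["via_shortener"] or f["lands_on_cloud_storage"] else "ok"
        print(flag, " -> ".join(f["chain"]))
```

The resolver is injected rather than hard-wired so the same logic can be run against a fixture in a test harness and against live hosts from an isolated analysis box; in either case only the redirect hops are recorded, and the payload URL is never fetched.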
Specific compromised channels include @Sound_Writer, with nearly 9,700 subscribers, and @Afonesio1, with 129,000 subscribers. The latter was used to advertise cracked Adobe Photoshop installers that delivered malware loaders.
Check Point noted, “The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses. Adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks.”
