A massive cyber campaign called the “YouTube Ghost Network” has been exposed, revealing how cybercriminals used over 3,000 YouTube videos to spread dangerous malware. The operation cleverly abused YouTube’s popularity and user trust to deliver malicious software to unsuspecting users worldwide.
According to researchers at Check Point, this malicious network has been active since 2021 and has seen explosive growth this year, with the number of infected videos tripling in 2025. While Google has removed most of these harmful videos, the campaign highlights a growing and dangerous trend in cyberattacks that use trusted online platforms to trick users.
Hackers gained access to legitimate YouTube accounts and replaced their original videos with malicious content promoting pirated software, cracked tools, and Roblox game cheats. These videos appeared genuine and often racked up hundreds of thousands of views, ranging from 147,000 to nearly 300,000.
The main goal was to lure users into downloading malware hidden behind links in the video descriptions, pinned comments, or even shown directly in the videos. These links led to malware such as Rhadamanthys Stealer, Lumma Stealer, StealC, and RedLine Stealer, which can steal passwords, cryptocurrency wallets, browser data, and more.
Eli Smadja, Security Research Group Manager at Check Point, said:
“This operation took advantage of trust signals like views, likes, and comments to make malicious content appear safe. What looks like a helpful tutorial is actually a polished cyber trap.”
The YouTube Ghost Network’s strength lies in its social engineering tactics. By using legitimate accounts with real followers and engagement, the attackers made their malicious content seem trustworthy. The campaign used a role-based structure to stay resilient even after account bans.
Here’s how it worked:
- Video Accounts – Uploaded tutorial or software-related videos containing fake download links or malware installers.
- Post Accounts – Published community posts with links to external malware-hosting sites.
- Interact Accounts – Posted positive comments and liked the malicious videos to boost credibility and visibility.
This structured approach made the operation difficult to detect and easy to rebuild. Even if YouTube removed some accounts, new ones could quickly replace them, keeping the network active.
The malicious download links often led to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on Google Sites, Blogger, and Telegraph. Many of these URLs were shortened to hide their true destination and make them look legitimate.
Two compromised YouTube channels used in this campaign included:
- @Sound_Writer (9,690 subscribers): Used for over a year to spread fake cryptocurrency software containing Rhadamanthys Stealer.
- @Afonesio1 (129,000 subscribers): Compromised in December 2024 and January 2025 to distribute a fake cracked version of Adobe Photoshop that deployed Hijack Loader, which then delivered Rhadamanthys malware.
Check Point researchers explained that the Ghost Network model has become increasingly popular among cybercriminals. These networks are designed to maintain operational continuity—even if one part of the operation is removed, others continue functioning.
“Ghost Networks” rely on hacked accounts, role-based coordination, and trust signals from social platforms to spread malware at scale. Unlike traditional malware campaigns, which rely on phishing emails or direct downloads, Ghost Networks turn legitimate platforms—like YouTube, GitHub, or even ad networks—into malware distribution ecosystems.
This strategy has also been seen in campaigns like the Stargazers Ghost Network, which misused GitHub repositories to spread malware under the guise of open-source projects.
The use of trusted platforms like YouTube for cyberattacks presents a serious challenge for both users and platform providers. People tend to believe that videos with high engagement are safe, but as this campaign shows, popularity metrics can be manipulated.
Attackers now use video tutorials, cracked software, and gaming cheats as bait—topics known to attract millions of views. Once a victim follows the malicious link and runs the downloaded file, the malware silently installs and begins stealing sensitive data.
Check Point warns that this marks a shift in cybercrime tactics, from traditional phishing methods to platform-based social deception.
“The ongoing evolution of malware distribution methods shows how adaptable and resourceful threat actors have become,” the company said. “Adversaries are using legitimate engagement tools and trusted accounts to run large-scale, persistent, and highly effective malware campaigns.”
To avoid falling victim to such schemes, cybersecurity experts recommend the following:
- Avoid downloading pirated or cracked software—these are often laced with malware.
- Check the legitimacy of links before clicking. Avoid shortened URLs or files from unknown sources.
- Keep your antivirus and OS updated to detect known threats.
- Be skeptical of too-good-to-be-true offers in YouTube tutorials or game cheat videos.
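The link pattern described above (bait wording, shortened URLs, file-sharing hosts and free blog or site hosts used as landing pages) is easy to turn into a triage check for video descriptions and pinned comments. The script below is an added example, not Check Point's tooling: the host lists are taken from the services named in this article plus an assumed shortener list, and the sample description is constructed.

```python
import re
from urllib.parse import urlparse

# Hosts named in the article: landing pages on Google Sites, Blogger and Telegraph;
# payloads on MediaFire, Dropbox and Google Drive. Shortener list is an assumption.
LANDING_HOSTS = {"sites.google.com", "blogspot.com", "blogger.com", "telegra.ph"}
PAYLOAD_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "cutt.ly", "t.ly", "rb.gy"}
# Bait themes the campaign relied on (cracked software, cheats); "crack" covers "cracked".
BAIT_WORDS = ("crack", "free download", "cheat", "keygen", "activator")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def host_matches(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)

def classify_url(url):
    """Return (category, host) for one URL found in a description or comment."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host_matches(host, SHORTENER_HOSTS):
        return "shortener", host
    if host_matches(host, PAYLOAD_HOSTS):
        return "file-share", host
    if host_matches(host, LANDING_HOSTS):
        return "landing-page", host
    return "other", host

def triage(text):
    """Score a description or pinned comment; returns (score, findings).
    Bait wording counts 1 each, each off-platform link 2, and the
    combination of both (the pattern the article describes) adds 2."""
    bait = [w for w in BAIT_WORDS if w in text.lower()]
    flagged = [(c, h) for c, h in map(classify_url, URL_RE.findall(text)) if c != "other"]
    score = len(bait) + 2 * len(flagged)
    if bait and flagged:
        score += 2
    findings = [f"bait:{w}" for w in bait] + [f"{c}:{h}" for c, h in flagged]
    return score, findings

# Constructed sample description in the style the article describes (not a real post).
SAMPLE_DESCRIPTION = """Photoshop 2025 cracked - full version free download
Link: https://bit.ly/xxxxxx (password in pinned comment)
Mirror: https://www.mediafire.com/file/abc123/setup.zip"""

if __name__ == "__main__":
    print(triage(SAMPLE_DESCRIPTION))
```

A platform or SOC team would run this over description and comment text already collected; it does not resolve shortened links, so it stays offline and never touches the attacker's infrastructure.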
As social media and content platforms continue to evolve, so do the tactics of cybercriminals. The YouTube Ghost Network serves as a reminder that not all popular videos are safe—and that even trusted platforms can become powerful tools for spreading malware.