Dissecting YouTube's Malware Distribution Network
Oct. 24, 2025, 11:49 a.m.
Description
Check Point Research uncovered a sophisticated malware distribution campaign operating on YouTube, dubbed the YouTube Ghost Network. The network uses over 3,000 malicious videos to spread malware, primarily targeting users seeking game cheats and pirated software. The operation relies on compromised accounts with distinct roles: video uploaders, community posters, and interaction simulators that inflate engagement to make the content appear legitimate. The network has been active since 2021, with a significant increase in activity in 2025. It mainly distributes infostealer malware, most commonly Lumma and Rhadamanthys. The campaign employs various tactics to evade detection, including password-protected archives and frequent updates to payloads and C2 infrastructure. This research highlights the evolving nature of malware distribution methods and the need for enhanced cybersecurity measures.
Date
- Created: Oct. 23, 2025, 1:51 p.m.
- Published: Oct. 23, 2025, 1:51 p.m.
- Modified: Oct. 24, 2025, 11:49 a.m.