⚠️ MEDIUM threat

Researchers Expose YouTube Ghost Network Distributing Malware

Check Point researchers mapped a resilient malware distribution operation across YouTube that used more than 3,000 videos and a mix of hijacked and fake channels to deliver infostealers such as Lumma and Rhadamanthys. The network leveraged video content, community posts, and comment farms to build trust and direct viewers to password-protected archives hosted on cloud storage services. The lures commonly instructed users to disable security protections and install cracked software; the resulting installers executed stealer families that target browser data and credential stores. Google removed thousands of videos following the takedown, but the distributed, role-based nature of the campaign—video accounts, post accounts, and interact accounts—makes it resilient to partial removals. Defenders should focus on content filtering, blocking known payload hosting domains, and educating users that cracked-software lures often deliver malware.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Medium — consumers and corporate endpoints are exposed via platform content; credential theft can seed corporate compromise. Technical Context: Ghost networks use compromised legitimate accounts to evade reputation-based detection.

Strategic Intelligence Guidance

  • Block payload hosting domains and restrict downloads of cracked software in enterprise environments.
  • Educate user populations about platform-based malware lures and enforce safe download policies.
  • Ensure endpoint protection can detect Lumma and Rhadamanthys families and associated IOCs.
  • Coordinate with platform abuse teams to report and remove malicious networks.
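The lure chain described above (a video referrer leading to an archive download from a file-hosting service) is something a proxy or web-gateway log can surface without any campaign-specific indicators. The script below is an added example written for this brief, not code from Check Point or Google: the six-field log format, the watched file-hosting hosts, and the sample log lines are all constructed placeholders, and the video-platform referrer suffixes are an assumption about where the organisation's users encounter these lures.

```python
"""Proxy-log triage for video-lure -> archive-download chains.

Added example: the log format, watched hosts and sample lines are constructed
placeholders, not indicators from the report.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Hypothetical watchlist of file-hosting hosts the organisation chooses to
# monitor. Placeholders only; replace with your own list.
WATCHED_HOSTS = {"files.example-cloud.test", "share.example-drive.test"}
# Assumed referrer suffixes for the video platform named in the brief.
VIDEO_PLATFORM_SUFFIXES = ("youtube.com", "youtu.be")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


@dataclass
class Finding:
    user: str
    url: str
    referrer: str
    reasons: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def matches_suffix(host: str, suffixes: Iterable[str]) -> bool:
    """True when host equals a suffix or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> Optional[dict]:
    """Parse the constructed six-field format: ts user method url referrer status."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, referrer, status = parts
    return {"ts": ts, "user": user, "method": method, "url": url,
            "referrer": referrer, "status": status}


def assess(rec: dict) -> Optional[Finding]:
    """Flag an archive download that also carries at least one lure-chain signal."""
    path = urlparse(rec["url"]).path.lower()
    if not path.endswith(ARCHIVE_EXTENSIONS):
        return None  # only archive downloads are of interest here
    reasons = ["archive download"]
    if host_of(rec["url"]) in WATCHED_HOSTS:
        reasons.append("watched file-hosting host")
    if rec["referrer"] != "-" and matches_suffix(host_of(rec["referrer"]),
                                                 VIDEO_PLATFORM_SUFFIXES):
        reasons.append("referred from video platform")
    if len(reasons) == 1:
        return None  # an archive on its own is not suspicious
    return Finding(rec["user"], rec["url"], rec["referrer"], reasons)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run assess() over raw log lines, skipping malformed ones."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = assess(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one benign video visit, one benign document download,
# and three archive downloads with differing amounts of lure-chain context.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z alice GET https://files.example-cloud.test/dl/setup_pro.zip https://www.youtube.com/watch?v=abc123 200",
    "2024-01-01T10:01:00Z bob GET https://www.youtube.com/watch?v=abc123 - 200",
    "2024-01-01T10:02:00Z carol GET https://share.example-drive.test/f/report.pdf https://intranet.example.test/ 200",
    "2024-01-01T10:03:00Z dave GET https://cdn.vendor.example.test/installer.zip https://youtu.be/xyz789 200",
    "2024-01-01T10:04:00Z erin GET https://files.example-cloud.test/dl/data.7z https://intranet.example.test/ 200",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.user}: {f.url} [{', '.join(f.reasons)}]")
```

The rule deliberately requires two signals (archive plus either a watched host or a video-platform referrer) so that ordinary archive downloads from vendor sites are not reported; findings with all three signals are the ones worth a user follow-up about the cracked-software lure.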

Vendors

Google

Threats

Lumma, Rhadamanthys

Targets

Consumers, Corporate Endpoints