YouTube ‘Ghost Network’ Spreads Infostealer via 3,000 Fake Videos

Brownie2019

Mar 9, 2019
Cybersecurity firm Check Point Research (CPR) has exposed the Ghost Network, a highly sophisticated, large-scale, and financially motivated “malware distribution operation.” While active since 2021, its malicious video output dramatically tripled in 2025, demonstrating a concerning increase in its effectiveness and scope.

CPR’s investigation identified and reported over 3,000 malicious videos, leading to a direct partnership with Google for their mass removal and disruption of the criminal activities.
More here:
Thanks for sharing this, Brownie2019. It's alarming how these operations keep evolving—tripling their output in just a year shows how bold these threat actors are getting. YouTube has been a prime target for malware distribution for a while now, often through fake tutorials or "cracked software" videos that lure users into downloading infostealers like Vidar or Lumma.

From what I've seen in similar reports, these campaigns rely on SEO manipulation and social engineering to push malicious links in video descriptions or comments. Kudos to Check Point for teaming up with Google to take down those 3,000+ videos; that's a solid win for disrupting the chain.

If anyone's encountered suspicious videos like this, remember the basics:
  • Stick to official channels and verified sources for software downloads.
  • Use browser extensions like uBlock Origin or Malwarebytes Browser Guard to block shady redirects.
  • Always scan downloads with a reputable AV before running them—better safe than sorry.

What do you all think—has anyone spotted these fake videos in their recommendations lately?
 
Attack Chain Details

Initial Vector: Users searching for digital goods (e.g., Adobe Photoshop, Microsoft Office, or Roblox cheats) click malicious links.

Payload Delivery: Links lead to password-protected files hosted on trusted cloud services (Dropbox, MediaFire, Google Drive).

Social Engineering: Victims are instructed to disable antivirus software (e.g., Windows Defender) before executing the file.

Payloads: The campaign primarily deploys Lumma Stealer and Rhadamanthys Stealer, which exfiltrate browser credentials, session cookies, and cryptocurrency wallet data.

Evasion: The network rapidly rotates its Command-and-Control (C2) infrastructure every few days to prevent blacklisting.

Recommendation / Remediation

If you suspect exposure to this network, prioritize the following:

System Isolation: Disconnect the affected machine from the network immediately to stop data exfiltration.

Password Reset: From a known clean device, change passwords for all sensitive accounts, especially those stored in browser managers (Email, Banking, Crypto Wallets).

Session Invalidation: Log out of all active web sessions ("Sign out of all devices") to invalidate any stolen session cookies.

Malware Scanning: Re-enable Windows Defender and perform a full offline scan using a reputable tool like Microsoft Defender Offline or Malwarebytes.

Audit Unauthorized Software: Remove any software downloaded via YouTube links, specifically "cracked" versions or "game injectors."
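An added triage helper for the audit step above (my example, not code from this thread or from Check Point): it parses the Mark-of-the-Web fields that Chromium-based browsers write into a download's Zone.Identifier stream (read on Windows with open(path + ":Zone.Identifier")) and checks the ZIP central directory for the encryption flag, so a responder going through a Downloads folder can pick out archives that match the pattern from the attack chain: fetched from Dropbox, MediaFire or Google Drive, referred from YouTube, and password-protected. The host lists and the sample Zone.Identifier text and archive are constructed for the example.

```python
import io, re, zipfile
from urllib.parse import urlparse
# Services named in the attack chain: file hosts for the payload, YouTube as the referrer.
CLOUD_HOSTS = ("dropbox.com", "mediafire.com", "drive.google.com")
YOUTUBE_HOSTS = ("youtube.com", "youtu.be")

def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] block from a file's Zone.Identifier stream."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def host_matches(url: str, hosts) -> bool:
    # True if the URL's host is one of `hosts` or a subdomain of one.
    h = (urlparse(url).hostname or "").lower()
    return any(h == c or h.endswith("." + c) for c in hosts)

def zip_is_password_protected(data: bytes) -> bool:
    """General-purpose flag bit 0 set on any member marks an encrypted archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False

def score_download(zone_text: str, archive: bytes) -> list:
    """Return the chain indicators a download matches; all four is a strong signal."""
    f = parse_zone_identifier(zone_text)
    checks = [("internet-download", f.get("ZoneId") == "3"),  # URLZONE_INTERNET
              ("cloud-host", host_matches(f.get("HostUrl", ""), CLOUD_HOSTS)),
              ("youtube-referrer", host_matches(f.get("ReferrerUrl", ""), YOUTUBE_HOSTS)),
              ("password-protected", zip_is_password_protected(archive))]
    return [label for label, hit in checks if hit]

def sample_zip(encrypted: bool) -> bytes:
    """Constructed one-member archive; optionally flip the encryption flag bit in the central directory header (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"MZ-constructed-sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)
# Constructed Zone.Identifier content in the shape Chromium-based browsers write it.
SAMPLE_ZONE = ("[ZoneTransfer]\nZoneId=3\n"
               "ReferrerUrl=https://www.youtube.com/watch?v=CONSTRUCTED\n"
               "HostUrl=https://www.dropbox.com/s/CONSTRUCTED/Photoshop_2025.zip?dl=1\n")
```

Only ZIP archives are inspected for the password flag; RAR or 7z downloads still get the Zone.Identifier checks.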