In a disturbing twist to the world’s most popular video platform, cybercriminals have quietly built a malware empire on YouTube. According to Check Point Research, a sprawling network of fake and hijacked YouTube accounts—dubbed the “YouTube Ghost Network”—has been spreading infostealing malware disguised as gaming cheats and cracked software. The investigation uncovered over 3,000 malicious videos, some with hundreds of thousands of views, exposing how easily digital trust can be weaponized.
A chilling new investigation by Check Point Research has uncovered a massive, coordinated cybercrime operation exploiting YouTube to distribute malware to unsuspecting users worldwide. Dubbed the “YouTube Ghost Network,” the campaign leveraged over 3,000 malicious videos disguised as software cracks and gaming hacks, generating hundreds of thousands of views, and likely thousands of infections.
What makes this discovery so concerning isn’t just the scale, but the ingenious abuse of YouTube’s own trust mechanisms. Compromised or fake accounts uploaded “how-to” videos, replied positively to each other’s content, and filled comment sections with fake testimonials, all to create the illusion of legitimacy. The result: a self-sustaining malware distribution ecosystem right under YouTube’s nose.
A Global Malware Network Hiding in Plain Sight
The YouTube Ghost Network represents a sophisticated form of social engineering as a service. It weaponizes YouTube’s credibility, using its likes, comments, and algorithmic boosts to lure users into downloading infected files.
Check Point Research reports that these malicious uploads date back to 2021, with 2025 seeing a threefold increase in activity. The content primarily targets users seeking “Game Cheats/Hacks” and “Software Cracks/Piracy” — two popular yet risky categories. Videos posing as cracked versions of Adobe Photoshop, FL Studio, and other creative tools reached nearly 300,000 views each.
Once victims follow the download link (often hosted on Dropbox, Google Drive, or MediaFire), they’re prompted to disable Windows Defender — a fatal step that clears the way for malware installation.
The Malware: Rhadamanthys, Lumma, and Beyond
Initially, the Ghost Network distributed the Lumma infostealer, a malware strain known for harvesting credentials, browser data, and crypto wallets. After Lumma’s disruption earlier this year, attackers shifted to the Rhadamanthys infostealer, a highly evasive tool designed for persistence and data theft.
Each infection chain follows a similar pattern:
- User clicks on a video promising a cracked or hacked tool.
- The description or pinned comment contains a password-protected download link.
- Victims disable antivirus tools as instructed.
- Malware executes silently, exfiltrating data to command-and-control (C2) servers.
Attackers update these payloads frequently — sometimes every three to four days — changing servers, encryption, and file hashes to stay ahead of antivirus detection.
Ghost Accounts and Role-Based Deception
The network operates through a role-based structure, mimicking legitimate user interactions:
- Video Accounts upload and update phishing videos.
- Post Accounts share “community posts” with updated links and passwords.
- Interact Accounts flood comment sections with fake praise and engagement.
This multi-layered setup ensures resilience — if one account is banned, others continue the operation seamlessly.
The Global & MEA Context
This isn’t just a Western problem. The Middle East and Africa (MEA) — with rapidly growing online creator communities and heavy use of pirated software — are increasingly attractive targets for such schemes. Cybercriminals exploit language diversity, limited digital literacy, and the popularity of free tools to extend their reach.
Organizations, schools, and small businesses that rely on unlicensed software downloads are particularly at risk, potentially exposing corporate credentials and sensitive information to remote threat actors.
10 Recommended Security Actions
To counter evolving content-based cyber threats, security teams and users should:
- Never download cracked or pirated software. These are the top malware delivery vehicles.
- Implement strict application whitelisting within organizations.
- Educate employees and creators through regular cybersecurity awareness programs.
- Deploy advanced endpoint protection capable of detecting infostealers and obfuscated archives.
- Monitor cloud storage traffic for suspicious downloads (Dropbox, MediaFire, Google Drive).
- Use DNS filtering and web controls to block known malicious domains.
- Regularly update antivirus and endpoint defenses to identify evolving variants.
- Enable multifactor authentication (MFA) across accounts to reduce credential theft impact.
- Partner with cybersecurity experts such as Saintynet Cybersecurity for advisory and incident response support.
- Report malicious videos and links directly to YouTube and CERT authorities.
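The infection chain described above (a download from Dropbox, Google Drive or MediaFire followed by the victim disabling Windows Defender) and the recommendation to monitor cloud storage traffic can be turned into one detection. The example below is added here and is not from Check Point or the original article; it correlates constructed proxy log lines with constructed Windows Defender operational events (event ID 5001, real-time protection disabled) and flags hosts where the two occur together within a short window.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# File-hosting services named in the report; archive types used for password-protected payloads.
FILE_HOSTS = ("dropbox.com", "drive.google.com", "mediafire.com")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Microsoft-Windows-Windows Defender/Operational event 5001: real-time protection disabled.
DEFENDER_DISABLED = 5001
WINDOW = timedelta(minutes=30)

# Constructed sample data, not real indicators. Proxy rows: "<ISO time> <host> <url>";
# Defender rows: "<ISO time> <host> <event id>".
PROXY_LOG = """\
2025-10-01T09:02:11 ws-17 https://www.mediafire.com/file/abc123/Photoshop_2025_crack.rar
2025-10-01T09:05:40 ws-22 https://drive.google.com/uc?id=XYZ123&export=download
2025-10-01T11:30:00 ws-09 https://github.com/example/tool/archive/main.zip
"""
DEFENDER_LOG = """\
2025-10-01T09:07:55 ws-17 5001
2025-10-01T11:35:00 ws-09 5001
2025-10-01T13:00:00 ws-22 5001
"""

def is_suspicious_download(url: str) -> bool:
    """True for a file fetch from one of the named hosting services."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    on_file_host = any(host == h or host.endswith("." + h) for h in FILE_HOSTS)
    # Heuristic: an archive by extension, or a Drive-style direct-download link.
    is_file = p.path.lower().endswith(ARCHIVE_EXT) or "export=download" in p.query
    return on_file_host and is_file

def _rows(text: str):
    for line in text.strip().splitlines():
        ts, host, rest = line.split(" ", 2)
        yield datetime.fromisoformat(ts), host, rest

def correlate(proxy_log: str, defender_log: str, window: timedelta = WINDOW) -> list:
    """One alert per (download, event) pair where real-time protection is turned
    off on the same host within `window` after a suspicious download."""
    off = [(ts, h) for ts, h, ev in _rows(defender_log) if int(ev) == DEFENDER_DISABLED]
    alerts = []
    for dl_ts, host, url in _rows(proxy_log):
        if not is_suspicious_download(url):
            continue
        for ev_ts, ev_host in off:
            if ev_host == host and dl_ts <= ev_ts <= dl_ts + window:
                alerts.append({"host": host, "download": url,
                               "downloaded_at": dl_ts.isoformat(), "defender_off_at": ev_ts.isoformat()})
    return alerts
```

In the sample data only ws-17 trips the rule: ws-22 disables protection hours after its download, and ws-09 fetched from a host outside the watched list.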
Conclusion:
The YouTube Ghost Network illustrates a dangerous evolution in cybercrime, one that weaponizes trust and platform algorithms rather than brute-force exploits. By exploiting user curiosity and digital habits, attackers have turned social platforms into malware delivery engines.
Check Point’s discovery and reporting of over 3,000 malicious videos mark an important step forward, but the fight is far from over. As threat actors shift toward content-based distribution, the cybersecurity community must respond with cross-industry collaboration, user education, and proactive defense strategies.