A report reveals that over 3,000 malicious YouTube videos were used to spread infostealer malware. Check Point Research has named a major malware operation the “YouTube Ghost Network.” It uses fake YouTube accounts to spread infostealer malware like Rhadamanthys and Lumma.

Game hacks and cheats and software cracks and piracy were the most targeted categories. “It is important to emphasize that the use of cracked software is illegal and that such versions frequently contain hidden malware,” Check Point said.
The top malicious videos were about Adobe Photoshop, with 293,000 views, and FL Studio, with 147,000 views.
Compromised YouTube Accounts Used to Spread Infostealer Malware:
Many of the compromised YouTube accounts are used to post harmful videos and interact with them to make the accounts seem trustworthy.
“This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation,” the report said.
The most targeted game from the “Game Hacks/Cheats” category was Roblox, with 380 million monthly active users and about 111.8 million daily active users. In the “Software Cracks/Piracy” category, Adobe products are the main targets, led by Photoshop and Lightroom.
Video posts often contain external links that lead to file-sharing services like MediaFire, Dropbox, or Google Drive, or to phishing sites on platforms like Google Sites, Blogspot, or Telegraph (telegra.ph). These pages often link to malicious software and use shortened URLs to disguise the actual destination.
Videos typically include a download link and a shared password. Instructions usually recommend temporarily disabling Windows Defender to prevent “false alerts.”
“Don’t worry – the archive is clean,” assures one post after telling potential victims to temporarily disable Windows Defender. “Defender may trigger a false alert due to the way Setup.exe works with installations.”
Most malware cases involve infostealers. Lumma was the most widely distributed before it was disrupted, followed by Rhadamanthys, with StealC and Redline also being noted.
Compromised YouTube Accounts Distributed Malicious Pirated Photoshop
The report detailed two compromised YouTube channels and accounts.
The YouTube channel @Sound_Writer, with 9,690 subscribers, published videos that were mainly focused on cryptocurrency software and gaming. “Our analysis indicates that this account has been compromised for over a year, as evidenced by the appearance of malicious videos that differ significantly from the channel’s previous content,” Check Point said.
The @Afonesio1 account, which has about 129,000 subscribers, was hacked between December 3, 2024, and January 5, 2025, and has posted four videos to spread malware.
One of the account’s most viewed videos, with 291,155 views and 54 positive comments, “was used to lure unsuspecting viewers into downloading and executing a cracked version of Adobe Photoshop.”
The video description included a community message link and the password for a protected file. Check Point noted the post got around 1,200 likes and many positive comments about the software. The shortened link led users to Dropbox to download the file.
The archive had a file named Adobe.Photoshop.2024.v25.1.0.120.exe, a cracked version of Adobe Photoshop. The report notes, “It’s unclear if the positive reviews come from actual users who got infected or from fake accounts using AI to promote the malware.”
“The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point concluded. “While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”
InfoSecBulletin Cybersecurity for mankind
