Monday , April 21 2025

Hackers Using YouTube as a Malware Distribution Platform Via Hacked YT Channel

Morphisec Threat Labs researchers have recently exposed a sneaky loader called “in2al5d p3in4er” (Invalid Printer) that delivers Aurora information stealer malware through YouTube videos.

Using an advanced anti-VM technique, the in2al5d p3in4er loader, built with Embarcadero RAD Studio, specifically targets endpoint workstations.

Late in 2022, Aurora appeared on the threat landscape for the first time, and it’s an information stealer written in Go programming language.

Samsung phone is saving your passwords in plain text

You copy a password from your manager, thinking it's safe. Meanwhile, your phone is saving it in plain text. Samsung...
Read More
Samsung phone is saving your passwords in plain text

UK Software Firm Exposed 8 million of Healthcare Worker Records

A data leak involving 8 million UK healthcare worker records, including IDs and financial information, was caused by a misconfigured...
Read More
UK Software Firm Exposed 8 million of Healthcare Worker Records

GitHub Enterprise Server Vulns Expose Risk of Code Execution

GitHub has released security updates for GitHub Enterprise Server to fix several vulnerabilities, including a high-severity flaw that could allow...
Read More
GitHub Enterprise Server Vulns Expose Risk of Code Execution

CVE-2025-2492
ASUS warns of critical auth bypass flaw in routers

Hackers can exploit a vulnerability in Asus routers to execute unauthorized functions. This serious issue, rated 9.2 out of 10,...
Read More
CVE-2025-2492  ASUS warns of critical auth bypass flaw in routers

16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia

According to Shadowserver Foundation around 17,000 Fortinet devices worldwide have been compromised using a new technique called "symlink". This number...
Read More
16,000+  Fortinet devices compromised with symlink backdoor, Mostly in Asia

Patch now! Critical Erlang/OTP SSH Vuln Allows UCE

A critical security flaw has been found in the Erlang/Open Telecom Platform (OTP) SSH implementation, allowing an attacker to run...
Read More
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE

CISA warns of increasing risk tied to Oracle legacy Cloud leak

On Wednesday, CISA alerted about increased breach risks due to the earlier compromise of legacy Oracle Cloud servers, emphasizing the...
Read More
CISA warns of increasing risk tied to Oracle legacy Cloud leak

CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App

Cisco issued a security advisory about a serious vulnerability in its Webex App that allows unauthenticated remote code execution (RCE)...
Read More
CVE-2025-20236  Cisco Patches Unauthenticated RCE Flaw in Webex App

Apple released emergency security updates for 2 zero-day vulns

On Wednesday, Apple released urgent operating system updates to address two security vulnerabilities that had already been exploited in highly...
Read More
Apple released emergency security updates for 2 zero-day vulns

Oracle Released Patched for 378 flaws for April 2025

On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers...
Read More
Oracle Released Patched for 378 flaws for April 2025

Abusing YouTube as a Distribution Platform

Aurora is a commodity malware distributed through fake cracked software download sites and YouTube videos to other threat actors looking to use it.

YouTube has become an attractive distribution platform for threat actors looking to spread malware to access sensitive information.

Due to its mass popularity, YouTube has become one of the first choices for threat actors.

Hackers have found a new way to spread malware by hacking popular YouTube accounts and posting videos with malicious links or downloads through those compromised accounts or channels.

While the hackers also use optimized SEO tags to boost the visibility of videos in search results, which will increase the click-through rate (CTR).

Since threat actors are actively generating handsome revenue by stealing YouTube accounts for a fee, these services are now actively marketed by hackers in several underground forums and marketplaces.

Artificial intelligence (AI) is used by the service to generate videos, making it easier and quicker to create budget-backed content that looks convincing.

Victims who click on the links in YouTube video descriptions are taken to fake websites that trick them into downloading malware disguised as legitimate software.

To appear legitimate, these fake websites use the following things to create the illusion that they are real:-

  • Similar URLs
  • Similar logos
  • Similar branding

These decoy websites convince users to download applications containing malware and trick them into entering their sensitive or personal information.

Technical analysis

Morphisec asserted that this loader checks the vendor ID of a system’s graphics card and terminates itself if the value doesn’t match a list of approved IDs, which includes:-

  • AMD
  • Intel
  • NVIDIA

Using a technique called “process hollowing,” the loader decrypts the final payload and injects it into a genuine process called “sihost.exe.”

While injecting the final payload into the legitimate process, the loader dynamically decrypts all the required Windows API and uses the XOR key ‘in2al5d p3in4er‘ to decrypt the API names.

The loader employs Embarcadero RAD Studio to create executable files that can be used on various platforms, which helps it evade detection by security software.

Malware loaders like in2al5d p3in4er are the building blocks of an attack, providing an initial foothold between the attacker and the compromised system.

They serve as a crucial first stage, facilitating the delivery of more complex and damaging payloads.

The threat actors are responsible for in2al5d p3in4er malware are leveraging social engineering tactics and using them in combination with the malware to create a significant impact.

They target popular YouTube accounts to redirect the viewers to fake and legitimate-looking websites.

To prevent attacks from in2al5d p3in4er, educating employees about identifying social engineering schemes is crucial.

Source: Cybersecuritynews

Check Also

PwC

PwC exits more than a dozen countries in push to avoid scandals: FT reports

PwC has ceased operations in more than a dozen countries that its global bosses have …

Leave a Reply

Your email address will not be published. Required fields are marked *