Cybersecurity researchers expose ‘YouTube Network’ spreading malware via fake tutorials
- Marijan Hassan - Tech Journalist
A sophisticated, large-scale malware distribution network operating on YouTube has been dismantled following a detailed investigation by Check Point Research (CPR). The operation, dubbed the "YouTube Ghost Network," exploited the trust and engagement mechanisms of the video platform to lure millions of users into downloading information-stealing malware disguised as "cracked" software and video game cheats.

Check Point researchers successfully identified and reported over 3,000 malicious videos to Google, leading to their removal and significantly disrupting one of the most scalable malware distribution methods seen on a social platform to date.
Anatomy of the 'YouTube Ghost Network'
The YouTube Ghost Network was not a collection of random rogue channels, but a coordinated, modular system of fake and compromised YouTube accounts designed to appear highly legitimate and trustworthy. The network assigned specific roles to different account types to amplify the scam and maintain resilience:
- Video Accounts: Uploaded deceptive tutorial-style videos promising free access to premium software (like Adobe Photoshop or Microsoft Office) or cheats for popular games (like Roblox). The descriptions contained links to password-protected archives hosted on popular file-sharing services (e.g., Dropbox, Google Drive).
- Post Accounts: Used YouTube’s Community Post feature to share the necessary download links and the password for the archives, further cementing the legitimacy of the operation.
- Interact Accounts: Posted positive, encouraging comments and likes to the malicious videos, artificially inflating their engagement and creating a false sense of trust among potential victims.
Victims who followed the on-screen instructions were led through a specific infection chain, starting with:
1. Download: Users downloaded a password-protected compressed file from a link in the video description.
2. Antivirus Disable: Users were explicitly instructed in the video to temporarily disable Windows Defender or other antivirus protection before installation, under the pretense that the "cracked" software would otherwise be flagged incorrectly.
3. Infection: Once executed, the files installed sophisticated information-stealing malware, primarily Rhadamanthys and Lumma Stealer.
These infostealers are capable of covertly exfiltrating highly sensitive data, including login credentials, system data, and details related to cryptocurrency wallets.
A growing threat
Check Point Research has tracked the network’s activity back to at least 2021, and notes that the volume of malicious video uploads tripled in 2025. According to the researchers, the operation's resilience came from its role-based structure, which allowed operators to quickly replace banned channels without disrupting the overall campaign.
"This campaign reflects a broader shift in cyber criminal strategy where adversaries are turning social credibility into a tool for infection," noted a CPR spokesperson. "By exploiting engagement mechanisms, these attacks succeed because they appear authentic, leveraging the user's trust in a major platform."
The joint effort between Check Point Research and Google led to the mass removal of the malicious content, protecting millions of potential victims and serving as a key example of how collaboration between cybersecurity firms and platform operators can effectively disrupt large-scale threats.