- YouTube has removed 3,000 malicious videos disguised as ‘cracked software’
- They were used to spread malware and information stealers like Lumma.
- The network used fake positive engagement to gain trust.
Google has removed a network of 3,000 malicious YouTube videos used to spread malware.
Check Point Research says it discovered the ‘YouTube Ghost Network’, a ‘sophisticated and coordinated’ video campaign that took advantage of YouTube’s features to promote its own harmful content.
The videos were mainly disguised as ‘Game Hacks/Cheats’ and ‘Software Cracks/Piracy’, categories with large audiences in which viewers are often encouraged to download software. This type of “cracked” software is illegal and these downloads often contain malware.
Malware and infostealers
These videos were not necessarily spam in nature. Investigators identified a video targeting Adobe Photoshop with 293,000 views and 54 comments, as well as a video targeting FL Studio that had amassed 147,000 views; these would appear legitimate based on the large number of interactions.
Ghost Network distributed malware through these software downloads, specifically the infamous Rhadamanthys, Lumma Stealer, and RedLine infostealer strains.
This tactic of using malicious social media posts to trick users into downloading harmful software is far from unheard of; Reddit and WeTransfer pages were also discovered in early 2025 spreading the Lumma malware in a similar campaign.
“The network appears to be active at least since 2021, maintaining a constant production of malicious content each year,” Check Point wrote in its report. “In particular, by 2025, the creation of these types of videos has tripled, highlighting both the scalability and increasing effectiveness of this malware distribution campaign.”
One of the reasons this particular campaign was so powerful is the network of positive interactions it cultivated: it disarmed viewers and generated a high level of trust. One set of accounts was observed uploading videos, while another group liked, commented on and subscribed to the accounts, and another group posted positive updates and messages.
In years past, high viewership and positive interactions indicated a safe or legitimate service, but now, with reports suggesting that up to 50% of all internet traffic comes from bots, viewers are being forced to be more careful than ever.




