3,000 YouTube Videos as Malware Traps (“YouTube Ghost Network”)
Check Point uncovered a YouTube Ghost Network of compromised accounts pushing over 3,000 malicious videos since 2021, with volumes tripling in 2025. Content focuses on cracked software and Roblox cheats, luring users to malware via links (MediaFire/Drive/Google Sites/Blogger/Telegraph), often masked by shorteners. The operation uses role-based accounts (video, post, interact) to simulate legitimacy (views, likes, comments) and maintain continuity when bans occur. Families include Lumma, Rhadamanthys, StealC, RedLine, Phemedrone, and Node.js loaders. Google has removed most videos.
Like, comment, subscribe… to malware
A sprawling “YouTube Ghost Network” has pushed 3,000+ booby-trapped videos since 2021, re-skinning hijacked channels with slick tutorials for cracked software and Roblox cheats. Click the link in the description (or pinned comment), and you’ll fetch a stealer such as Lumma or Rhadamanthys—with plenty of loaders in the chain for good measure.
The gang uses a role-based setup: one account posts the videos, another spams community posts, a third likes and comments to make everything look wholesome. When YouTube swings the ban hammer, they swap in fresh accounts and carry on. Many links point to MediaFire/Dropbox/Drive or phishing pages on Google Sites/Blogger/Telegraph, often shortened to hide the destination.
Defensive tips:
• Treat “free” software and game cheats as radioactive.
• Use a reputation-aware web proxy and strip URL shorteners.
• Lock down endpoints against unsigned installers; monitor for stealer IOCs.
• If a channel suddenly changes theme or tone, assume it’s compromised.
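As an added example, not taken from Check Point's report: a small Python triage helper that pulls URLs out of a video description or pinned comment and flags the hosting pattern described above (shortener in front of a file host or free-page host, paired with a cracked-software or cheat lure). The shortener list, the lure keywords and the sample description are constructed assumptions to tune for your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed watch-lists (assumptions, not from the report): file hosts and
# free page builders named in the write-up, plus a few common URL shorteners.
FILE_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com"}
FREE_PAGE_HOSTS = {"sites.google.com", "blogspot.com", "telegra.ph"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
LURE_RE = re.compile(r"\b(crack(ed)?|keygen|cheats?|free download)\b", re.IGNORECASE)


def _host(url):
    """Normalise the hostname: lower-case and drop a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _matches(host, domains):
    """True when host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Label a URL as shortener, file-host, free-page or other."""
    host = _host(url)
    if _matches(host, SHORTENERS):
        return "shortener"
    if _matches(host, FILE_HOSTS):
        return "file-host"
    if _matches(host, FREE_PAGE_HOSTS):
        return "free-page"
    return "other"


def scan_description(text):
    """Return [(url, label)] for every URL found in the text."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]


def is_suspicious(text):
    """Flag text that combines a cracked/cheat lure with a risky link type."""
    labels = {label for _, label in scan_description(text)}
    return bool(LURE_RE.search(text)) and bool(labels & {"shortener", "file-host", "free-page"})


# Constructed sample description in the style the report describes.
SAMPLE_DESCRIPTION = (
    "Photoshop 2025 CRACKED, free download: https://bit.ly/3xample "
    "(mirror: https://www.mediafire.com/file/abc123) Like and subscribe!"
)

if __name__ == "__main__":
    for url, label in scan_description(SAMPLE_DESCRIPTION):
        print(f"{label:10} {url}")
    print("suspicious:", is_suspicious(SAMPLE_DESCRIPTION))
```

Feed it the description and pinned-comment text your video-monitoring or proxy logs already collect; a hit is a triage signal, not proof of malware.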
Google has taken down most of the content, but copycats are plentiful. In short: if a video promises a miracle, expect malware. Influence can be faked; payloads can’t.