Researchers expose large-scale YouTube malware distribution network

Check Point researchers have uncovered, mapped and helped set back a stealthy, large-scale malware distribution operation on YouTube they dubbed the “YouTube Ghost Network.”

The network published more than 3,000 videos across compromised or fake channels, luring viewers with game cheats, cracked software, or pirated tools, but instead delivering malware or phishing pages. 

The YouTube Ghost Network

The YouTube Ghost Network is strikingly similar to the Stargazers Ghost Network, a previously uncovered network of fake or hijacked GitHub accounts that served as a malware and phishing link Distribution-as-a-Service.

In the Stargazers Ghost Network, different accounts filled different roles. Some accounts directed targets to malicious downloads, others served malware, and others still starred, forked, and subscribed to malicious repositories, in an obvious attempt to make the other accounts appear legitimate to potential victims.

Similarly, the YouTube Ghost Network consists of video accounts, post accounts, and interact accounts.

Video accounts, which are either hijacked or created by the malware peddlers, upload videos that promise something appealing, e.g., a free/cracked version of Adobe Photoshop, or game hacks for popular games like Roblox. The descriptions contain download links or direct viewers to password-protected archives on services like Dropbox, Google Drive or MediaFire, and they often tell users to temporarily disable Windows Defender before installing the downloaded cracked software.

Post accounts publish community posts with the same links and passwords, and interact accounts flood comment sections with fake endorsements, creating a false sense of trust.

A comment section with positive comments (Source: Check Point Research)

“While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns,” the researchers noted.

“Targeting users through Ghost Networks is analogous to casting nets across the web, users must approach and essentially infect themselves.”

A resilient malware distribution network

The YouTube Ghost Network is designed to keep a low profile and to be resilient.

Most of the accounts are compromised legitimate YouTube channels. Once a channel is banned or flagged, the network simply replaces it, and because the roles are divided across different accounts, the operation remains resilient even when parts are taken down. 

“Threat actors regularly updated links and payloads, enabling persistent infection chains even after partial removals,” the researchers noted.

“The technical sophistication of these campaigns is further evidenced by the use of password-protected archives, redundant hosting platforms, and frequent updates to both payloads and command-and-control (C2) infrastructure. These tactics are specifically designed to evade automated detection, reputation-based blocking, and manual review by both platform operators and security vendors.”

Most of the malware distributed through this network are infostealers, most notably the Lumma Stealer and Rhadamanthys.

The network has been active since at least 2021, but in 2025, the number of malicious videos has tripled.

The YouTube Ghost Network has been crippled after the researchers flagged and Google took down over 3,000 malicious videos, but the individuals behind this effort are unlikely to give up easily.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!