3,000+ Malicious YouTube Videos Linked to Ghost Malware Network

Check Point Research has uncovered the YouTube Ghost Network, a coordinated and sophisticated malware distribution campaign exploiting YouTube’s trust mechanisms.

Over 3,000 malicious videos were linked to this operation, which systematically leveraged compromised accounts, fake engagement, and platform features to spread infostealers such as Lumma and Rhadamanthys.

The campaign, active since 2021, intensified in 2025, showing a threefold increase in malicious uploads compared to previous years.

The Ghost Network’s Role-Based Operation

The YouTube Ghost Network employs a structured, role-based model to maintain operational stealth and continuity. Compromised accounts are divided into three main roles: video uploaders, post publishers, and interaction boosters.

Video accounts are responsible for hosting phishing videos promoting fake software cracks or game cheats, often instructing users to disable Windows Defender before installation.

Post accounts publish “community updates” containing links to malicious archives hosted on MediaFire, Dropbox, or Google Drive. Interaction accounts, meanwhile, flood videos with fake positive comments and likes to build trust and legitimacy.

Together, these roles form a resilient distribution ecosystem that persists even after account takedowns, allowing attackers to replace banned nodes without disrupting the overall campaign.

The video descriptions typically share download links together with the passwords for password-protected archives, a technique that keeps antivirus scanners from inspecting the archives’ contents.

Figure: Targeted audience categories.

In more sophisticated cases, attackers embed the links within pinned comments or reveal them during the video walkthrough, making detection even harder. These archives often contain malware disguised as pirated applications or free tools, with instructions that lure victims into self-infection.
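The descriptions and pinned comments described above share a recognisable shape: a file-hosting link, a disclosed archive password, an instruction to turn off Windows Defender, and a crack or cheat lure. As an added example that is not part of Check Point’s report, the following Python triage heuristic scores constructed description texts on those signals; the regexes, weights, threshold and sample texts are this example’s own assumptions.

```python
import re

# Signals taken from the campaign description. Patterns, weights and the
# threshold below are assumptions for this example, not published detections.
FILE_HOSTS = re.compile(
    r"https?://(?:www\.)?(?:mediafire\.com|dropbox\.com|drive\.google\.com)/\S+",
    re.IGNORECASE,
)
# "Password: 1234" / "pass = abcd" / "pw is 2025"; a bare word such as
# "password manager" does not match because a separator is required.
PASSWORD_HINT = re.compile(r"\b(?:password|pass|pw)\b\s*(?::|=|is)\s*\S+", re.IGNORECASE)
DISABLE_AV = re.compile(
    r"(?:turn\s+off|disable|deactivate)\s+(?:windows\s+)?(?:defender|antivirus|av)\b",
    re.IGNORECASE,
)
LURE_WORDS = re.compile(r"\b(?:crack(?:ed)?|cheat|hack|keygen|free\s+download|pirated)\b", re.IGNORECASE)

WEIGHTS = [
    ("file_host_link", FILE_HOSTS, 2),
    ("archive_password", PASSWORD_HINT, 3),
    ("disable_av_instruction", DISABLE_AV, 4),
    ("piracy_lure", LURE_WORDS, 1),
]
SUSPICIOUS_THRESHOLD = 5


def score_description(text: str) -> dict:
    """Return the matched indicators, an additive score and a verdict."""
    indicators = [name for name, pattern, _ in WEIGHTS if pattern.search(text)]
    score = sum(weight for name, _, weight in WEIGHTS if name in indicators)
    return {"score": score, "indicators": indicators, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample descriptions (not real YouTube content).
SAMPLES = {
    "crack_video": (
        "Adobe Photoshop 2025 CRACK free download! Link: "
        "https://www.mediafire.com/file/abc123/ps.zip Password: 1234 "
        "Turn off Windows Defender before installing or the crack will be removed."
    ),
    "tutorial": (
        "In this tutorial we cover the Photoshop layers panel. "
        "Project files: https://drive.google.com/file/d/xyz/view"
    ),
    "codes_only": "Game cheat codes compilation (in-game codes only), no downloads.",
}


def triage(samples: dict) -> dict:
    """Score every sample; in practice this runs over scraped descriptions and comments."""
    return {label: score_description(text) for label, text in samples.items()}
```

A real pipeline would feed scraped descriptions and pinned comments into `triage` and route anything flagged `suspicious` to an analyst, the channel owner, or the platform’s abuse team.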

Lumma’s Disruption and Rhadamanthys’ Rise

Between 2024 and early 2025, Lumma was the Ghost Network’s most common payload, stealing credentials and browser data from infected systems.

Following its disruption earlier in 2025, operators pivoted rapidly to the Rhadamanthys infostealer, using rotating command-and-control (C2) servers to avoid detection.

One such campaign hijacked the YouTube channel @Sound_Writer, which posted cryptocurrency-themed videos linked to phishing pages hosted on Google Sites.

These pages delivered Rhadamanthys payloads that connected to C2 endpoints such as 94.74.164[.]157:8888 and 178[.]16.53[.]236:6343.

Another campaign compromised the popular channel @Afonesio1 with 129,000 subscribers to distribute fake Adobe Photoshop installers embedded with HijackLoader and Rhadamanthys.

The malware samples frequently changed, with new versions appearing every few days and low detection rates across antivirus engines.

Growing Reach and Threat Implications

Analysis of over 3,000 malicious videos revealed a clear targeting pattern, focusing on high-traffic categories like “Game Hacks/Cheats” and “Software Cracks/Piracy.”

One malicious Photoshop “crack” video gained 293,000 views and 54 comments, while an FL Studio variant reached 147,000 views. The campaign’s rapid growth in 2025 demonstrates attackers’ adaptability and the increasing use of legitimate platforms for malware delivery.

Check Point’s takedown of these videos significantly reduced the active threat. Still, researchers emphasize that coordinated efforts between platform operators, security vendors, and law enforcement are crucial to combating future Ghost Network operations.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
