- YouTube has removed 3,000 malicious videos disguised as ‘cracked software’
- These were used to spread malware and info stealers like Lumma
- The network used fake positive engagement to gain trust
Google has taken down a 3,000-strong network of malicious YouTube videos used to spread malware.
Check Point Research says it has discovered the “YouTube Ghost Network” – a “sophisticated and coordinated” campaign of videos that leveraged YouTube’s features to promote its own malicious content.
The videos were primarily disguised as ‘Game Hack/Cheat’ and ‘Software Cracks/Piracy’ – areas with high viewership that often encouraged audiences to download software. Such ‘cracked’ software is illegal and these downloads often contain malware.
Malware and infostealers
These videos were not necessarily spammy. Researchers identified a video targeting Adobe Photoshop with 293,000 views and 54 comments, as well as a video targeting FL Studio that had amassed 147,000 views – these would appear legitimate based on the large number of interactions.
The Ghost Network distributed malware through these software downloads, specifically the notorious Rhadamanthys, Lumma Stealer and RedLine infostealer strains.
This tactic of using malicious social media posts to trick users into downloading malware is far from unheard of, with Reddit pages and WeTransfer pages also discovered earlier in 2025 spreading the Lumma malware in a similar campaign.
“The network appears to be active at least since 2021 and maintains a constant output of malicious content each year,” Check Point wrote in its report. “Especially in 2025, the creation of such videos has tripled, highlighting both the scalability and increased efficiency of this malware distribution campaign.”
One of the reasons this campaign in particular was so potent is the network of positive interactions it cultivated, disarming viewers and building a high level of trust. One set of accounts was observed uploading videos, while another set would like, comment and subscribe, and another group would post positive updates and messages.
In years past, high viewership and positive interactions indicated a safe or legitimate service, but with reports now suggesting that up to 50% of all internet traffic comes from bots, viewers are forced to be more cautious than ever.