- YouTube removed 3,000 malicious videos disguised as ‘cracked software’
- These were used to spread malware and information stealers like Lumma
- The network used fake positive engagement to gain trust
Google has removed a network of 3,000 malicious YouTube videos used to spread malware.
Check Point Research claims to have discovered the “YouTube Ghost Network” – a “sophisticated and coordinated” video campaign that took advantage of YouTube’s features to promote its own harmful content.
The videos were primarily disguised as “Game Hack/Cheat” and “Software Cracks/Piracy” content – categories with large audiences that often encourage viewers to download software. Such “pirated” software is illegal, and these downloads often contain malware.
Malware and information stealers
These videos did not necessarily look like spam. Researchers identified a video targeting Adobe Photoshop with 293,000 views and 54 comments, as well as a video targeting FL Studio that had garnered 147,000 views – these would appear legitimate based on the large number of interactions.
The Ghost Network distributed malware through these software downloads – particularly the infamous information stealers Rhadamanthys, Lumma and RedLine, as well as other malware strains.
This tactic of using malicious social media posts to trick users into downloading harmful software is far from unknown, with Reddit and WeTransfer pages also discovered earlier in 2025 spreading Lumma malware as part of a similar campaign.
“The network appears to have been active at least since 2021, maintaining a steady production of malicious content each year,” Check Point wrote in its report. “Notably, by 2025, the creation of such videos has tripled, highlighting both the scalability and increasing effectiveness of this malware distribution campaign.”
One of the reasons this particular campaign was so powerful is the network of positive interactions it cultivated – disarming viewers and establishing a high level of trust. One group of accounts was observed uploading videos, while another group would like/comment/subscribe to the accounts, and another group would post updates and positive messages.
It used to be that high viewership and positive interactions indicated a safe or legitimate service, but today, with reports suggesting that up to 50% of all internet traffic comes from bots, viewers are forced to be more careful than ever.