Check Point Research has uncovered a massive malware distribution operation called the YouTube Ghost Network, featuring over 3,000 malicious videos designed to infect unsuspecting users with dangerous information-stealing malware.
This sophisticated cybercriminal network has been operating since at least 2021, with activity tripling in 2025 as threat actors increasingly exploit YouTube’s trusted platform to bypass traditional security measures.
The YouTube Ghost Network represents a significant evolution in malware distribution tactics, moving beyond conventional email phishing to leverage the inherent trust users place in popular social media platforms.
Security researchers identified three distinct types of compromised accounts working in coordination: video-accounts that upload malicious content, post-accounts that share download links and passwords, and interact-accounts that create false legitimacy through positive comments and engagement.
This role-based structure enables the network to maintain operations even when individual accounts are banned, as threat actors can rapidly replace compromised elements without disrupting the overall campaign.


The network primarily targets users seeking “Game Hacks/Cheats” and “Software Cracks/Piracy,” categories that continue to attract large numbers of potential victims despite the inherent risks of downloading unauthorized software.
The most successful malicious video in the dataset targeted Adobe Photoshop, accumulating 293,000 views and 54 comments, while another targeting FL Studio reached 147,000 views.


These numbers demonstrate the considerable reach and effectiveness of the distribution method, particularly when compared to traditional email-based campaigns that face increasing security barriers.
Malware Evolution Reflects Industry Disruptions
The network’s payload preferences have shifted significantly following law enforcement actions against major malware families.
The YouTube channel @Sound_Writer, with 9,690 subscribers, has published several videos primarily focused on cryptocurrency software and gaming, accumulating approximately 24,000 views in total.


Prior to the Lumma infostealer disruption between March and May 2025, Lumma was the most frequently distributed malware within the network.
Following this takedown, security researchers observed threat actors pivoting to Rhadamanthys as their preferred information-stealing tool.
This adaptive behavior highlights the dynamic nature of the cybercriminal ecosystem, where operators quickly adjust their tactics in response to security countermeasures.

The archive contains multiple files designed to masquerade as legitimate software. Based on compilation and modification timestamps, the campaign likely began on 8 September.


The majority of malware distributed through the YouTube Ghost Network consists of infostealers designed to exfiltrate user credentials, financial information, and other sensitive data to remote command-and-control servers.
Threat actors employ sophisticated evasion techniques including password-protected archives, frequent payload updates, and rotation of command-and-control infrastructure every three to four days.
These tactics specifically target automated detection systems and reputation-based blocking mechanisms, making the campaigns particularly challenging for traditional security solutions to identify and stop.
Campaign Analysis Reveals Advanced Tactics
Detailed analysis of specific campaigns reveals the network’s operational sophistication. In one documented case, a compromised YouTube channel with 9,690 subscribers was used to distribute Rhadamanthys infostealer through cryptocurrency-themed videos.
The campaign utilized redundant hosting on multiple platforms including Google Sites, MediaFire, and Dropbox to ensure persistence even if individual components were detected and removed.
Another significant campaign targeted content creators through a compromised account with 129,000 subscribers, distributing malware disguised as cracked Adobe products.
This campaign specifically appealed to YouTubers and other digital content creators, suggesting deliberate audience targeting by the threat actors.
The malicious archives contained both functional cracked software and hidden malware, making detection more difficult as some users would experience the promised functionality while unknowingly installing infostealers.
The technical implementation involves multi-stage deployment, with initial MSI installers delivering HijackLoader, which subsequently deploys the final Rhadamanthys payload.
This layered approach helps evade detection by security solutions that may only analyze the initial file without examining the complete infection chain.
The YouTube Ghost Network’s success demonstrates how cybercriminals are adapting to modern security landscapes by exploiting trusted platforms and social engineering techniques.
As traditional distribution methods become less effective, these platform-based approaches represent a concerning evolution in malware delivery, one that requires a coordinated response from security researchers, platform operators, and law enforcement agencies to combat effectively.
Indicators of Compromise
The indicators of compromise published by Check Point Research, grouped by campaign (file hashes are SHA-256; C&C URLs are defanged):
| Campaign | Artifact | Indicator (SHA-256 or defanged C&C URL) |
|---|---|---|
| Campaign I | Set-up.zip | 92c26a15336f96325e4a3a96d4206d6a5844e6a735af663ba81cf3f39fd6bdfe |
| Campaign I | Set-up.exe, Rhadamanthys | b429a3e21a3ee5ac7be86739985009647f570548b4f04d4256139bc280a6c68f |
| Campaign I | Rhadamanthys C&C | hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n |
| Campaign I | Set-up.zip, 23/9 | da36e5ec2a8872af6e2f7e8f4d9fdf48a9c4aa12f8f3b3d1b052120d3f932f01 |
| Campaign I | Set-up.exe, 23/9, Rhadamanthys | b41fb6e936eae7bcd364c5b79dac7eb34ef1c301834681fbd841d334662dbd1d |
| Campaign I | Set-up.exe, 23/9, Rhadamanthys C&C | hxxps://openai-pidor-with-ai[.]com:6343/gateway/pqnrojhl.adc7k |
| Campaign I | Set-up.exe, 23/9, Rhadamanthys C&C | hxxps://178.16.53[.]236:6343/gateway/pqnrojhl.adc7k |
| Campaign II | Adobe.Photoshop.2025.rar | 7d9e36250ce402643e03ac7d67cf2a9ac648b03b42127caee13ea4915ff1a524 |
| Campaign II | Set-Up.msi | ad81b2f47eefcdce16dfa85d8d04f5f8b3b619ca31a14273da6773847347bec8 |
| Campaign II | Rhadamanthys C&C | hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3 |
| Campaign II | Adobe.Photoshop.2025.rar, 24/9 | 19b6bb806978e687bc6a638343b8a1d0fbd93e543a7a6a6ace4a2e7d8d9a900b |
| Campaign II | Set-Up.msi, 24/9 | 270121041684eab38188e4999cc876057fd7057ec4255a63f8f66bd8103ae9f2 |
| Campaign II | C&C, 24/9 | hxxps://5.252.155[.]231/gateway/3jw9q65j.b3tit |
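As an added example (not Check Point's or GBHackers' code), the following Python script refangs the five C&C URLs from the table above, normalizes them to host:port pairs, and checks a constructed proxy log against them. The log line format, the sample lines, and the use of the shared /gateway/ path shape as a secondary signal for rotated infrastructure are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit
# C&C indicators exactly as published in the table above (defanged: hxxps, [.]).
DEFANGED_C2 = [
    "hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n",
    "hxxps://openai-pidor-with-ai[.]com:6343/gateway/pqnrojhl.adc7k",
    "hxxps://178.16.53[.]236:6343/gateway/pqnrojhl.adc7k",
    "hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3",
    "hxxps://5.252.155[.]231/gateway/3jw9q65j.b3tit",
]
# Path shape shared by all five published URLs; assumption: weak secondary signal only, never a verdict on its own.
GATEWAY_PATH = re.compile(r"^/gateway/[a-z0-9]{8}\.[a-z0-9]{5}$")

def refang(ioc):
    """Reverse the usual defanging (hxxp -> http, [.] -> ., [:] -> :)."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")

def c2_endpoints(iocs):
    """Map host -> set of ports from the refanged URLs (https with no port means 443)."""
    endpoints = {}
    for ioc in iocs:
        parts = urlsplit(refang(ioc))
        port = parts.port or (443 if parts.scheme == "https" else 80)
        endpoints.setdefault(parts.hostname, set()).add(port)
    return endpoints

def scan_proxy_log(lines, iocs):
    """Return (line_no, reason) for lines hitting a known C&C host:port, or showing the
    /gateway/ path shape on an unlisted host. Assumed line format: '<ts> <client> <host> <port> <path>'."""
    known = c2_endpoints(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line, skip rather than crash the sweep
        _ts, _client, host, port, path = fields
        if host in known and int(port) in known[host]:
            hits.append((n, f"known Rhadamanthys C&C {host}:{port}"))
        elif GATEWAY_PATH.match(path):
            hits.append((n, f"C&C-like /gateway/ path on unlisted host {host}:{port}"))
    return hits

# Constructed sample proxy log, not real traffic; line 4 mimics a rotated (unlisted) C&C host.
SAMPLE_LOG = [
    "2025-09-23T10:01:02Z 10.0.0.17 178.16.53.236 6343 /gateway/pqnrojhl.adc7k",
    "2025-09-23T10:01:05Z 10.0.0.17 www.adobe.com 443 /products/photoshop.html",
    "2025-09-24T08:12:40Z 10.0.0.23 5.252.155.231 443 /gateway/3jw9q65j.b3tit",
    "2025-09-25T09:00:00Z 10.0.0.31 203.0.113.7 6343 /gateway/zz9q65jx.c4d2e",
]
```

Because the operators rotate C&C infrastructure every three to four days, the host:port match alone goes stale quickly; the path-shape hit on line 4 of the sample log is the kind of lead an analyst would triage rather than block outright.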