YouTube is widely recognized as one of the most popular and frequently visited platforms on the internet, offering an extensive array of content ranging from entertainment to educational tutorials. Whether someone wants to learn a new recipe, pick up a new skill like biking, or find assistance with work or school projects, YouTube seems to have a video for everything. However, recent research from cybersecurity firm Check Point Research has uncovered a troubling underbelly within the platform: a large and well-organized malware distribution network known as the YouTube Ghost Network. This covert operation exploits YouTube's vast audience and trust-based ecosystem to spread malware through videos that promise free software cracks and game cheats.
The YouTube Ghost Network has been active since 2021, but its activity has seen a significant surge, tripling in 2025 according to Check Point’s findings. The network operates by targeting users who are actively seeking "free" or cracked versions of popular software, game cheats, or hacking tools—search terms frequently used by those looking to bypass paying for software or gain unfair advantages in games. This curiosity-driven behavior essentially opens the door to the malware traps set by cybercriminals. The network’s success hinges on a clever combination of social engineering and technical stealth, leveraging fake engagement and compromised accounts to build a facade of legitimacy.
One of the key tactics employed by the Ghost Network is the use of fake social proof. Videos uploaded by compromised or fake YouTube accounts are flooded with positive comments, likes, and community posts that create an illusion of trustworthiness. This coordinated engagement is not incidental but an integral part of the operation’s design, helping to deceive viewers into believing the content is safe and widely accepted. Even when YouTube removes individual videos or bans channels, the network’s modular setup allows it to quickly replace these accounts, making takedown efforts only temporarily effective. This resilience enables the malware distribution campaign to persist and evolve over time.
When unsuspecting users click the links embedded in these videos or community posts, they are typically redirected to download or phishing pages hosted on legitimate services such as Google Sites, MediaFire, or Dropbox. The files offered are often password-protected archives. Because the contents of an encrypted archive cannot be scanned until the password is supplied, the payload passes through antivirus and download-gateway checks that would otherwise flag it. Victims are then instructed to disable Windows Defender (Windows' built-in antivirus, now branded Microsoft Defender) before proceeding with installation. This request is a major red flag: it disarms the user's primary defense at exactly the moment the payload is about to run. Once the user complies, the malware installs silently and the victim typically notices nothing.
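A gateway-side check for the password-protected-archive tactic described above, as an added example that is not part of Check Point's report or of this article. ZIP records encryption per entry in bit 0 of the general-purpose flag field, so a download proxy or mail gateway can recognize a password-protected archive from its metadata alone, without the password and without extracting anything. The archive below is constructed in memory with placeholder bytes (the "Setup.exe" entry is not a real executable); the risky-extension list and the block/review/allow verdicts are this example's own assumptions, not a published rule set.

```python
"""Flag password-protected entries in a ZIP without extracting them.

Constructed example: the sample archives are built in memory here and
contain placeholder bytes, not real malware. ZIP only; RAR and 7z mark
encryption differently (7z can even encrypt the file list itself).
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: entry is encrypted
# Assumed list of extensions a "crack" or "setup" lure would carry.
RISKY_EXT = (".exe", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi", ".dll")


def build_zip(entries):
    """Build a minimal STORED ZIP from (name, data, encrypted) tuples.

    For encrypted entries only the flag bit is set and the 12-byte
    traditional PKWARE encryption header is prepended, so sizes are
    self-consistent. Real lures carry real ciphertext; for metadata-based
    detection the flag bit is all that matters.
    """
    local = io.BytesIO()
    central = io.BytesIO()
    for name, data, encrypted in entries:
        name_b = name.encode("utf-8")
        flags = ENCRYPTED_FLAG if encrypted else 0
        body = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = local.tell()
        # Local file header: sig, version, flags, method (0 = stored), time,
        # date, crc, compressed size, uncompressed size, name len, extra len
        local.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                                crc, len(body), len(data), len(name_b), 0))
        local.write(name_b)
        local.write(body)
        # Central directory header for the same entry (46 bytes + name)
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                  flags, 0, 0, 0, crc, len(body), len(data),
                                  len(name_b), 0, 0, 0, 0, 0, offset))
        central.write(name_b)
    cd = central.getvalue()
    # End of central directory record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(cd), local.tell(), 0)
    return local.getvalue() + cd + eocd


def inspect_archive(blob):
    """Return (encrypted_names, total_entries, risky_names) for a ZIP blob.

    Only the central directory is read; no entry is decrypted or extracted,
    so this works on archives whose password we do not have.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    risky = [i.filename for i in infos if i.filename.lower().endswith(RISKY_EXT)]
    return encrypted, len(infos), risky


def triage(blob):
    """Assumed policy: encrypted executable -> block; any encryption -> review."""
    encrypted, _total, risky = inspect_archive(blob)
    if any(name in risky for name in encrypted):
        return "block"
    if encrypted:
        return "review"
    return "allow"


# Constructed samples: a lure-shaped archive and a harmless one.
SAMPLE_LURE = build_zip([
    ("README.txt", b"Turn off Windows Defender before running Setup.exe\r\n", False),
    ("Setup.exe", b"MZ" + b"\x00" * 62, True),   # placeholder bytes, not a binary
])
SAMPLE_CLEAN = build_zip([("notes.txt", b"meeting notes\n", False)])

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        enc, total, risky = inspect_archive(blob)
        print(f"{label}: {total} entries, encrypted={enc}, risky={risky} -> {triage(blob)}")
```

The point of the check is that encryption hides the payload from a scanner but not the fact that there is an encrypted payload; a gateway that treats "encrypted archive containing an executable" as a policy event catches the lure without needing the password. Archives whose file list is itself encrypted (7z with header encryption) defeat the name-based part, which is why the encryption flag alone already escalates to review.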
The types of malware distributed through the YouTube Ghost Network are primarily information stealers, including notorious programs such as Lumma Stealer, Rhadamanthys, StealC, and RedLine. These malicious programs are designed to extract sensitive information such as passwords, browser data, and other personal details, which they then transmit back to the attackers’ control servers. The network’s compartmentalized structure assigns roles to different compromised accounts: some are responsible for uploading malicious videos, others share download links, and a separate group boosts credibility by engaging positively with the content. This division of labor makes the operation highly efficient and difficult to dismantle.
Check Point's research highlighted two major campaigns that exemplify the Ghost Network's modus operandi. The first involved the Rhadamanthys infostealer, which was spread through a compromised YouTube channel named @Sound_Writer, boasting nearly 10,000 subscribers. Attackers uploaded fake cryptocurrency-related videos and used phishing pages hosted on Google Sites to distribute malicious archives. These pages coaxed viewers into temporarily disabling Windows Defender under the guise of false security alerts. Once installed, the malware connected to multiple command-and-control servers to exfiltrate stolen data, and the operators kept the campaign's infrastructure alive by rotating those servers regularly.
The second campaign leveraged a much larger channel, @Afonesio1, which had approximately 129,000 subscribers. This channel featured videos offering cracked versions of high-profile software like Adobe Photoshop, Premiere Pro, and FL Studio. One particularly popular video accumulated over 291,000 views and featured glowing comments attesting to the software's effectiveness. The malware was concealed within a password-protected archive linked through community posts. The installation chain used HijackLoader, a loader whose job is to stage and launch a second-stage payload, to deploy Rhadamanthys. As in the first campaign, the malware used rotating command-and-control servers to avoid detection and maintain control over infected machines.
It is important to note that users face risks even if they do not complete the installation process. Simply visiting the
