For some time now, security researchers have been tracking a highly active malicious network on YouTube. This network uploads and promotes videos that, at first glance, appear harmless (tutorials, game hacks, free downloads) but are actually designed to trick users into downloading malware.
The attackers exploit the enormous trust people place in YouTube and the popularity of certain types of content to distribute malicious software on a massive scale.
According to Check Point, this operation has been active since 2021 and has already published more than 3,000 malicious videos, with a concerning trend: so far this year alone, the volume of uploads has tripled. The campaign has been dubbed the “YouTube Ghost Network.”
The strategy is clear: attackers take control of hacked accounts, delete their original content, and replace it with videos promising pirated software or game hacks for titles like Roblox. Users who click on the links in the video descriptions end up infecting their devices with stealer-type malware designed to steal personal data, passwords, social media access, cryptocurrency, and more.
Some of these videos have reached alarming figures: between 147,000 and 293,000 views, showing the reach and effectiveness of this campaign. Google has already taken action and removed a large number of these videos, but the problem persists, and the network remains active.
At TecnetOne, we will continue monitoring these types of campaigns so you can always stay one step ahead and know how to protect yourself.
This malicious operation took advantage of trust signals like views, likes, and comments to make the content appear legitimate. At first glance, everything looked like a normal tutorial or a useful guide, but it was actually a well-crafted trap to spread malware.
What’s most concerning is the scale, organization, and refinement of this approach: a well-structured network that uses all the interaction tools offered by YouTube to deceive users and spread malicious software without raising suspicion.
While this may sound new to many, the truth is that using YouTube as a platform for malware distribution is nothing recent. For years, attackers have been hijacking legitimate channels or creating new accounts to upload videos with links in the description that redirect to malware.
In this particular campaign, the attackers take the strategy one step further. They not only post visually trustworthy content, but they also leverage every possible feature of the platform: videos, descriptions, posts (yes, YouTube also allows posting like a social network), and even comments. All of this is used to reinforce the perception that the content is authentic and safe, when in reality, it’s quite the opposite.
This type of attack is part of a growing trend: the abuse of legitimate platforms for malicious activities. It’s no longer just shady websites or suspicious files. Now, attackers are turning to tools we use every day (like YouTube, GitHub, or even legitimate ad networks) to spread their malware more efficiently and with less chance of detection.
A clear example of this strategy is what’s known as Ghost Networks: distributed networks of accounts that work together as if they were a single coordinated system. These networks don’t just appear trustworthy—they’re designed to survive.
How do they manage it? They use a role-based structure, meaning each account in the network has a specific function. If one account is blocked or deleted, it is simply replaced by another without affecting the rest of the system. This modular architecture allows the network to continue operating with almost no interruptions, making it an especially difficult threat to eliminate.
In YouTube’s case, many of these accounts have been compromised: they were originally legitimate but were hacked. Once inside, the attackers modify all the content and assign the account a new role within the malicious network.
The most dangerous part is that, thanks to this organization, malicious videos can remain active long enough to generate thousands (even hundreds of thousands) of views before being detected or taken down. By that point, they’ve already infected thousands of users.
Timeline of the Attack (Source: Check Point)
Within the YouTube Ghost Network, cybercriminals don’t act randomly. Everything is organized, and to ensure the operation runs so efficiently, they use three different types of accounts, each with a specific role:
Video accounts: These are the accounts that upload phishing videos, usually with eye-catching titles promising cracks, free licenses, or tools for games and cryptocurrency. In the descriptions (sometimes in pinned comments or even within the video itself), they include links to supposed downloads of the promoted software. Spoiler: it’s not software, it’s malware.
Community post accounts: These take advantage of YouTube’s “Community” feature, which not all users are familiar with. They post messages with external links disguised as announcements or promotions. It may sound innocent, but it’s another direct path to malware.
Engagement accounts: These are the ones that like, comment positively, and support the infected videos to make them look trustworthy—in other words, they create fake credibility. This helps deceive users who rely on likes and comments before deciding to download something.
The links shared by these accounts often lead users to well-known sites and services, giving a false sense of legitimacy. Some examples include:
MediaFire, Dropbox, or Google Drive: used to host infected files.
Google Sites, Blogger, Telegraph: used as bridge pages to distribute malicious links.
URL shorteners like Bit.ly: to hide the real destination of the link and avoid raising suspicion.
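The combination described above (a download on a file-sharing service, a bridge page on free hosting, a shortener hiding the final destination, all next to "crack" or "free" lure wording) is exactly what a defender can look for when triaging video descriptions. The following is an added example, not code from the article or from Check Point: a small Python triage routine that extracts links from a description, classifies each link's host against the service categories the article names, and flags the description when the risky combinations appear. The host lists and the sample description are constructed for illustration and are not a vetted blocklist.

```python
import re
from urllib.parse import urlparse

# Illustrative host lists built from the services named in the article.
# Constructed for this example; a real deployment would use a maintained list.
FILE_HOSTS = {"mediafire.com", "dropbox.com", "drive.google.com"}
BRIDGE_HOSTS = {"sites.google.com", "blogspot.com", "telegra.ph"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Lure wording the article associates with these videos.
LURE_TERMS = ("crack", "free", "hack", "license")

# Matches http(s) URLs up to whitespace or a closing delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _matches(host, candidates):
    """True if host equals a candidate or is a subdomain of one
    (e.g. user123.blogspot.com matches blogspot.com)."""
    return any(host == c or host.endswith("." + c) for c in candidates)


def classify_url(url):
    """Map a URL to one of: shortener, file_host, bridge_page, other."""
    host = _host(url)
    if _matches(host, SHORTENERS):
        return "shortener"
    if _matches(host, FILE_HOSTS):
        return "file_host"
    if _matches(host, BRIDGE_HOSTS):
        return "bridge_page"
    return "other"


def extract_urls(text):
    """Pull URLs out of free text, trimming trailing punctuation."""
    return [u.rstrip(".,") for u in URL_RE.findall(text)]


def triage_description(text):
    """Classify every link in a description and return the risk reasons.

    The result is flagged when the link pattern matches the article's
    description of the campaign: shortened links, file-host downloads next
    to lure wording, or a free-hosting bridge page combined with a download.
    """
    findings = [(u, classify_url(u)) for u in extract_urls(text)]
    categories = {c for _, c in findings}
    lowered = text.lower()
    lure_hits = [t for t in LURE_TERMS if t in lowered]

    reasons = []
    if "shortener" in categories:
        reasons.append("link destination hidden behind a URL shortener")
    if "file_host" in categories and lure_hits:
        reasons.append("download on a file-sharing service alongside lure terms: "
                       + ", ".join(lure_hits))
    if "bridge_page" in categories and ({"file_host", "shortener"} & categories):
        reasons.append("free-hosting bridge page combined with a download link")

    return {"findings": findings, "lure_terms": lure_hits,
            "reasons": reasons, "flagged": bool(reasons)}


# Constructed sample description in the style the article describes.
# The links are placeholders, not real campaign URLs.
SAMPLE_DESCRIPTION = """Free Photoshop 2025 crack - working 100%!
Download: https://bit.ly/EXAMPLE-SHORTLINK
Mirror: https://www.mediafire.com/file/EXAMPLE/setup.zip
Guide: https://sites.google.com/view/example-guide
Official docs: https://example.com/docs."""


if __name__ == "__main__":
    result = triage_description(SAMPLE_DESCRIPTION)
    for url, category in result["findings"]:
        print(f"{category:12} {url}")
    print("flagged:", result["flagged"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Subdomain matching matters here: bridge pages on Blogger or Google Sites live on per-user subdomains, so an exact host comparison would miss them. The function only inspects what is written in the description; it does not follow shortened links, which is the right default for an offline triage step and avoids touching the attacker's infrastructure from the analysis host.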
Once you click, it’s easy to fall for the trap—especially if you’re looking for something very specific (like a free version of expensive software) and the video has thousands of views.
The Ghost Network isn’t distributing just one type of malware, but rather a dangerous collection of stealers and loaders aimed at stealing all kinds of sensitive information.
Among the malware families detected are:
Lumma Stealer
Rhadamanthys Stealer
StealC Stealer
RedLine Stealer
Phemedrone Stealer
Various loaders and downloaders based on Node.js, such as Hijack Loader
These programs can steal passwords, login credentials, cookies, session tokens, banking data, and cryptocurrency wallets—all without the user noticing anything unusual on their device.
This network isn’t limited to small or low-visibility accounts. Channels of considerable size have also been found spreading malware. Some documented examples include:
@Sound_Writer (9,690 subscribers): Compromised for over a year. Posted videos related to cryptocurrency software that were actually distributing Rhadamanthys Stealer.
@Afonesio1 (129,000 subscribers): Hacked between December 2024 and January 2025. A video was uploaded promoting a pirated version of Adobe Photoshop that, once installed, executed Hijack Loader, which in turn downloaded Rhadamanthys.
This shows that it doesn’t matter how many followers a channel has—if it’s vulnerable, it can become a vehicle for malicious campaigns.
The YouTube Ghost Network is a clear example of how cybersecurity today isn’t just about avoiding suspicious emails or strange files, but about understanding how popular platforms are being manipulated to appear harmless while distributing real threats.
At TecnetOne, we recommend always staying alert, avoiding unknown links, and never downloading software from unofficial sources—no matter how convincing the video may seem.