A malicious network operating on YouTube has been identified publishing and promoting over 3,000 malicious videos that funnel unsuspecting users into malware downloads. The campaign, active since 2021 and dubbed the YouTube Ghost Network by Check Point, has seen its volume of uploads triple in the past year.
Threat actors hijack legitimate YouTube accounts, replace their content with videos featuring pirated software or game cheats—particularly for Roblox—and embed download links to install malware. Some of these videos have garnered between 147,000 to 293,000 views, leveraging high view-counts and comments to appear trustworthy.
According to Check Point’s security research group manager Eli Smadja:
“What looks like a helpful tutorial can actually be a polished cyber trap… The scale, modularity and sophistication of this network make it a blueprint for how threat actors now weaponise engagement tools to spread malware.”
The network assigns distinct roles to accounts:
Video-accounts upload the malicious content and link to malware downloads.
Post-accounts send community posts with external links.
Interact-accounts bolster the videos with likes and comments to build trust.
Many of the malicious links redirect via services like Dropbox, MediaFire, or phishing pages on Google Sites or Blogger, with URL shorteners used to hide their true destinations. Malware distributed includes families such as Rhadamanthys Stealer, RedLine Stealer, and Lumma Stealer.
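The redirect pattern described above (URL shorteners in front of file-hosting or site-builder pages, paired with "cracked software" or "cheat" lures) can be turned into a simple triage heuristic for video descriptions and comments. The following is an added example written for this article, not Check Point's tooling; the host lists and the lure keywords are illustrative assumptions, and the sample descriptions are constructed.

```python
import re
from urllib.parse import urlparse

# Host categories follow the redirect chain the article describes.
# Assumption: these lists are illustrative, not an exhaustive blocklist.
FILE_HOSTS = {"dropbox.com", "mediafire.com"}
SITE_BUILDERS = {"sites.google.com", "blogspot.com"}   # Google Sites / Blogger
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
LURE_WORDS = ("crack", "cracked", "cheat", "free download", "keygen")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def normalize_host(url: str) -> str:
    """Lower-case the hostname and drop a leading 'www.' so lookups match."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(url: str) -> str:
    """Map a URL to one of the hop types seen in the Ghost Network chain."""
    host = normalize_host(url)
    if host in FILE_HOSTS:
        return "file-host"
    if host in SITE_BUILDERS or host.endswith(".blogspot.com"):
        return "site-builder"
    if host in SHORTENERS:
        return "shortener"
    return "other"


def triage_description(text: str) -> dict:
    """Score one description/comment: +1 per risky hop type, +1 if a lure
    keyword accompanies a risky link. flag=True at score >= 2."""
    urls = URL_RE.findall(text)
    categories = [classify_host(u) for u in urls]
    risky = {c for c in categories if c != "other"}
    lure = any(w in text.lower() for w in LURE_WORDS)
    score = len(risky) + (1 if lure and risky else 0)
    return {"urls": urls, "categories": categories, "lure": lure,
            "score": score, "flag": score >= 2}


# Constructed sample descriptions (not real channel content).
SAMPLES = [
    "Photoshop 2024 cracked, no key needed! Download: https://bit.ly/xyz "
    "mirror https://www.mediafire.com/file/abc",
    "Official tutorial, source on https://github.com/example/repo",
    "Roblox cheat menu, link https://sites.google.com/view/whatever",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage_description(s))
```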
Check Point observed that the role-based structure allows continuity even when individual accounts are banned, effectively enabling the ghost network to persist. The compromised channels include one with ~9,690 subscribers that deployed Rhadamanthys via a “cryptocurrency software” video, and another with ~129,000 subscribers compromised to distribute fake Adobe Photoshop installers.
This incident is part of a broader trend where threat actors exploit major platforms’ trust mechanisms and social features to distribute malware at scale. The takeaway: even videos and channels with high engagement can be malicious—users should exercise extreme caution when downloading “cracked” software or clicking external links from tutorial-style videos.