Concise Cyber

YouTube ‘Ghost Network’: Over 3,000 Videos Used to Spread Malware

Massive Malware Campaign Uncovered on YouTube

A significant malicious operation, active since 2021, has been identified on YouTube, where it published over 3,000 videos to distribute malware. The campaign, codenamed the YouTube Ghost Network by cybersecurity firm Check Point, leveraged the platform’s vast user base to propagate harmful payloads. The volume of malicious video uploads has tripled since the beginning of the year, indicating a rapid escalation of the threat. In response to the discovery, Google has removed a majority of the identified videos from its platform.

The operation involved a network of YouTube accounts that were compromised by attackers. After gaining control, the threat actors would replace the existing content with new videos designed to lure unsuspecting users into downloading malware. These malicious videos primarily focused on topics like pirated software and cheats for the popular game Roblox, targeting users actively searching for such content.

Tactics, Techniques, and Impact

The Ghost Network’s success relied on abusing trust signals inherent to the YouTube platform. Some of the malicious videos managed to accumulate hundreds of thousands of views, with view counts ranging from 147,000 to 293,000. These high numbers, combined with likes and comments, made the videos appear legitimate and safe to potential victims. The primary goal of the campaign was to infect users with stealer malware, a type of malicious software designed to steal sensitive information from a victim’s computer.

According to a statement on the operation’s methods, “This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe,…” This strategy effectively turned hacked accounts with established histories into traps, exploiting the trust their subscribers and other viewers had in the channel.

Source: https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.html