From Cracked to Hacked: Malware Spread via YouTube Videos

Threat actors are compromising older YouTube accounts to upload videos that redirect victims via shortened links (Rebrandly/Bitly) and Telegraph pages to file-hosting services (MediaFire), delivering password‑protected archives that unpack to .NET binaries (commonly Redline or RaccoonStealer). These payloads execute (spawning vbc.exe), contact C2 servers (e.g., 95.217.14[.]200) and can be rapidly swapped via the Telegraph redirect to evade detections. #Redline #TropiCracked

Keypoints

  • Threat actors take over older/abandoned YouTube accounts and upload short videos advertising “cracked” software to lure victims.
  • Video descriptions use shortened links (Rebrandly/Bitly) that redirect to Telegraph pages, which then link to file hosts like MediaFire hosting passworded .rar archives.
  • Downloaded archives contain Setup.exe, a SmartAssembly-packed .NET binary that, once run, spawns vbc.exe and attempts connections to the C2 at 95.217.14[.]200.
  • Payloads observed are primarily commodity infostealers and loaders (Redline, RaccoonStealer, Vidar, SmokeLoader), inexpensive MaaS offerings enabling broad campaigns.
  • SEO poisoning (tags in target languages) and manufactured positive comments are used to increase visibility and perceived trustworthiness of malicious videos.
  • Attackers use an indirection layer (Telegraph) so a single page edit swaps the hosted binary for every video already posted; links in old descriptions never change, but resolve to a new payload with a new hash, defeating signature-based detections.

MITRE Techniques

  • [T1650] Acquire Access – Actors acquire access to resources (YouTube accounts) used to distribute payloads. (‘compromised YouTube accounts’)
  • [T1586.001] Compromise Accounts: Social Media Accounts – Credentials for older accounts appear to have been reused (likely from leaks) to host malicious uploads and descriptions. (‘older YouTube accounts to host links to malware’)
  • [T1588.001] Obtain Capabilities: Malware – Operators obtain commodity infostealers and loaders (Redline, RaccoonStealer) as MaaS. (‘Redline’, ‘RaccoonStealer’)
  • [T1608.001] Stage Capabilities: Upload Malware – Malware binaries are uploaded to file hosting services (MediaFire) for delivery. (‘Mediafire download link’)
  • [T1608.005] Stage Capabilities: Link Target – Shortened links (Rebrandly/Bitly) and Telegraph pages are used as indirection to the final download. (‘Rebrandly link’, ‘Telegraph link’)
  • [T1608.006] Stage Capabilities: SEO Poisoning – Tags and multilingual metadata are added to increase search visibility in target regions. (‘tags related to searches for the cracked software’)
  • [T1204.002] User Execution: Malicious File – Victims manually download and run the provided Setup.exe from passworded archives. (‘running the file leads to infection’)
  • [T1055] Process Injection – Setup.exe spawns vbc.exe, the legitimate Visual Basic Command Line Compiler shipped with the .NET Framework, and the C2 connections are observed from that process, consistent with injection into a trusted host process for evasion. (‘spawning the Visual Basic Command Line Compiler process vbc.exe’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications use web protocols to contact servers (e.g., 95[.]217[.]14[.]200). (‘attempted connections to the C2 address 95[.]217[.]14[.]200’)

Indicators of Compromise

  • [Download URLs] Redirect chain and hosting – telegra[.]ph/Download-Link-11-24-17, telegra[.]ph/Download-07-19-11 (Telegraph pages linking to MediaFire)
  • [Shortened links] Link redirection services used – cutt[.]us/cwPtJ, bit[.]ly/Ae-crack (used in video descriptions)
  • [File-hosting / payload URLs] MediaFire and other file hosts – examples observed in Telegraph pages directing to MediaFire download pages
  • [C2 IP] Command-and-control – 95[.]217[.]14[.]200 (observed connection attempts from executed payload/vbc.exe)
  • [File names] Delivered artefacts – Setup (PA$S 5577).rar -> Setup.exe (passworded archive and extracted executable)
  • [Hashes] Malware binaries – 4bd97df9a302f8b432031122a512b5c0eaac16c29d7c9fa3011ad38a7465be3e, 0c0f10e45d6600cac802471617ede4b564429a14fb2a14c7b3e6ab6fea9bc9f6 (observed Setup.exe variants)

Attack flow (technical procedure): operators first gain access to aged YouTube accounts (likely via leaked credentials) and upload short videos that instruct viewers to use a download link and password in the description. Those links use URL-shortening services (Rebrandly/Bitly) that redirect to Telegraph pages; the Telegraph page contains the actual file-hosting URL (commonly MediaFire) where a password‑protected .rar archive is hosted. Victims who download and extract the archive obtain Setup.exe, which is a SmartAssembly‑packed .NET binary masquerading as legitimate software.

Payload execution and behavior: executing Setup.exe results in the process spawning vbc.exe (Visual Basic Command Line Compiler) and the malware opening network connections to a hardcoded C2 (notably 95[.]217[.]14[.]200). Static analysis and VirusTotal results identified these binaries as Redline (and other commodity infostealers/loaders); the SmartAssembly packing has to be stripped (de4dot) before the assembly can be decompiled and debugged (dnSpy). The attacker architecture enables rapid binary swaps: updating the MediaFire URL on the Telegraph page makes every previously posted YouTube description resolve to a new payload with a different hash, without touching the videos, which defeats signature-based detections.

Operational techniques and detection implications: attackers increase reach via SEO poisoning (multilingual tags) and manufactured positive comments to boost trust. Defenders should monitor for the redirect chain pattern (shortener -> Telegraph -> file host), delivery of password-protected archives whose password is advertised alongside the link, .NET binaries run from user-writable paths that spawn vbc.exe, outbound connections from vbc.exe or to known C2 IPs, and rely on behavior-based detection (process lineage, network activity from binaries that should not talk to the internet) to catch variant payloads that bypass signature controls.
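The redirect chain from the attack-flow paragraph and the detection points listed directly above, expressed as runnable rules. This is an added example, not Cybereason's code or anything from the original write-up: the indicator sets, the Sysmon-style event shape, the list of legitimate vbc.exe parents, the mediafire.com URL and the process IDs are assumptions constructed for the example; the shortener, Telegraph, C2 and archive-name values come from the IOC list above.

```python
"""Detection rules for the YouTube 'cracked software' delivery chain.

Added example (not the original page's code). Indicator lists, event shape
and sample data are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# --- Constructed indicator lists (a real deployment would load a feed) ----
SHORTENER_HOSTS = {"rebrand.ly", "bit.ly", "cutt.us"}   # rebrand.ly assumed
INDIRECTION_HOSTS = {"telegra.ph"}
FILE_HOSTS = {"mediafire.com"}
KNOWN_C2 = {"95.217.14.200"}                            # from the IOC list
# Assumption: only the .NET build toolchain legitimately launches vbc.exe.
EXPECTED_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

# Matches password hints embedded in archive names: "PA$S 5577", "pass 1234",
# "password: 9999". Requires at least three digits so plain "pass" is ignored.
PASSWORD_IN_NAME = re.compile(r"pa[s$]{1,2}\w*\s*[:=]?\s*\d{3,}", re.IGNORECASE)


def _host(url: str) -> str:
    """Lower-case host with a leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _stage(url: str) -> str:
    host = _host(url)
    if host in SHORTENER_HOSTS:
        return "shortener"
    if host in INDIRECTION_HOSTS:
        return "indirection"
    if host in FILE_HOSTS:
        return "filehost"
    return "other"


def classify_redirect_chain(hops):
    """Label each hop and report whether the chain contains the
    shortener -> indirection -> filehost sequence. Matching is by
    subsequence, so an extra hop in between does not break the match."""
    stages = [_stage(u) for u in hops]
    wanted = ["shortener", "indirection", "filehost"]
    found = 0
    for stage in stages:
        if found < len(wanted) and stage == wanted[found]:
            found += 1
    return {"stages": stages, "matches": found == len(wanted)}


def passworded_archive_name(filename: str) -> bool:
    """True for archives that carry their password in the file name,
    like 'Setup (PA$S 5577).rar' from the IOC list."""
    is_archive = filename.lower().endswith((".rar", ".zip", ".7z"))
    return is_archive and PASSWORD_IN_NAME.search(filename) is not None


def suspicious_process_events(events):
    """Apply three behavioural rules to Sysmon-style events.

    Assumed event shape (constructed for this example):
      {"type": "process", "pid", "image", "parent_image"}
      {"type": "network", "pid", "image", "dest_ip"}
    Returns a list of (rule_name, pid) findings in event order."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process":
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            if image == "vbc.exe" and parent not in EXPECTED_VBC_PARENTS:
                findings.append(("vbc_unexpected_parent", ev["pid"]))
        elif ev["type"] == "network":
            if ev["dest_ip"] in KNOWN_C2:
                findings.append(("known_c2_contact", ev["pid"]))
            if image == "vbc.exe":
                # A compiler has no reason to open outbound connections.
                findings.append(("vbc_network_activity", ev["pid"]))
    return findings


# --- Constructed sample input, modelled on the behaviour in the write-up ---
SAMPLE_CHAIN = [
    "https://bit.ly/Ae-crack",
    "https://telegra.ph/Download-07-19-11",
    "https://www.mediafire.com/file/x1y2z3/Setup.rar/file",  # placeholder key
]
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SETUP = r"C:\Users\victim\Downloads\Setup\Setup.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": SETUP,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 4188, "image": VBC, "parent_image": SETUP},
    {"type": "network", "pid": 4188, "image": VBC, "dest_ip": "95.217.14.200"},
    # Benign: vbc.exe launched by MSBuild during a build, no network activity.
    {"type": "process", "pid": 5000, "image": VBC,
     "parent_image": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe"},
]

if __name__ == "__main__":
    print(classify_redirect_chain(SAMPLE_CHAIN))
    print(passworded_archive_name("Setup (PA$S 5577).rar"))
    for rule, pid in suspicious_process_events(SAMPLE_EVENTS):
        print(rule, pid)
```

The three process rules are deliberately independent: the parent-process rule fires before any network activity, the C2 rule is signature-based and will miss the next swapped binary, and the vbc.exe-with-network rule is the one that survives a hash change, which is the point of the Telegraph indirection described above.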

Read more: https://www.cybereason.com/blog/from-cracked-to-hacked-malware-spread-via-youtube-videos