Dissecting YouTube’s Malware Distribution Network

Check Point Research uncovered a coordinated YouTube Ghost Network that has uploaded over 3,000 malicious videos since 2021 to distribute infostealers (notably Lumma and Rhadamanthys), using role-based accounts, fabricated positive engagement, and platform features to build trust. The campaign shifted from Lumma to Rhadamanthys after the Lumma disruption in 2025 and concentrated on “Game Hacks/Cheats” and “Software Cracks/Piracy” content, driving high view counts for the targeted videos. #Lumma #Rhadamanthys

Keypoints

  • Check Point Research identified a YouTube Ghost Network of compromised accounts that systematically promote malicious downloads through videos, posts, descriptions, and comments.
  • The network comprises role-based accounts (video-accounts, post-accounts, interact-accounts) to upload malware, share download links/passwords, and create positive engagement to appear legitimate.
  • Over 3,000 malicious videos were reported and most have been removed; activity dates from ~2021 and surged in 2025, tripling previous years’ volume.
  • Primary targets were “Game Hacks/Cheats” (e.g., Roblox-related content) and “Software Cracks/Piracy” (notably Adobe products and FL Studio), with some videos reaching hundreds of thousands of views.
  • Malware distribution methods included password-protected archives, redundant hosting (MediaFire, Dropbox, Google Drive), phishing pages (Google Sites, Blogspot, Telegraph), shortened URLs, and instructions to disable Windows Defender.
  • Infostealers were the predominant payloads; Lumma was dominant until its disruption (Mar–May 2025), after which Rhadamanthys became the preferred infostealer.
  • Attackers regularly update payloads and rotate short-lived C2 servers to evade detection and reputation-based defenses, using low-detection MSI/EXE samples and frequent rebuilds.

MITRE Techniques

  • [T1071] Application Layer Protocol – Malware communicates with remote command-and-control servers over HTTP(S) (e.g., “Rhadamanthys infostealer … communicating with the command-and-control (C2) endpoint hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n”).
  • [T1195] Supply Chain Compromise – Compromised YouTube accounts are used to distribute malicious payloads by hijacking legitimate channels and content (“accounts within these networks are often compromised, and legitimate content is frequently hijacked to host malicious material”).
  • [T1204] User Execution – Victims are tricked into executing installers from cracked software and password-protected archives, often following instructions to disable Windows Defender (“Turn off Windows Defender temporarily … the archive is clean. Defender may trigger a false alert”).
  • [T1105] Ingress Tool Transfer – Threat actors host payloads on file-sharing services and phishing pages, enabling users to download malicious files (e.g., “external links provided typically redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites”).
  • [T1091] Replication Through Removable Media (analogous) / Archive Evasion (defensive evasion) – Use of password-protected archives to prevent automated scanning and evade inspection (“password-protected archives are used to evade inspection, as security solutions cannot decompress and analyze the contents without the password”).
  • [T1499] Endpoint Denial of Service (behavioral evasion via disablement) – Instructions to disable security controls (Windows Defender) to allow payload installation (“Step-by-step instructions are often provided, commonly advising users to ‘temporarily’ disable Windows Defender”).

Indicators of Compromise

  • [File Hash] Campaign I & Campaign II samples – Set-up.zip: 92c26a15336f96325e4a3a96d4206d6a5844e6a735af663ba81cf3f39fd6bdfe, Adobe.Photoshop.2025.rar: 7d9e36250ce402643e03ac7d67cf2a9ac648b03b42127caee13ea4915ff1a524.
  • [File Hash] Executables/MSI – Campaign I Set-up.exe (Rhadamanthys): b429a3e21a3ee5ac7be86739985009647f570548b4f04d4256139bc280a6c68f; Campaign II Set-Up.msi: ad81b2f47eefcdce16dfa85d8d04f5f8b3b619ca31a14273da6773847347bec8.
  • [Domain/URL] C2 endpoints and phishing hosts – Rhadamanthys C2s: hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n, hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3; phishing hosting: sites.google.com (Google Sites phishing pages), telegra.ph (Telegraph).
  • [File Name] Observed payload filenames – Adobe.Photoshop.2024.v25.1.0.120.exe (malicious cracked installer), Remote-Vector32.exe (dropped payload name), and bw97v41m.exe (launcher inside MSI).
  • [IP Address] Additional C2 IPs – 178.16.53[.]236:6343, 5.252.155[.]231 and 5.252.155[.]99 (C2 rotation examples).
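The indicators above are published defanged (hxxps, [.]), so they cannot be compared to logs as written. The following added example (not Check Point's code) refangs the C2 URLs and IPs listed in this summary, reduces them to a host watchlist, and scans constructed proxy log lines for connections to those hosts; the log format is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit

# C2 endpoints and IPs exactly as defanged in the report summary above.
DEFANGED_IOCS = [
    "hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n",
    "hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3",
    "178.16.53[.]236:6343",
    "5.252.155[.]231",
]

def refang(ioc: str) -> str:
    """Undo hxxp/[.] defanging so the value can be compared with real log data."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

def host_of(value: str) -> str:
    """Return the bare host of a URL or host:port string (defanged input is accepted)."""
    value = refang(value)
    if "://" not in value:
        value = "//" + value          # lets urlsplit treat host:port as a netloc
    return urlsplit(value).hostname or ""

def build_watchlist(defanged: list) -> dict:
    """Map each C2 host to the refanged indicator(s) it was derived from."""
    watch = {}
    for ioc in defanged:
        watch.setdefault(host_of(ioc), set()).add(refang(ioc))
    return watch

# Constructed proxy log lines (assumed format: "<ts> <src_ip> <method> <dest> <status>").
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.12 GET https://www.example.com/index.html 200
2025-06-01T10:00:05Z 10.0.0.45 POST https://94.74.164.157:8888/gateway/6xomjoww.1hj7n 200
2025-06-01T10:00:09Z 10.0.0.45 CONNECT 178.16.53.236:6343 200
2025-06-01T10:00:12Z 10.0.0.77 GET https://5.252.155.231/gateway/zzzz 404
"""

def scan_log(log_text: str, watch: dict) -> list:
    """Return (src_ip, c2_host) for every line whose destination host is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = host_of(parts[3])      # works for full URLs and bare host:port (CONNECT)
        if host in watch:
            hits.append((parts[1], host))
    return hits

if __name__ == "__main__":
    for src, host in scan_log(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS)):
        print(f"{src} contacted known Rhadamanthys C2 host {host}")
```

Because the report notes that the operators rotate short-lived C2 servers, host matches on these addresses age quickly and should be treated as a starting point alongside behavioural detection (archive passwords in video descriptions, Defender being disabled before an installer runs) rather than as a durable block list.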

Read more: https://research.checkpoint.com/2025/youtube-ghost-network/