Threat Actors Exploit YouTube Channels to Spread Infostealers (Vidar and LummaC2)

AhnLab ASEC reports threat actors are compromising legitimate YouTube channels to post links to password-protected MediaFire archives that contain Infostealers, notably Vidar and LummaC2. The campaigns use masqueraded installers, large padded files to evade detection, and legitimate services (Telegram, Steam Community) for command-and-control. #Vidar #LummaC2

Keypoints

  • Attackers are hijacking existing popular YouTube channels (including one with >800k subscribers) to publish videos that link to malware downloads.
  • Malware is hosted on MediaFire as password-protected archives containing installers disguised as cracked software.
  • Distributed Infostealers include Vidar and LummaC2; Vidar uses a loader (patched msedge_elf.dll) that decrypts embedded payload files (berley.asp, complot.ppt).
  • Operators inflate installer file sizes (e.g., ~800 MB) and use padding to evade detection; archives are password protected to further hinder inspection.
  • Vidar uses Telegram and Steam Community for C2; both families steal credentials from browsers, email, FTP clients, cryptocurrency wallets, and capture screenshots.
  • Observed behaviors include process injection/hollowing and remote exfiltration to various C2 domains and IPs; multiple MD5 hashes and C2 URLs are published as IOCs.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Attackers host malware on MediaFire and provide download links in video descriptions/comments so victims retrieve malicious installers (‘All of the malware are uploaded to MediaFire and are compressed with password protection.’).
  • [T1204.002] User Execution – The campaign relies on victims running supplied installers such as “Set-up.exe” which launches the malicious payload (‘The “Set-up.exe” file that will generally be run by the user…’).
  • [T1027] Obfuscated Files or Information – Files are intentionally padded and archives password-protected to evade detection and static analysis (‘file size is intentionally enlarged to around 800 MB to evade the detection of security products’).
  • [T1036] Masquerading – Malware is disguised as legitimate installers and uses legitimate filenames (e.g., patched msedge_elf.dll) to appear benign (‘Edge’s “identity_helper.exe”… when the file is run, the “msedge_elf.dll” file… is actually the patched malware’).
  • [T1055] Process Injection – Detected behavior includes injection/hollowing used by the payload to run stealthily in victim processes (‘Behavior Detection – Injection/MDP.Hollowing.M4180’).
  • [T1102] Web Service – Vidar uses legitimate web services such as Telegram and Steam Community for command-and-control communication (‘To communicate with the C&C server, Vidar uses Telegram and Steam Community.’).
  • [T1555.003] Credentials from Web Browsers – Infostealers harvest stored credentials and wallet files from browsers and other local stores (‘steals account credentials from web browsers, emails, and FTP clients, and it also steals cryptocurrency wallet files or screenshots’).

Indicators of Compromise

  • [MD5 hashes] reported malicious files – af273f24b4417dce302cf1923fb56c71 (Vidar loader msedge_elf.dll), e8201c07fcb62107a91411c55c261fab (Vidar Setup.exe), and 4 more hashes.
  • [File names] malicious installers and payloads – Set-up.exe / Setup.exe (installer), msedge_elf.dll (patched loader), berley.asp / complot.ppt (encoded payloads).
  • [Domains / Web services] C2 and API endpoints – hxxps://steamcommunity[.]com/profiles/76561199658817715 (Vidar C2), hxxps://t[.]me/sa9ok (Vidar Telegram), and multiple .shop API domains used by LummaC2 (e.g., interferencesandyshiw[.]shop/api).
  • [IP addresses] C2 infrastructure – 78.47.221[.]177 (Vidar), 95.216.176[.]246:5432 (Vidar).

Threat actors compromised legitimate YouTube channels and uploaded videos that advertised cracked commercial software with download links pointing to password-protected MediaFire archives. Victims who download and extract these archives find installer-style executables; in Vidar cases the user-facing binary (e.g., identity_helper.exe / Set-up.exe) loads a patched msedge_elf.dll which decrypts embedded files (berley.asp, complot.ppt) used as shellcode and payloads. Operators deliberately pad installers (example: ~800 MB inflated files that compress down significantly) and use archive passwords to hinder detection and automated scanning.

Once executed, the Infostealers (Vidar, LummaC2) perform credential and data theft from web browsers, email clients, FTP clients, and cryptocurrency wallets, capture screenshots, and may download additional malware. Vidar variants were observed communicating with C2 over legitimate services (Telegram channels and Steam Community profiles) and direct IP endpoints; behavior detections include process injection/hollowing. File- and behavior-based detections and multiple MD5 hashes for loaders and payloads are provided in the report.

For incident response, focus on the published IOCs (MD5s, filenames, C2 domains/IPs), block the identified domains and IPs, monitor for execution of installer-named binaries and msedge_elf.dll variants, and search for indicators of data exfiltration via Telegram/Steam endpoints. Preserve affected systems for forensic analysis and apply updated detections (the listed file detections and behavior detection) when scanning for related infections.
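As an added example (not code from the ASEC report or this summary), a small Python IOC matcher that refangs the indicators listed above and checks the destination field of proxy log lines, plus a set of file MD5s, against them. The log line format (timestamp, source IP, method, destination, status) and the sample lines are constructed assumptions.

```python
import re

# Indicators copied from the summary above, kept in their published defanged form.
IOC_MD5 = {
    "af273f24b4417dce302cf1923fb56c71": "Vidar loader (msedge_elf.dll)",
    "e8201c07fcb62107a91411c55c261fab": "Vidar Setup.exe",
}
IOC_NETWORK = {
    "hxxps://steamcommunity[.]com/profiles/76561199658817715": "Vidar C2 (Steam Community)",
    "hxxps://t[.]me/sa9ok": "Vidar C2 (Telegram)",
    "interferencesandyshiw[.]shop/api": "LummaC2 API domain",
    "78.47.221[.]177": "Vidar C2 IP",
    "95.216.176[.]246:5432": "Vidar C2 IP",
}
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)", re.IGNORECASE)

def refang(ioc):
    """Reverse the hxxp / [.] defanging used in published IOC lists."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def host_of(url_or_host):
    """Bare hostname or IP from a URL, host:port, or plain host string."""
    m = HOST_RE.match(url_or_host.strip())
    return m.group(1).lower() if m else ""

# Resolve each IOC to its host once, so log lookups are exact matches, not substrings.
IOC_HOSTS = {host_of(refang(i)): label for i, label in IOC_NETWORK.items()}

def scan_proxy_log(lines):
    """Match the destination field (4th column, assumed format) of each log line
    against IOC hosts; return a list of (line_no, host, label) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        host = host_of(fields[3])
        if host in IOC_HOSTS:
            hits.append((n, host, IOC_HOSTS[host]))
    return hits

def match_hashes(md5s):
    """Return {md5: label} for any supplied hash that is a published IOC."""
    return {h.lower(): IOC_MD5[h.lower()] for h in md5s if h.lower() in IOC_MD5}

# Constructed sample proxy log lines (not from the report); bt.me is a near-miss
# included to show that matching is on the exact host, not a substring.
SAMPLE_LOG = [
    "2024-01-10T09:12:03Z 10.0.0.21 GET https://example.com/index.html 200",
    "2024-01-10T09:12:44Z 10.0.0.21 GET https://steamcommunity.com/profiles/76561199658817715 200",
    "2024-01-10T09:13:01Z 10.0.0.21 CONNECT 95.216.176.246:5432 200",
    "2024-01-10T09:13:20Z 10.0.0.21 POST https://interferencesandyshiw.shop/api 200",
    "2024-01-10T09:14:00Z 10.0.0.21 GET https://bt.me/sa9ok 404",
]
```

Feed `match_hashes` with MD5s computed from quarantined files and `scan_proxy_log` with real proxy export lines in the same column order.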

Read more: https://asec.ahnlab.com/en/63980/