YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”

YTStealer is a YouTube authentication cookie stealer marketed on the dark web, designed to harvest credentials and channel data from creators. It evades analysis with sandbox checks, uses headless browser automation to validate cookies and collect YouTube Studio details, and exfiltrates encrypted data to a C2 domain at youbot.solutions, often bundled with other stealers and delivered via fake installers.
Hashtags: #YTStealer #YouTubeCookies #YouTubeStudio #Aparat #OBSStudio

Keypoints

  • YTStealer’s sole objective is to steal YouTube authentication cookies and harvest channel data.
  • Before doing anything else it performs environment checks to detect whether it is being analyzed in a sandbox, and evades analysis on that basis.
  • Cookies are extracted from the browser's SQLite cookie database files in the user's profile folder.
  • It launches a web browser in headless mode and drives it with Rod (a Go library that controls Chromium over the DevTools protocol) to validate the stolen cookies by loading YouTube Studio and scraping channel details (name, subscriber count, monetization status, verification, etc.).
  • Stolen data is encrypted with a per-sample key and sent to a C2 server at youbot.solutions.
  • YTStealer is marketed as a service on the Dark Web and is often dropped alongside other stealers (e.g., RedLine, Vidar) by loaders.
  • Fake installers targeting creators span categories such as digital/video software, game mods/cheats, drivers, and cracks, underscoring the need to download software only from trusted sources.
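To make the cookie-theft step concrete, here is an added example (not code from the Intezer write-up or from YTStealer) that shows what a Chromium-family cookie stealer actually reads: the SQLite file named "Cookies" in the profile folder, which is locked while the browser runs and is therefore copied first and then queried. The schema subset, the sample rows and the list of Google/YouTube session-cookie names are constructed assumptions for this example; values are left encrypted because decrypting them needs the per-profile key from the browser's Local State file.

```python
"""Added example: copy-then-query of a Chromium "Cookies" SQLite file.

On Windows the real file usually lives under
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies.
Here a constructed copy is built offline so the script runs anywhere.
"""
import os
import shutil
import sqlite3
import tempfile

# Subset of the real Chromium `cookies` table (column names match Chromium;
# the full table carries more columns).
SCHEMA = """
CREATE TABLE cookies (
    creation_utc    INTEGER NOT NULL,
    host_key        TEXT NOT NULL,
    name            TEXT NOT NULL,
    value           TEXT NOT NULL,
    encrypted_value BLOB NOT NULL,
    path            TEXT NOT NULL,
    expires_utc     INTEGER NOT NULL,
    is_secure       INTEGER NOT NULL,
    is_httponly     INTEGER NOT NULL
)
"""

# Constructed sample rows. The encrypted_value blobs are placeholders, not
# real DPAPI/AES-GCM ciphertext; PREF and the example.com row are noise.
EXPIRES = 9_999_999_999_000_000
SAMPLE_ROWS = [
    (1, ".youtube.com", "SID",        "", b"v10\x00placeholder", "/", EXPIRES, 0, 0),
    (2, ".youtube.com", "HSID",       "", b"v10\x00placeholder", "/", EXPIRES, 0, 1),
    (3, ".youtube.com", "SSID",       "", b"v10\x00placeholder", "/", EXPIRES, 1, 1),
    (4, ".youtube.com", "LOGIN_INFO", "", b"v10\x00placeholder", "/", EXPIRES, 1, 1),
    (5, ".youtube.com", "PREF",       "", b"v10\x00placeholder", "/", EXPIRES, 0, 0),
    (6, ".example.com", "session",    "", b"v10\x00placeholder", "/", EXPIRES, 1, 1),
]

# Cookie names that carry the Google/YouTube login session. This is an
# assumption for the example; the write-up does not list which names
# YTStealer takes.
AUTH_COOKIE_NAMES = {"SID", "HSID", "SSID", "APISID", "SAPISID", "LOGIN_INFO",
                     "__Secure-1PSID", "__Secure-3PSID"}


def build_sample_cookie_db(directory):
    """Create a constructed Cookies file in `directory` and return its path."""
    path = os.path.join(directory, "Cookies")
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return path


def harvest_youtube_cookies(cookie_db_path):
    """Copy the Cookies file, open the copy read-only and return the YouTube
    auth cookies as (host_key, name, is_httponly, ciphertext_length)."""
    tmpdir = tempfile.mkdtemp()
    try:
        working_copy = os.path.join(tmpdir, "Cookies.copy")
        shutil.copy2(cookie_db_path, working_copy)      # the live file is locked
        con = sqlite3.connect(f"file:{working_copy}?mode=ro", uri=True)
        rows = con.execute(
            "SELECT host_key, name, is_httponly, encrypted_value FROM cookies "
            "WHERE host_key LIKE '%youtube.com' ORDER BY creation_utc"
        ).fetchall()
        con.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    return [(host, name, bool(httponly), len(blob))
            for host, name, httponly, blob in rows if name in AUTH_COOKIE_NAMES]


def run_demo():
    """Build the constructed database and harvest from it; returns the rows."""
    with tempfile.TemporaryDirectory() as d:
        return harvest_youtube_cookies(build_sample_cookie_db(d))


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The defensive takeaway is the file-level footprint: a non-browser process copying a "Cookies" file out of a browser profile directory (often to a temp folder) and opening it with SQLite is the observable act behind this technique.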

MITRE Techniques

  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware performs environment checks to detect whether it is being analyzed in a sandbox. ‘perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.’
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The cookies are extracted from the browser’s database files in the user’s profile folder. ‘The cookies are extracted from the browser’s database files in the user’s profile folder.’
  • [T1041] Exfiltration Over C2 Channel – Data is sent to a C2 server. ‘sends it together with a sample identifier to the command and control (C2) server located at the domain name youbot.solutions.’
  • [T1027] Obfuscated Files and Information – The stolen data is encrypted with a per-sample key before it leaves the host (encrypting collected data prior to exfiltration also fits T1560 Archive Collected Data). ‘The data is encrypted with a key that is unique for each sample.’
  • [T1036] Masquerading – The malware uses fake installers disguised as legitimate software to deliver payloads. ‘Most of the fake installers used were for cracked versions of legitimate software.’

Indicators of Compromise

  • [Domain] youbot.solutions – Exfiltration/C2 domain used by YTStealer to send stolen data; the one network indicator here worth blocking and hunting for (including subdomains).
  • [Domain] aparat.com – Context only: appears in imagery (logo/profile) tied to YOUBOT SOLUTIONS LLC. It is a legitimate video platform and is not by itself evidence of compromise.
  • [File Path] /home/admin/web/youbot.solutions/public_html/Builder/Sources – Builder source path disclosed in the write-up’s description of the malware’s infrastructure, tying the builder to the youbot.solutions host; a filesystem artefact, not a network indicator.
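Two detections that follow directly from the behaviour above, as an added example (not from the Intezer write-up): rule 1 flags DNS or proxy events for youbot.solutions or any subdomain of it, and rule 2 flags a Chromium-family browser started in headless mode by a process that is not itself a browser, which is how the stealer validates cookies against YouTube Studio. The key=value log format, field names and sample lines are constructed assumptions for this example; adapt the parser to your own telemetry.

```python
"""Added example: detection logic for YTStealer-style activity over
constructed log lines (key=value events, one per line)."""
import re

C2_DOMAIN = "youbot.solutions"
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Constructed sample telemetry. Line 5 is the stealer validating cookies:
# a fake installer (obs-setup.exe, hypothetical name) spawns headless Chrome
# with a throwaway profile. Line 6 is Chrome's own renderer helper, benign.
SAMPLE_LOGS = """\
type=dns host=WS01 query=api.youbot.solutions answer=203.0.113.10
type=dns host=WS01 query=www.youtube.com answer=142.250.0.1
type=proxy host=WS02 url=https://youbot.solutions/upload status=200 bytes_out=48211
type=proc host=WS01 image=chrome.exe parent=explorer.exe cmdline="chrome.exe --profile-directory=Default"
type=proc host=WS01 image=chrome.exe parent=obs-setup.exe cmdline="chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\\Users\\u\\AppData\\Local\\Temp\\ytp"
type=proc host=WS03 image=chrome.exe parent=chrome.exe cmdline="chrome.exe --headless --type=renderer"
"""

# key=value pairs; a value may be double-quoted (for command lines with spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one log line into a dict of its key=value fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_c2_domain(name):
    """Exact or subdomain match, case-insensitive; 'notyoubot.solutions' must not match."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def host_from_url(url):
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1) if m else ""


def detect_c2_contact(ev):
    """Rule 1: DNS query or proxied URL pointing at the exfiltration domain."""
    if ev.get("type") == "dns":
        return is_c2_domain(ev.get("query", ""))
    if ev.get("type") == "proxy":
        return is_c2_domain(host_from_url(ev.get("url", "")))
    return False


def detect_headless_browser(ev):
    """Rule 2: browser launched with --headless by a non-browser parent."""
    if ev.get("type") != "proc":
        return False
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if image not in BROWSER_IMAGES:
        return False
    # Chrome's own helper processes (renderer, gpu, ...) inherit --headless
    # but are parented by the browser itself; skip them to avoid noise.
    if parent in BROWSER_IMAGES:
        return False
    # Accept both "--headless" and the newer "--headless=new" form.
    return any(tok.startswith("--headless") for tok in ev.get("cmdline", "").split())


def scan(log_text):
    """Run both rules over every line; returns (line_no, rule, host) tuples."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_event(line)
        if detect_c2_contact(ev):
            alerts.append((lineno, "c2_contact", ev.get("host")))
        if detect_headless_browser(ev):
            alerts.append((lineno, "headless_browser", ev.get("host")))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Rule 2 on its own will also fire on legitimate automation (CI runners, PDF renderers), so in production pair it with the parent-process context, a user-data-dir under a temp folder, or a subsequent DNS hit on studio.youtube.com from the same host.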

Read more: https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/