Check Point Research has identified a growing 'Ghost Network' on YouTube that has distributed malware through fake software cracks and game hacks since 2021, with activity rising sharply in 2025. Cybercriminals use compromised and fake accounts to post polished videos offering cracked software or game cheats; viewers who follow the links end up downloading and running malware.
Distribution Methods
Attackers share links to password-protected archives hosted on file-sharing or phishing sites, including Google Sites and MediaFire. The password prevents the archive from being scanned at download time, and users are then instructed to disable Windows Defender before running the installer, so the payload is not scanned or blocked when it executes.
- Commonly distributed malware includes Lumma Stealer, Rhadamanthys, StealC, and RedLine.
- Installers frequently utilize loaders such as HijackLoader.
- Notable campaigns involve compromised channels spreading Rhadamanthys, targeting cryptocurrency enthusiasts with fake videos.
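The infection chain above leaves a recognisable pattern on the endpoint: a password-protected archive is extracted, Defender real-time protection is switched off, and an executable then runs from a user-writable folder. The following triage script is an added example, not code from Check Point Research or the original article; it correlates those steps over a constructed log. The Defender Operational event IDs (5001, 5010, 5012), the `Set-MpPreference -Disable*` switches and the `DisableRealtimeMonitoring`/`DisableAntiSpyware` registry values are real Windows artefacts, while the pipe-separated log format, the 30-minute window and every sample record are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified "timestamp|channel|event_id|detail" form
# (not real logs). Modelled on Defender Operational and Sysmon process/registry events.
SAMPLE_LOG = r"""
2025-03-04T10:01:12|Sysmon|1|Image=C:\Program Files\7-Zip\7z.exe CommandLine=7z.exe x -pfree2025 C:\Users\bob\Downloads\Photoshop_2025_Crack.rar
2025-03-04T10:02:40|Sysmon|1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
2025-03-04T10:02:41|Defender|5001|Real-time protection is disabled
2025-03-04T10:02:42|Sysmon|13|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details=DWORD (0x00000001)
2025-03-04T10:03:05|Sysmon|1|Image=C:\Users\bob\Downloads\Photoshop_2025_Crack\setup.exe CommandLine=setup.exe
2025-03-04T11:30:00|Sysmon|1|Image=C:\Program Files\Mozilla Firefox\firefox.exe CommandLine=firefox.exe
"""


@dataclass
class Event:
    ts: datetime
    channel: str
    event_id: int
    detail: str


def parse(log_text: str) -> list[Event]:
    """Parse the constructed pipe-separated records into Event objects."""
    events = []
    for line in log_text.strip().splitlines():
        ts, channel, eid, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), channel, int(eid), detail))
    return events


# Defender Operational log: 5001 real-time protection disabled,
# 5010 malware scanning disabled, 5012 virus scanning disabled.
DEFENDER_DISABLED_IDS = {5001, 5010, 5012}
# PowerShell tampering via the Defender cmdlet (-DisableRealtimeMonitoring etc.).
TAMPER_CMD = re.compile(r"Set-MpPreference\b.*-Disable\w+", re.IGNORECASE)
# Registry values that switch Defender off, whether set by policy or directly.
TAMPER_REG = re.compile(
    r"Windows Defender\\(Real-Time Protection\\DisableRealtimeMonitoring|DisableAntiSpyware)",
    re.IGNORECASE,
)
# Extraction of a password-protected archive with 7-Zip/WinRAR (-p<password> switch).
PASSWORD_EXTRACT = re.compile(r"(7z\w*|WinRAR|Rar)\.exe\b.*\s-p\S+", re.IGNORECASE)
# Process images launched from user-writable download/temp locations.
USER_WRITABLE = re.compile(
    r"Image=C:\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE
)


def is_tamper(ev: Event) -> bool:
    """True if the event records Defender protection being turned off."""
    if ev.channel == "Defender" and ev.event_id in DEFENDER_DISABLED_IDS:
        return True
    if ev.channel == "Sysmon" and ev.event_id == 1 and TAMPER_CMD.search(ev.detail):
        return True
    if ev.channel == "Sysmon" and ev.event_id == 13 and TAMPER_REG.search(ev.detail):
        return True
    return False


def password_extractions(events: list[Event]) -> list[Event]:
    """Process starts that extract an archive with an explicit password."""
    return [e for e in events
            if e.channel == "Sysmon" and e.event_id == 1 and PASSWORD_EXTRACT.search(e.detail)]


def find_suspicious_runs(events: list[Event], window: timedelta = timedelta(minutes=30)) -> list[Event]:
    """Executables launched from user-writable paths within `window` after a Defender tamper.

    The window is an assumed tuning value; the ordering (tamper first, then execution)
    is what separates the Ghost Network pattern from a benign download.
    """
    tamper_times = [e.ts for e in events if is_tamper(e)]
    hits = []
    for e in events:
        if e.channel != "Sysmon" or e.event_id != 1 or not USER_WRITABLE.search(e.detail):
            continue
        if any(timedelta(0) <= e.ts - t <= window for t in tamper_times):
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in password_extractions(evs):
        print(f"[context] {e.ts} password-protected archive extracted: {e.detail}")
    for e in find_suspicious_runs(evs):
        print(f"[ALERT]   {e.ts} execution after Defender tamper: {e.detail}")
```

On the constructed sample the 7-Zip extraction is reported as context, the three tamper indicators (cmdlet, event 5001, registry write) are collected, and only `setup.exe` is raised as an alert because it runs from `Downloads` after protection was disabled; the earlier extraction and the later Firefox launch do not match. In production the same correlation would be expressed as a SIEM rule over the real Defender and Sysmon channels rather than a script over flat text.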
Security Measures
Experts recommend avoiding cracked software and game cheats altogether. Users should keep antivirus protection active and up to date and never disable Windows Defender or other security tools, no matter what an installer's instructions say. Inspect links closely and avoid shortened or unfamiliar URLs. Use a password manager and enable two-factor authentication so that a stealer infection does not automatically hand over every account. Keep operating systems and applications updated, and consider data removal services to reduce the amount of personal information exposed online.
This malware network remains a continuing challenge: frequent payload updates and constantly changing control servers complicate both detection and takedown efforts. Experts stress that users should understand the risk they take on when running unauthorized software.