YouTube Ghost Network: 3,000+ Videos Unleash Malware on Users

Security researchers have uncovered a massive and sophisticated malware operation on YouTube, dubbed the "YouTube Ghost Network." This network has been actively publishing and promoting over 3,000 videos designed to trick users into downloading malicious software. The operation, active since 2021, saw a significant surge in activity in 2025, with the volume of malicious videos tripling.

Key Takeaways

  • A "YouTube Ghost Network" has been identified, comprising over 3,000 malicious videos.

  • These videos lure users with promises of pirated software and game cheats.

  • The network utilizes a combination of compromised and fake YouTube accounts to appear legitimate.

  • Malware distributed includes information stealers like Lumma and Rhadamanthys.

  • Google has taken action to remove a majority of the identified videos.

How The Ghost Network Operates

The YouTube Ghost Network leverages hacked and newly created accounts to upload malicious videos. These videos typically center on popular pirated software, such as Adobe Photoshop and Microsoft Office, or cheats for games like Roblox. They provide seemingly helpful tutorials that guide viewers to download password-protected archives, often hosted on services like Google Drive or Dropbox. Crucially, users are instructed to disable security software, such as Windows Defender, ostensibly to bypass "false positives" on the pirated content; in reality this removes the protection that would otherwise block the malware from being installed.
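The lure chain described above (archive fetched from a file-sharing service, Defender switched off, then an executable launched from the extracted folder) is something endpoint telemetry can catch. The following correlation script is an added example for this article, not code from the researchers or from any of the cited sources. It assumes a simplified, constructed telemetry schema (download, Defender and process events as Python dicts) and a 30-minute correlation window; the Windows Defender Operational log Event ID 5001 ("real-time protection disabled") and the Set-MpPreference -DisableRealtimeMonitoring cmdlet are real, the sample events and hostnames are constructed.

```python
"""Correlate endpoint telemetry for the 'download archive -> disable Defender ->
run extracted binary' chain. Sample events below are constructed for this example."""
import ntpath
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse

# File-sharing hosts named in the article as archive drop points (assumed list).
FILE_SHARING_HOSTS = ("drive.google.com", "dropbox.com")
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Microsoft-Windows-Windows Defender/Operational: 5001 = real-time protection disabled.
DEFENDER_DISABLED_EVENT_IDS = {5001}
# Command-line markers of the cmdlet such tutorials tell users to run.
DISABLE_RTP_MARKERS = ("disablerealtimemonitoring $true", "disablerealtimemonitoring 1")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # "download", "defender" or "process" (constructed schema)
    detail: dict = field(default_factory=dict)


def is_sharing_archive_download(ev: Event) -> bool:
    """Archive file saved from one of the file-sharing hosts."""
    if ev.kind != "download":
        return False
    host = urlparse(ev.detail.get("url", "")).hostname or ""
    host_ok = any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)
    return host_ok and ev.detail.get("path", "").lower().endswith(ARCHIVE_EXTS)


def is_defender_disable(ev: Event) -> bool:
    """Defender disablement seen either as the log event or as the cmdlet on a command line."""
    if ev.kind == "defender":
        return ev.detail.get("event_id") in DEFENDER_DISABLED_EVENT_IDS
    if ev.kind == "process":
        cmd = ev.detail.get("cmdline", "").lower()
        return any(marker in cmd for marker in DISABLE_RTP_MARKERS)
    return False


def is_exec_from(ev: Event, download_path: str) -> bool:
    """Process image located under the directory the archive was saved to (coarse heuristic)."""
    if ev.kind != "process":
        return False
    image = ntpath.normcase(ev.detail.get("image", ""))
    return image.startswith(ntpath.normcase(ntpath.dirname(download_path)) + "\\")


def correlate(events, window=timedelta(minutes=30)):
    """Return one alert per host/archive where all three stages occur inside the window."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for dl in evs:
            if not is_sharing_archive_download(dl):
                continue
            nearby = [e for e in evs if e is not dl and abs(e.ts - dl.ts) <= window]
            # Defender may be switched off before or after the download; execution must follow it.
            disable = next((e for e in nearby if is_defender_disable(e)), None)
            execs = [e for e in nearby if e.ts > dl.ts and is_exec_from(e, dl.detail["path"])]
            if disable and execs:
                alerts.append({"host": host, "archive": dl.detail["path"], "url": dl.detail["url"],
                               "defender_disabled_at": disable.ts, "executed": execs[0].detail["image"]})
    return alerts


T0 = datetime(2025, 10, 23, 10, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry
    # WS-01: full chain, disablement visible as Event ID 5001
    Event(T0, "WS-01", "download", {"url": "https://drive.google.com/uc?id=EXAMPLE",
                                    "path": r"C:\Users\alice\Downloads\Photoshop2025_crack.zip"}),
    Event(T0 + timedelta(minutes=4), "WS-01", "defender", {"event_id": 5001}),
    Event(T0 + timedelta(minutes=6), "WS-01", "process",
          {"image": r"C:\Users\alice\Downloads\Photoshop2025_crack\setup.exe", "cmdline": "setup.exe"}),
    # WS-02: archive and execution, but Defender stayed on -> no alert
    Event(T0, "WS-02", "download", {"url": "https://www.dropbox.com/s/EXAMPLE/tool.zip?dl=1",
                                    "path": r"C:\Users\bob\Downloads\tool.zip"}),
    Event(T0 + timedelta(minutes=2), "WS-02", "process",
          {"image": r"C:\Users\bob\Downloads\tool\tool.exe", "cmdline": "tool.exe"}),
    # WS-03: Defender disabled during maintenance, no download -> no alert
    Event(T0, "WS-03", "defender", {"event_id": 5001}),
    # WS-04: chain where the user ran the cmdlet from the tutorial before extracting
    Event(T0, "WS-04", "download", {"url": "https://dropbox.com/s/EXAMPLE/roblox_cheat.rar?dl=1",
                                    "path": r"C:\Users\carol\Downloads\roblox_cheat.rar"}),
    Event(T0 + timedelta(minutes=1), "WS-04", "process",
          {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}),
    Event(T0 + timedelta(minutes=3), "WS-04", "process",
          {"image": r"C:\Users\carol\Downloads\roblox_cheat\loader.exe", "cmdline": "loader.exe"}),
]


def find_lure_chains():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in find_lure_chains():
        print(alert)
```

Requiring all three stages keeps the rule quiet on an admin who legitimately pauses real-time protection (WS-03) and on ordinary archive downloads (WS-02), while still firing whether the disablement shows up as the Defender log event or as the cmdlet on a command line.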

A Web of Deception

To create a veneer of trust, the network employs a modular structure with different types of accounts. "Video-accounts" upload the malicious content and provide links in descriptions or comments. "Post-accounts" publish community messages, and "Interact-accounts" leave likes and comments to boost the videos' credibility. This role-based system allows for rapid replacement of banned accounts, ensuring operational continuity. Some of these videos have garnered hundreds of thousands of views, making the malicious content appear popular and safe.

Malware Families and Tactics

The malware distributed through this network includes various information stealers such as Lumma Stealer, Rhadamanthys Stealer, StealC Stealer, RedLine Stealer, and Phemedrone Stealer, along with Node.js-based loaders. Threat actors are increasingly repurposing legitimate platforms like YouTube, GitHub, and even TikTok for malware distribution, a trend exemplified by the "Stargazers Ghost Network" on GitHub and "ClickFix" techniques on TikTok.

Protecting Yourself

Users are advised to exercise extreme caution. Key protective measures include:

  • Official Sources Only: Download software exclusively from official websites or trusted app stores.

  • Security Software: Never disable antivirus or other security protections, even if prompted.

  • Skepticism: Be highly skeptical of offers that seem too good to be true.

  • Channel Verification: Do not solely rely on subscriber counts; verify channel authenticity through posting history and consistent content.

  • Immediate Action: If you suspect a malware infection, disconnect from the internet, run a full system scan, and change passwords for critical accounts.

While Google has removed many of the identified videos, the adaptable nature of these "Ghost Networks" means new threats are likely to emerge. Staying vigilant and informed is the best defense against such sophisticated cyber threats.

Sources

  • 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation, The Hacker News.

  • Researchers Uncover Massive YouTube Scam Network, FindArticles.

  • Don't be fooled by this massive YouTube scam network - how to protect yourself, ZDNET.
