YouTube Ghost Network - Malware Distribution Network via YouTube

Recently, security researchers from Check Point warned about a dangerous malware distribution network through the world's largest online video-sharing platform, YouTube. Known as the YouTube Ghost Network, this network has been active since early 2021 and has released over 3,000 videos on the platform. Most of these videos are related to game cheats/cracks, software, or disabling security measures, with an estimated 500,000 victims to date.
Detailed Information
In recent years, as information technology has kept changing and developing, cybercriminals have adapted and refined their tactics in increasingly sophisticated ways to find more effective methods of delivering malware to users. Although phishing emails remain the most common and widely used method, their effectiveness has decreased significantly thanks to modern security measures and growing user awareness.
Recently there has been a notable shift, with hackers abusing sponsored Google ads or SEO (Search Engine Optimization) tricks to promote fake websites. This new tactic exploits the trust users place in ads or top search results, so users are easily lured to malicious websites set up by hackers. A typical example of this shift is the fake GitHub campaign that spread the AMOS information-stealing malware to macOS users, as reported by FPT IS Security at the end of September.
Cybersecurity experts from Check Point Research have recently identified another shift by hackers: an "invisible network" operating on YouTube, the world's largest online video-sharing platform. Emerging around early 2021, this network has released over 3,000 videos to date, mainly related to game cheats/cracks, software, or disabling operating system security measures. Check Point, which tracks this network under the name YouTube Ghost Network, reports that although 2025 is not yet over, the number of malicious videos released by the network this year has already tripled compared to previous years. This indicates the growing effectiveness of this distribution method and poses a new challenge for cybersecurity in general.

The Development of YouTube Ghost Network
YouTube Ghost Network is essentially a collection of malicious user accounts and channels on YouTube. These accounts abuse platform features such as videos, YouTube Shorts, extended video descriptions and community posts to promote illegal content and manipulate users into installing malware.
Most of this network consists of YouTube accounts that have been hacked and taken over, with each account assigned a specific operational role within the channels. This allows the malware distribution process to run smoothly and efficiently: accounts that YouTube detects and bans can be replaced within the system without disrupting overall activity.

The overall structure of this network can be divided into three main roles:
Video-Account: Responsible for uploading harmful videos, providing links to fake software containing malware in the video description, and guiding users on how to install and use these dangerous programs. To increase user trust, this account often interacts with comments below the video, ready to act as an IT helpdesk for any questions or issues that arise during the installation of the distributed malware.
Post-Account: Responsible for posting messages and articles on the community tab. These accounts often share third-party download links and provide extraction passwords for downloaded files. A common feature of these accounts is that they continuously update new links and extraction passwords, with some even using AI to interact with comments below the harmful videos.
Interact-Account: Responsible for boosting engagement on harmful videos. These accounts comment, like, and pose as ordinary users interacting with the posts, making the harmful content appear safe and trustworthy to viewers.
During the investigation, analysts noticed that the links provided by these account groups often redirect users to online file storage and sharing services such as MediaFire, Dropbox, or Google Drive. This tactic has existed for a long time and is widely used to distribute illegal software over the internet because of its convenience. Alongside it, researchers also found cases of redirection to malicious websites hosted on platforms such as Google Sites, Blogspot, or Telegraph. These websites are often hidden behind shortened URLs, are filled with malicious ads, and require users to pass dozens of captcha verification steps before they can download the software they are looking for.

This distribution method mainly spreads notorious information-stealing malware such as Lumma, Rhadamanthys, StealC, RedLine and 0debug. The operators also distribute NodeJS-based loaders and downloaders to diversify the ways they infect, persist on and hide within victim systems. Check Point's report further indicates that the network primarily exploits game-related topics: videos with keywords related to game hacks/cheats make up nearly 70% of all harmful videos distributed by the YouTube Ghost Network, with Roblox being the most targeted game.
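As an added defender-side example (not code from the Check Point report or from FPT), the following Python heuristic rates a video description or community post by the indicators described above: a shortened URL, a link to a file-sharing host or a free hosting page, an extraction password for the archive, instructions to turn off security software, and game-cheat lure keywords. The shortener list, the mapping of "Telegraph" to telegra.ph, the scoring weights and the sample posts are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse
# Host categories named in the report. The shortener list is an assumption
# (the article names none); "Telegraph" is assumed to mean telegra.ph.
FILE_HOSTS = ("mediafire.com", "dropbox.com", "drive.google.com")
PAGE_HOSTS = ("sites.google.com", "blogspot.com", "telegra.ph")
SHORTENERS = ("bit.ly", "tinyurl.com", "cutt.ly", "rb.gy")  # assumed examples
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PASSWORD_RE = re.compile(r"\b(?:pass(?:word)?|pw)\s*[:=]\s*\S+", re.I)
DISABLE_AV_RE = re.compile(
    r"\b(?:disable|turn\s+off|pause)\b[^.\n]{0,40}"
    r"\b(?:antivirus|defender|real[- ]time protection|smartscreen)\b", re.I)
LURE_RE = re.compile(r"\b(?:crack(?:ed)?|cheat|hack|aimbot|free\s+download)\b", re.I)

def host_matches(host: str, domains) -> bool:
    # True if host equals a listed domain or is a subdomain of it
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_url(url: str) -> str:
    """Map a URL to one of the hosting categories the report describes."""
    host = (urlparse(url).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    if host_matches(host, SHORTENERS):
        return "shortener"
    if host_matches(host, FILE_HOSTS):
        return "file_host"
    if host_matches(host, PAGE_HOSTS):
        return "free_page"
    return "other"

def score_description(text: str) -> dict:
    """Collect the report's indicators from a description/post and rate it."""
    urls = URL_RE.findall(text)
    kinds = {classify_url(u) for u in urls}
    hits = {"shortener": "shortener" in kinds, "file_host": "file_host" in kinds,
            "free_page": "free_page" in kinds,
            "archive_password": bool(PASSWORD_RE.search(text)),
            "disable_av": bool(DISABLE_AV_RE.search(text)),
            "lure_keywords": bool(LURE_RE.search(text))}
    # Each indicator counts once; AV-disable and archive password count twice.
    score = sum(hits.values()) + hits["disable_av"] + hits["archive_password"]
    risk = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"urls": urls, "indicators": hits, "score": score, "risk": risk}

# Constructed sample texts (not real posts) in the style the report describes.
SAMPLE_POST = ("Roblox aimbot 2025 FREE DOWNLOAD\nLink: https://bit.ly/example-tool\n"
               "Mirror: https://www.mediafire.com/file/example/tool.zip\nPassword: 1234\n"
               "Turn off Windows Defender before extracting or the file gets deleted.")
BENIGN_POST = "Full tutorial on the official site: https://example.com/docs"
```

Run over description text pulled from a channel, the "high" bucket is the set a moderator or SOC analyst would review first; the thresholds are illustrative and should be tuned on real data.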
Mitigation & Recommendations
The continuous development and change in malware distribution tactics show how adaptable and creative today's hackers are, allowing them to bypass outdated traditional security defenses with ease. While email phishing remains a common method, the emergence of new tactics like the YouTube Ghost Network shows how easily users can be exposed to cybersecurity risks. To protect themselves, the FPT Threat Intelligence team recommends that users:
Use official software: Only install and use software from the publisher's official website. Do not use software downloaded from unfamiliar websites on the internet. Never use cracked software or unauthorized cheat tools of unknown origin.
Use modern security measures: Install and use antivirus software. Never disable security software, and never download or run tools that disable it. Additionally, users in organizations or businesses can combine this with 24/7 security monitoring solutions to detect and promptly respond to any unusual activity in the system.
Use multi-factor authentication: Enable multi-factor authentication (MFA) for all important accounts and systems. Set strong passwords for these accounts and change them regularly. Users should also promptly apply security patches for the operating system and any software on the system.
Enhance personal awareness: The human element is the most important factor, and the weakest link, in the success of any security solution. Users need to stay aware of the latest attack methods, recognize the social engineering signs used by hackers, and detect and avoid potential cybersecurity risks early.