A long-running cyber campaign called the YouTube Ghost Network, uncovered by Check Point researchers, has used thousands of hijacked YouTube accounts to distribute malware disguised as game cheats and pirated software. Active since 2021, the operation has uploaded over 3,000 malicious videos, with activity tripling in 2025 before Google intervened to remove most of them.
The attackers structured the operation into three account roles: “video-accounts” that post infected tutorials, “post-accounts” that share external malicious links, and “interact-accounts” that like and comment to create fake engagement and credibility. Compromised channels, some with over 100,000 subscribers, were used to lure users into downloading trojanized files hosted on services like Dropbox, Google Drive, and MediaFire.
These videos delivered info-stealing malware families such as Rhadamanthys, Lumma, StealC, RedLine, and Phemedrone, often concealed behind shortened URLs. The campaign demonstrates how threat actors weaponize trusted social platforms to maintain continuity and scale even when individual accounts are banned.
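The traits described above (cheat/crack lures, shortened links pointing at file-hosting services, and "interact-accounts" that repeat the same praise across many videos) are the kind of signals a platform abuse or brand-protection team would screen for. The script below is an added example written for this article, not code from Check Point or Google: the indicator lists, the scoring thresholds and all sample descriptions and comments are constructed assumptions, and a hit is a triage signal for human review rather than proof of compromise.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Indicator lists are assumptions for this example; they mirror the campaign's
# traits (cheat/crack lures, shortened links, file-hosting payloads) rather
# than any list published by the researchers.
LURE_TERMS = re.compile(r"\b(cheats?|cracks?|cracked|keygen|free download|activator)\b", re.I)
SHORTENER_HOSTS = ("bit.ly", "tinyurl.com", "cutt.ly", "rb.gy")
FILE_HOST_HOSTS = ("dropbox.com", "drive.google.com", "mediafire.com")
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)


def _matches(host: str, suffixes) -> bool:
    """True when host equals, or is a subdomain of, any listed suffix."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def triage_description(text: str) -> Verdict:
    """Score a video description on the lure-plus-hidden-link pattern."""
    v = Verdict()
    if LURE_TERMS.search(text):
        v.score += 1
        v.reasons.append("lure wording")
    hosts = URL_RE.findall(text)
    if any(_matches(h, SHORTENER_HOSTS) for h in hosts):
        v.score += 1
        v.reasons.append("shortened link")
    if any(_matches(h, FILE_HOST_HOSTS) for h in hosts):
        v.score += 1
        v.reasons.append("file-hosting link")
    return v


def coordinated_commenters(comments, min_videos: int = 3) -> list:
    """Return accounts that post the same (normalised) comment on at least
    min_videos distinct videos, the behaviour described for interact-accounts.
    comments is an iterable of (account, video_id, text) tuples."""
    by_account = defaultdict(lambda: defaultdict(set))
    for account, video_id, text in comments:
        # Collapse case and punctuation so "Works great!!" == "works great"
        key = re.sub(r"\W+", " ", text.lower()).strip()
        by_account[account][key].add(video_id)
    flagged = [acct for acct, texts in by_account.items()
               if any(len(vids) >= min_videos for vids in texts.values())]
    return sorted(flagged)


# Constructed sample data: none of these are real channels, accounts or links.
SAMPLE_DESCRIPTIONS = {
    "vid1": "Free aimbot CHEAT for 2025, 100% working! Download: https://bit.ly/xxxx",
    "vid2": "Full tutorial on setting up the SDK. Docs: https://example.com/docs",
    "vid3": "Cracked version, password 1234. https://www.mediafire.com/file/abc",
}
SAMPLE_COMMENTS = [
    ("bot_a", "vid1", "Works great, thanks!!"),
    ("bot_a", "vid3", "works great thanks"),
    ("bot_a", "vid4", "Works great... thanks"),
    ("bot_b", "vid1", "Confirmed working"),
    ("real_user", "vid2", "Step 3 fails on Windows 11 for me"),
]

if __name__ == "__main__":
    for vid, desc in SAMPLE_DESCRIPTIONS.items():
        verdict = triage_description(desc)
        print(vid, verdict.score, verdict.reasons)
    print("coordinated:", coordinated_commenters(SAMPLE_COMMENTS))
```

Run as-is, vid1 scores 2 (lure wording plus a shortened link), vid2 scores 0, vid3 scores 2 (lure wording plus a file-hosting link), and only `bot_a` is flagged for coordinated commenting. The shortener check is deliberately offline: resolving the short URL to its destination would be the natural next step, but that belongs in a sandboxed resolver rather than in a triage script.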
Check Point warned that these “Ghost Networks” represent a major step forward in platform-based malware distribution, exploiting audience trust and engagement metrics to make cyberattacks appear convincing and safe.