Google has removed more than 3,000 videos from YouTube that distributed infostealers disguised as cracked software and game cheats. Check Point researchers, who dubbed the campaign the YouTube Ghost Network, report that it has been active since 2021 and surged in 2025, when the number of malicious videos tripled.
According to the researchers, the attackers hijacked legitimate YouTube accounts and used them to post tutorials promising free pirated copies of Photoshop and FL Studio, as well as cheats and hacks for Roblox. Instead of the promised software, victims received the Rhadamanthys and Lumma stealers, which exfiltrated credentials and cryptocurrency wallet data.
The YouTube Ghost Network used thousands of fake and compromised accounts acting in coordination, with each account playing a fixed role: some posted the videos carrying malicious links, others inflated likes and comments to create the illusion of genuine activity, and still others spread links to those videos through YouTube’s Community posts.
“This campaign exploited trust signals (views, likes, comments) to make malicious content appear safe,” say Check Point specialists. “What looks like a helpful tutorial turned out to be a carefully engineered cyber trap.”
Users who took the bait were instructed to disable their antivirus and download an archive from Dropbox, Google Drive, or MediaFire. Instead of the expected software, the archive contained malware that, once launched, stole the victim’s data and sent it to the attackers’ servers. The instruction to switch off antivirus is there because the payload would otherwise be flagged at extraction or launch; together with a file-host link and an archive password it is one of the more reliable tells of this lure.
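The lure pattern described above (crack/cheat keywords, a file-host download link, an archive password, a "disable your antivirus" instruction) and the manufactured social proof described earlier (bursts of near-duplicate comments) can be turned into a simple triage heuristic. The following Python is an added example, not Check Point's or Google's tooling; the video descriptions, comment streams, thresholds and indicator names are all constructed for illustration, and the regexes are a starting point rather than a complete signature set.

```python
"""Triage heuristics for YouTube-style video metadata (added example).

Scores a video description and its comment stream for the Ghost Network lure
pattern. Inputs are constructed samples; thresholds are illustrative.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# File hosts named in the article, plus Google Sites (used for the phishing pages).
FILE_HOSTS = ("dropbox.com", "drive.google.com", "mediafire.com", "sites.google.com")

URL = re.compile(r"https?://[^\s)\]]+", re.I)
AV_DISABLE = re.compile(
    r"\b(disable|turn off|switch off|pause)\b[^.\n]{0,40}?"
    r"\b(antivirus|anti-virus|windows defender|defender|real-?time protection)\b", re.I)
ARCHIVE_PASSWORD = re.compile(r"\b(password|pass|pw)\s*[:=]\s*\S+", re.I)
LURE_TERMS = re.compile(
    r"\b(crack(ed)?|keygen|pre-?activated|free download|cheats?|hacks?|aimbot|executor)\b", re.I)


def description_indicators(text: str) -> list[str]:
    """Return the lure indicators present in a video description, in fixed order."""
    hits = []
    links = URL.findall(text)
    if any(host in link.lower() for link in links for host in FILE_HOSTS):
        hits.append("file_host_link")
    if AV_DISABLE.search(text):
        hits.append("disable_av_instruction")
    if ARCHIVE_PASSWORD.search(text):
        hits.append("archive_password")
    if LURE_TERMS.search(text):
        hits.append("crack_or_cheat_lure")
    return hits


def _normalize(text: str) -> str:
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", text.lower()).split())


def comment_burst(comments, window: timedelta = timedelta(hours=1)):
    """comments: iterable of (datetime, author, text).

    Returns (max comments inside any `window`, share of the single most common
    normalized comment text). Both are high when comments are being farmed.
    """
    comments = list(comments)
    if not comments:
        return 0, 0.0
    times = sorted(t for t, _, _ in comments)
    best, j = 0, 0
    for i in range(len(times)):              # sliding window over sorted timestamps
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    counts = Counter(_normalize(text) for _, _, text in comments)
    share = counts.most_common(1)[0][1] / len(comments)
    return best, share


def triage(description: str, comments, min_burst: int = 10, min_dup_share: float = 0.5):
    """Combine description and comment indicators into a verdict (hypothetical labels)."""
    reasons = description_indicators(description)
    burst, share = comment_burst(comments)
    if burst >= min_burst:
        reasons.append("comment_burst")
    if share >= min_dup_share:
        reasons.append("duplicate_comments")
    if "file_host_link" in reasons and len(reasons) >= 3:
        verdict = "likely_lure"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, reasons


# --- constructed samples -----------------------------------------------------
BASE = datetime(2025, 6, 1, 12, 0)
LURE_DESCRIPTION = (
    "Adobe Photoshop 2025 FREE - cracked + pre-activated, no key needed!\n"
    "Download: https://www.mediafire.com/file/EXAMPLE/Photoshop_2025.zip\n"
    "Password: 1234\n"
    "IMPORTANT: turn off your antivirus / Windows Defender before extracting, "
    "it gives a false positive."
)
# 12 comments inside 22 minutes, 8 of them the same text: farmed social proof.
LURE_COMMENTS = [
    (BASE + timedelta(minutes=2 * i), f"user{i}",
     "Works great, ty!!!" if i < 8 else f"thanks bro {i}")
    for i in range(12)
]
BENIGN_DESCRIPTION = (
    "Photoshop layer masks explained. Project files: "
    "https://github.com/example/masks-tutorial\n"
    "Chapters: 0:00 intro, 2:10 masks, 7:45 cleanup"
)
BENIGN_COMMENTS = [
    (BASE + timedelta(days=i), f"viewer{i}",
     f"Question about step {i}: does this work with smart objects?")
    for i in range(6)
]

if __name__ == "__main__":
    print(triage(LURE_DESCRIPTION, LURE_COMMENTS))
    print(triage(BENIGN_DESCRIPTION, BENIGN_COMMENTS))
```

The description check and the comment-stream check are deliberately separate: a single cracked-software video with a file-host link is common enough to warrant only review, whereas the same video backed by a burst of duplicate comments is the coordinated pattern the researchers describe and is worth escalating.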
The researchers report that one compromised channel with 129,000 subscribers posted a video promoting a cracked version of Adobe Photoshop that gathered nearly 300,000 views and over 1,000 likes. Another compromised channel targeted cryptocurrency users, redirecting them to phishing pages hosted on Google Sites.
The most popular lures were Roblox cheats; videos offering cracked versions of Microsoft Office, Lightroom, and other Adobe tools were also common.
The operators regularly rotated payloads and updated download links, staying ahead of video and account takedowns and building a resilient ecosystem that recovers quickly from account suspensions. For defenders this means that blocking a single archive hash or download URL has little lasting effect; the recurring elements of the lure (the description template, the file hosts, the instruction to disable antivirus) are the more durable indicators.
This modular design, with separate uploaders, commenters, and link distributors, allowed the YouTube Ghost Network to operate for years. Check Point notes similarities between this campaign and the Stargazers Ghost Network, discovered on GitHub last year, which uses thousands of fake developer accounts to host malicious repositories.
“In today’s threat landscape, a popular video can be just as dangerous as a phishing email,” experts say. “This underscores that even trusted platforms are not immune to abuse.”
Check Point analysts could not attribute the campaign. The thousands of malicious videos appear to be the work of financially motivated cybercriminals, but the researchers note that the same tactic could also appeal to state-sponsored actors and be used for attacks against specific targets.