Vectored Overloading: New “Ghost Network” Hijacks YouTube to Deploy Stealthy GachiLoader
Check Point researchers have uncovered a new campaign dubbed the YouTube Ghost Network—a web of hijacked YouTube accounts used to distribute malware disguised as game cheats and pirated software. At the heart of the operation is an unusual Node.js–based loader and a previously undocumented Windows injection technique that allows malicious code to masquerade as legitimate system libraries.
The infection chain follows a familiar pattern. Attackers take over YouTube accounts and publish videos promoting cheats and “cracks.” In the video descriptions, viewers are urged to download an archive allegedly containing the software, are given a password, and are strongly advised to disable Windows Defender. According to the researchers, more than a hundred such videos were identified, amassing roughly 220,000 views. The campaign began as early as December 2024 and persisted for over nine months, until some of the videos were removed following reports to YouTube. Even so, the operators continue to upload new content via other compromised accounts.
Delivery of the main payload relies on a custom loader dubbed GachiLoader. Written in JavaScript and packaged into an executable using the nexe project—which embeds the Node.js runtime—the loader appears as a large file, sometimes reaching 90 MB. Its size helps it blend in, resembling a conventional installer. Internally, however, the code is heavily obfuscated and packed with checks designed to detect sandboxes and virtual machines: it inspects available memory, CPU core count, user and host names, running processes, and even disk and GPU models via WMI.
If the loader determines it is running in an analysis environment, it simply stalls, endlessly issuing HTTP requests to legitimate sites such as LinkedIn or Twitter. On a real system, GachiLoader attempts to elevate privileges through a standard UAC prompt—often successfully, as the user believes they are installing legitimate software. Once elevated, the malware weakens Windows defenses by adding exclusions for critical directories and file extensions.
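The Defender-weakening step described above is one of the more reliably observable points in the chain. The following detection logic is an added example written for this article; it is not code from Check Point or from the campaign's report. It assumes the exclusions are added through the Windows Defender `Add-MpPreference` / `Set-MpPreference` cmdlets (the real parameters are `-ExclusionPath`, `-ExclusionExtension` and `-ExclusionProcess`; the article does not say which mechanism the loader uses, so treat that as an assumption) and runs over Sysmon-style process-creation events that are constructed inline. The scoring heuristics (parent process in a user-writable directory, high integrity level after UAC, broad paths, executable extensions) are this example's own choices.

```python
"""Triage Sysmon-style process-creation events for Defender exclusion tampering.

Added example, not code from the article or the report it summarises.
Sample events below are constructed for this demonstration.
"""
import re
from dataclasses import dataclass, field

# Matches the Defender configuration cmdlets that can add exclusions (real cmdlets).
EXCLUSION_CMD_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Captures -ExclusionPath/-ExclusionExtension/-ExclusionProcess and their
# comma-separated, optionally quoted values. Commas inside quoted values are
# not handled (simplification for this example).
EXCLUSION_ARG_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+"
    r"((?:\"[^\"]*\"|'[^']*'|[^\s,]+)(?:\s*,\s*(?:\"[^\"]*\"|'[^']*'|[^\s,]+))*)",
    re.IGNORECASE,
)
# Parent processes living in user-writable locations (heuristic, assumption).
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.IGNORECASE)
# Exclusion paths broad enough to blind Defender to whole areas of the system.
BROAD_PATH_RE = re.compile(
    r"^[A-Za-z]:\\?$|\\(Users|AppData|Temp|ProgramData|Windows|Program Files)(\\|$)",
    re.IGNORECASE)
RISKY_EXTENSIONS = {".exe", ".dll", ".node", ".js", ".ps1", ".bat", ".cmd", ".scr"}

# Constructed Sysmon-style events (Event ID 1 fields, simplified).
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\CheatInstaller.exe",
     "integrity": "High",
     "cmdline": r'powershell -nop -w hidden Add-MpPreference -ExclusionPath '
                r'"C:\Users\alice\AppData" -ExclusionExtension ".exe",".node"'},
    {"pid": 4121,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "integrity": "Medium",
     "cmdline": "powershell Get-MpPreference"},
    {"pid": 4122, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe", "integrity": "High",
     "cmdline": r'cmd /c "C:\Program Files\Vendor\tool.exe" --quiet'},
]


@dataclass
class Finding:
    pid: int
    score: int
    reasons: list = field(default_factory=list)
    exclusions: dict = field(default_factory=dict)


def parse_exclusions(cmdline: str) -> dict:
    """Return the exclusion values per kind found in a command line."""
    found = {"Path": [], "Extension": [], "Process": []}
    for kind, values in EXCLUSION_ARG_RE.findall(cmdline):
        for value in values.split(","):
            value = value.strip().strip("\"'")
            if value:
                found[kind.capitalize()].append(value)
    return found


def assess_event(event: dict):
    """Score one event; None when no exclusion is being added."""
    cmdline = event["cmdline"]
    if not EXCLUSION_CMD_RE.search(cmdline):
        return None
    exclusions = parse_exclusions(cmdline)
    if not any(exclusions.values()):
        return None  # Add/Set-MpPreference without exclusion arguments
    finding = Finding(pid=event["pid"], score=1,
                      reasons=["Defender exclusion added via MpPreference cmdlet"],
                      exclusions=exclusions)
    if USER_WRITABLE_RE.search(event["parent_image"]):
        finding.score += 2
        finding.reasons.append("parent process runs from a user-writable directory")
    if event.get("integrity") == "High":
        finding.score += 1
        finding.reasons.append("high integrity level (post-UAC elevation)")
    if any(BROAD_PATH_RE.search(p) for p in exclusions["Path"]):
        finding.score += 1
        finding.reasons.append("exclusion covers a broad system or profile directory")
    if any(e.lower() in RISKY_EXTENSIONS for e in exclusions["Extension"]):
        finding.score += 1
        finding.reasons.append("exclusion covers executable file extensions")
    return finding


def triage(events: list) -> list:
    """Return findings for all events, highest score first."""
    findings = [f for f in (assess_event(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score}")
        for reason in f.reasons:
            print("  -", reason)
        print("  exclusions:", f.exclusions)
```

In a real pipeline the same rule would be applied to Sysmon Event ID 1 or Windows Security 4688 records, and the parsed exclusion list is what makes the alert actionable: a responder can immediately remove the specific paths and extensions that were whitelisted rather than reviewing the whole Defender configuration.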
The subsequent stages vary by loader variant. In one scenario, GachiLoader contacts a command-and-control server, transmits system information, and receives a link to the next stage: an executable containing the Rhadamanthys infostealer, disguised as popular applications like KeePass or Google Drive. In another variant, the loader drops an additional module, kidkadi.node, which embeds the final malicious payload.
This module proved particularly noteworthy. It implements a novel PE injection technique the researchers call Vectored Overloading, which abuses Windows’ Vectored Exception Handling mechanism. In essence, the loader creates an in-memory image of a malicious executable “bound” to a legitimate DLL, then uses hardware breakpoints and exception interception to hijack system function execution. Windows believes it is loading a benign library—such as amsi.dll—while in reality it executes malicious code directly from memory. This approach complicates detection and partially delegates initialization work to the Windows system loader itself.
According to the report’s authors, the campaign vividly illustrates how threat actors are increasingly leveraging unconventional platforms like Node.js and delving deep into Windows internals to evade defenses. For users, the lesson remains unchanged: offers to download “free” cheats, trainers, and cracked software continue to be among the most reliable vectors for infection, and the implicit trust placed in popular platforms like YouTube is being actively exploited for criminal ends.