YouTube Ghost Network: 3,000 Fake Videos Used to Spread Malware
Amid the declining effectiveness of traditional malware delivery channels, cybercriminals are increasingly turning to platforms never intended for such purposes. The Check Point Research team has uncovered a vast, distributed network of malicious YouTube accounts, dubbed the YouTube Ghost Network. This ecosystem functions as a fully fledged malware distribution infrastructure, leveraging fake and compromised accounts to upload videos, post links, and generate fabricated audience engagement.
The investigation identified over 3,000 videos spreading malicious software disguised as cracked games or pirated versions of popular applications. The most frequently observed were fake installers for Adobe Photoshop and FL Studio, with one video amassing nearly 300,000 views. Researchers noted that the network has been active since 2021, but in 2025, the volume of uploaded malicious videos tripled compared to previous years — a clear sign of the campaign’s escalating scale and effectiveness.
The network operates on a role-based model. Accounts are divided into three categories: some upload videos containing malicious links, others post passwords and archive files in the Community tab, while a third group bolsters credibility by commenting on and liking malicious content. The embedded links often redirect users to third-party file-sharing sites or phishing pages masquerading as legitimate services. Shortened URLs and password-protected archives are commonly employed to evade automated security scans.
Among the detected malware families, information stealers dominate—malware designed to harvest credentials and personal data. Until spring 2025, Lumma Stealer was the most prevalent, but following its temporary shutdown, the focus shifted to Rhadamanthys, whose latest variants continue to be distributed under the guise of popular applications. One example cited by researchers involves a YouTube account with tens of thousands of subscribers, used to propagate fake copies of Adobe Photoshop and Premiere Pro, exhibiting an exceptionally low detection rate by antivirus software.
A defining feature of the Ghost Network is its resilience to takedowns. Even when individual accounts are removed, new ones swiftly replace them, preserving the network’s functionality. Frequent command-and-control server rotations, regular malware file updates, and the use of numerous simultaneous distribution channels make these campaigns remarkably durable and difficult to eradicate.
According to the report’s authors, such operations exploit psychological triggers of trust—from positive user comments to step-by-step “installation” guides instructing victims to temporarily disable antivirus protection. The primary targets remain gamers seeking cheats and users looking for pirated software, particularly fans of Roblox and Adobe products such as Photoshop, Lightroom, and Premiere.
The investigation has already led to the removal of thousands of malicious videos, yet the researchers emphasize that the resilience of such networks demands continuous vigilance and collaboration among cybersecurity analysts, platforms, and law enforcement agencies. Beyond technical countermeasures, raising public awareness about the dangers of downloading software from unofficial sources remains a crucial defense.