A sophisticated and coordinated malware distribution operation, dubbed the “YouTube Ghost Network” by Check Point Research, has been actively exploiting YouTube’s features to promote malicious content and distribute information-stealing malware. Over 3,000 malicious videos associated with this network have been identified and reported, significantly reducing the immediate threat to users. This campaign highlights threat actors’ evolving strategies, notably a shift in malware preference following the disruption of the Lumma infostealer.
Active since at least 2021, the network has seen a substantial increase in activity, with the creation of malicious videos tripling in 2025 compared to previous years, according to Check Point Research. The operation primarily targets individuals seeking “Game Hacks/Cheats” and “Software Cracks/Piracy,” categories known to attract a large number of potential victims. The most frequently distributed malware within this network consists of information-stealers (infostealers), initially Lumma and subsequently Rhadamanthys, posing significant risks to user credentials and sensitive data.
The YouTube Ghost Network operates through a collection of often-compromised accounts, manipulating platform engagement mechanisms to disguise malicious activities. These accounts adopt specific roles to maintain operational continuity and facilitate stealthier distribution. “Video-accounts” upload phishing videos and include descriptions with links to purported software downloads. “Post-accounts” publish community messages and posts containing external download links and passwords for password-protected archives. Finally, “Interact-accounts” endorse malicious content by posting positive comments or liking videos and posts, thereby cultivating a false sense of trust among viewers as observed by researchers.
Malware is typically delivered via external links that redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites, Blogspot, or Telegraph. Threat actors frequently employ shortened URLs to obscure the true destination of these links. Victims are often instructed to temporarily disable security software like Windows Defender during the purported installation process, making their systems more vulnerable to infection, as detailed in the analysis. This tactic mirrors the evasion techniques seen in other malware campaigns, such as those discussed in our article SleepyDuck Malware Redefines C2 Resilience with Ethereum Blockchain.
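The lure pattern described above (file-sharing or phishing-page hosts, shortened URLs, an archive password in the post, and an instruction to switch off Windows Defender) can be turned into a simple triage heuristic for video descriptions and community posts. The following is an added example, not code from Check Point Research; the shortener list and the sample posts are constructed assumptions.

```python
import re

# Hosts the write-up names as download sources / phishing-page hosts.
FILE_HOSTS = ("mediafire.com", "dropbox.com", "drive.google.com")
PAGE_HOSTS = ("sites.google.com", "blogspot.com", "telegra.ph")
# Assumed list of common URL shorteners (not taken from the report).
SHORTENERS = ("bit.ly", "tinyurl.com", "cutt.ly", "is.gd", "rb.gy", "t.ly")

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
DISABLE_AV_RE = re.compile(
    r"\b(disable|turn\s*off|pause)\s+(your\s+)?(windows\s+)?(defender|antivirus|av)\b", re.I)
PASSWORD_RE = re.compile(r"\b(pass(word)?|pw)\s*[:=]\s*\S+", re.I)
LURE_RE = re.compile(r"\b(crack(ed)?|keygen|cheat|hack|free\s+download|activator)\b", re.I)

# "Disable your AV" is the strongest single signal; a file host alone is normal for creators.
WEIGHTS = {"disable_av": 4, "archive_password": 2, "shortener": 2,
           "file_host": 2, "page_host": 2, "crack_lure": 1}


def _host_in(host: str, domains) -> bool:
    """Exact or subdomain match, so 'notdropbox.com' does not match 'dropbox.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_description(text: str) -> dict:
    """Score one video description or community post for Ghost Network lure traits."""
    hosts = [m.group(1).lower() for m in URL_RE.finditer(text)]
    hits = {
        "file_host": any(_host_in(h, FILE_HOSTS) for h in hosts),
        "page_host": any(_host_in(h, PAGE_HOSTS) for h in hosts),
        "shortener": any(_host_in(h, SHORTENERS) for h in hosts),
        "disable_av": bool(DISABLE_AV_RE.search(text)),
        "archive_password": bool(PASSWORD_RE.search(text)),
        "crack_lure": bool(LURE_RE.search(text)),
    }
    indicators = sorted(k for k, v in hits.items() if v)
    score = sum(WEIGHTS[k] for k in indicators)
    verdict = "likely_lure" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "indicators": indicators, "verdict": verdict}


# Constructed sample posts (not real content) mimicking the patterns described above.
SAMPLE_LURE = """Adobe Photoshop 2025 FREE DOWNLOAD (cracked, works 100%)
Download: https://bit.ly/EXAMPLE-ID
Password: 1234
IMPORTANT: turn off Windows Defender before installing or it will delete the file!"""
SAMPLE_BENIGN = """Official tutorial: layer masks in Photoshop.
Project files: https://drive.google.com/file/d/EXAMPLE-ID
Chapters: 0:00 intro, 2:10 masks"""

if __name__ == "__main__":
    for name, text in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_description(text))
```

The weights are illustrative; in practice they would be tuned against a labelled sample of descriptions, and a "likely_lure" verdict should feed a reporting queue rather than an automatic takedown.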
Prior to its disruption, the Lumma infostealer was the most frequently distributed malware within this network. Between March 16 and May 16, 2025, Europol, in collaboration with Microsoft, executed an operation that disrupted Lumma Stealer, which Europol described as “the world’s most significant infostealer threat” according to a Europol press release. This joint effort identified over 394,000 Windows computers globally infected by Lumma malware. The operation dismantled Lumma’s technical infrastructure, cutting off communications between the malicious tool and victims, and redirected more than 1,300 domains to Microsoft sinkholes.
The United States Department of Justice (DOJ) seized the Lumma control panel, and Microsoft collaborated with Japan’s Cybercrime Control Center (JC3) to suspend Lumma infrastructure in Japan, Europol reported.
Following the disruption of Lumma, researchers observed a strategic shift in threat actor tactics, with Rhadamanthys becoming the preferred infostealer distributed through the YouTube Ghost Network, Check Point Research noted. Campaigns observed include the distribution of Rhadamanthys v0.9.2 and instances where HijackLoader delivered the Rhadamanthys infostealer. These campaigns utilize frequent updates to both payloads and command-and-control (C2) infrastructure, often every three to four days, specifically to evade reputation-based detection mechanisms and prolong their effectiveness, according to Check Point Research. This adaptability mirrors the evolving strategies employed by other cybercriminal groups, such as the Aisuru botnet, which is shifting to residential proxies for AI data harvesting, as covered in our recent article Aisuru Botnet Shifts to Residential Proxies for AI Data Harvesting.
The network’s targeting strategy focuses on content appealing to high-engagement user groups. For example, malicious videos targeting Adobe Photoshop garnered up to 293,000 views and 54 comments, while those targeting FL Studio accumulated 147,000 views, the report indicates. While the “Game Hacks/Cheats” category contained a greater number of videos, the “Software Cracks/Piracy” category generated significantly higher view counts. It is important to note that the use of cracked software is illegal, and such software often contains hidden malware.
The ongoing evolution of malware distribution methods, exemplified by the YouTube Ghost Network, underscores the adaptability of threat actors in bypassing conventional security defenses. Collaborative efforts between security researchers, platform providers, and law enforcement, combined with continuous user education regarding unofficial software sources, remain essential to mitigate these evolving threats.