**Full Report:** Check Point helps exorcise vast 'Ghost Network' that used fake tutorials to push infostealers. Google has taken down thousands of YouTube videos that were quietly spreading password-stealing malware disguised as cracked software and game cheats.…

**Analysis Summary**
# Google and Check Point nuke massive YouTube malware network
## Key Points
- Google has taken down over 3,000 malicious YouTube videos spreading password-stealing malware disguised as cracked software.
- The "YouTube Ghost Network" relied on fake and compromised accounts to make malicious content look legitimate, using trust signals like views, likes, and comments.
- Threat actors used the network to push infostealers such as Rhadamanthys, using gaming cheats, particularly for Roblox, as the lure.
- The campaign's surge in 2025 marks a shift in how malware is being distributed, with attackers exploiting mainstream platforms' social credibility.
## Threat Actors
- Attribution not available; primary beneficiaries appear to be cybercriminals motivated by profit.
## TTPs
- Use of fake and compromised accounts to manufacture trust signals.
- Abuse of YouTube's engagement features (views, likes, comments) to make malicious content appear safe.
- Rotation of payloads and updating of download links to outpace takedowns.
## Affected Systems
- YouTube
- Roblox
## Mitigations
- Regularly monitor YouTube for suspicious activity, such as videos offering cracked software or cheats with download links.
- Ensure antivirus software is enabled and up to date.
- Be cautious of videos promising cracked software or gaming cheats, as the downloads they point to may be malware-laced.
## Conclusion
The "YouTube Ghost Network" operation highlights the evolving threat landscape, where attackers are exploiting mainstream platforms' social credibility to bypass user skepticism. This takedown demonstrates that trusted platforms can be weaponized, but with intelligence and partnerships, pushback is possible.