YouTube, the most popular and visited platform for entertainment, education, and tutorials, has recently become a target of a new malware distribution network known as the ‘Ghost Network.’ Check Point Research has uncovered more than 3,000 entries on YouTube that have been spreading information-stealing malware. These videos are disguised as free software and game hacks, tricking users into opening them and allowing attackers to steal sensitive data. The videos have been crafted to appear legitimate, featuring fake comments, likes, and community engagement that mimic genuine activity on the platform.
The network has been active since 2021, with Check Point noting a significant increase in activity in 2025. The operators use stolen accounts and fake social proof to manipulate users into engaging with these malicious videos. When users click the links shared with these videos, they are often directed to file-sharing services that host password-protected archives. The password protection keeps antivirus tools from scanning the archive contents, and the accompanying instructions often tell users to disable Windows Defender before installation, leaving their systems defenceless against the malware.
Check Point’s investigation revealed that the majority of the attacks deliver malware such as Lumma Stealer, Rhadamanthys, StealC, and RedLine. These programs are capable of stealing passwords, browser data, and other sensitive information, which is then sent to the attacker’s command and control servers. The network’s structure is highly modular and role-based; each compromised YouTube account has a specific function, whether it’s uploading malware, posting download links, or boosting credibility through comments and likes. This modularity allows the network to remain operational even after targeted take-downs on YouTube.
Two major campaigns have been identified by Check Point. The first involved a channel with nearly 10,000 subscribers and targeted users looking for cryptocurrency-related content. The channel used phishing pages on Google Sites to distribute malicious archives, which often instructed users to temporarily disable Windows Defender, a red flag for malware. The second campaign, which involved a larger channel with 129,000 subscribers, offered cracked versions of Adobe software products and other tools. This campaign tricked users into downloading the malware, which was hidden inside a password-protected archive.
Even if users never complete the installation, they can still be at risk. Visiting the phishing or file-hosting sites may expose them to malicious scripts or credential theft prompts, potentially leading to data breaches. Check Point researchers emphasized that the Ghost Network thrives on user curiosity and trust, exploiting the desire for free software and game hacks to distribute malware. To protect against these threats, users are advised to install antivirus software, be cautious about clicking suspicious links, and avoid disabling their security programs. Additionally, ensuring that all systems are up to date and implementing strong password practices are essential steps in securing one’s digital presence.
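A defender-side check that a host is not sitting in the "Defender turned off" state that these archives instruct victims to create, as an added example and not code from Check Point or the report. It assumes a Windows 10/11 host with the built-in Defender PowerShell module, an elevated shell, and a 7-day look-back window chosen here.

```powershell
# Added example (not Check Point's code): audit a Windows host for the Defender
# "turned off" state that Ghost Network archives instruct victims to create.
# Assumes Windows 10/11 with the built-in Defender PowerShell module and an
# elevated shell; the look-back window is an arbitrary choice.

$LookBackDays = 7   # assumption: how far back to search the Defender event log

# 1. Current protection state (Get-MpComputerStatus / Get-MpPreference fields)
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

$findings = @()
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is OFF' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is OFF (settings can be changed by scripts)' }
if ($prefs.DisableRealtimeMonitoring)       { $findings += 'DisableRealtimeMonitoring preference is set' }

# 2. Recent "protection disabled" events from the Defender operational log:
#    5001 = real-time protection disabled, 5010/5012 = malware/virus scanning disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-$LookBackDays)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Keep only the first line of the message so the report stays one line per event
    $findings += ('{0:u}  event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}

# 3. Report
if ($findings.Count -eq 0) {
    Write-Output "Defender state looks intact; no disable events in the last $LookBackDays days."
} else {
    Write-Output 'Defender tampering indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A host that reports real-time protection off, or a 5001 event shortly before an archive was extracted, is the point at which the infostealers named above get their window, so the check is most useful run from a scheduled task or an EDR script, not once by hand.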