Google specialists removed over 3,000 videos from YouTube that spread malware disguised as cracked software and video game cheats.
The YouTube Ghost Network: How Check Point Research Helped Take Down 3,000 Malicious Videos Spreading Malware

A sophisticated malware distribution campaign leveraging over 3,000 malicious YouTube videos has been uncovered, targeting users seeking pirated software and game cheats.
The YouTube Ghost Network represents a coordinated ecosystem of compromised accounts that exploit platform features to distribute information-stealing malware while creating false trust through fabricated engagement.
Active since 2021, the network has dramatically escalated operations in 2025, with malicious video production tripling compared to previous years.
The campaign primarily focuses on two high-traffic categories: game modifications and cracked software applications.
The most viewed malicious video advertises Adobe Photoshop, accumulating 293,000 views and 54 comments, while another promoting FL Studio reached 147,000 views.
These videos direct victims to file-sharing platforms where password-protected archives containing malware await download. Common passwords include “1337” and “2025”, with instructions consistently advising users to disable Windows Defender before execution.
Check Point researchers identified the network’s operational structure, revealing three distinct account roles working in coordination.
Video-accounts upload deceptive content with download links embedded in descriptions or pinned comments.
Post-accounts maintain community messages containing external links and archive passwords, frequently updating them to evade detection.
Interact-accounts generate artificial legitimacy by posting encouraging comments and likes, manipulating victims into believing the software functions as advertised.
The distributed malware consists primarily of infostealers, with Lumma dominating until its disruption between March and May 2025.
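A triage heuristic for the lure pattern described above, added here as an example and not taken from Check Point's research or tooling. It combines the three text surfaces the account roles use (description, pinned comment, community post) and flags the co-occurrence of an external link, an archive password and an instruction to disable antivirus. The field names, regexes, verdict thresholds and the files.example host are assumptions.

```python
import re

# Heuristic patterns are assumptions for this example, not Check Point's rules.
URL_RE = re.compile(r"https?://[^\s)>\]]+", re.I)
PASSWORD_RE = re.compile(r"\b(?:password|pass|pw)\b\s*(?:[:=]|is\b)\s*(\S{1,32})", re.I)
AV_OFF_RE = re.compile(
    r"\b(?:disable|turn\s+off|deactivate)\b[^.\n]{0,40}?"
    r"\b(?:windows\s+defender|defender|antivirus|anti-virus)\b", re.I)
REPORTED_PASSWORDS = {"1337", "2025"}  # the two passwords named in the article

def assess(item):
    """Score one video using every text surface where the lure can be split up:
    description, pinned comment and community post (hypothetical field names)."""
    fields = ("description", "pinned_comment", "community_post")
    text = "\n".join(item.get(f, "") for f in fields)
    passwords = [p.strip(".,;\"'") for p in PASSWORD_RE.findall(text)]
    signals = {
        "external_link": bool(URL_RE.search(text)),
        "archive_password": bool(passwords),
        "disable_av_instruction": bool(AV_OFF_RE.search(text)),
    }
    score = sum(signals.values())
    # Telling a viewer to turn off protection next to a download link is the
    # strongest indicator; a link alone is normal for legitimate uploads.
    if signals["disable_av_instruction"] and signals["external_link"]:
        verdict = "high"
    elif score >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "score": score, "signals": signals,
            "reported_password": any(p in REPORTED_PASSWORDS for p in passwords)}

# Constructed samples (not real videos); files.example is a placeholder host.
SPLIT_LURE = {
    "description": "Photoshop full version, free! Get it: https://files.example/d/setup",
    "community_post": "New link is up. Archive password: 1337",
    "pinned_comment": "Works 100%. Disable Windows Defender before you run it.",
}
BENIGN = {"description": "Layer mask tutorial. Slides: https://www.example.com/slides"}
LINK_AND_PASSWORD = {"description": "Mod pack https://files.example/m pass: 2025"}

if __name__ == "__main__":
    for name, sample in [("split lure", SPLIT_LURE), ("benign", BENIGN),
                         ("link+password", LINK_AND_PASSWORD)]:
        print(name, assess(sample))
```

Scoring the fields together matters because the link, the password and the disable-Defender instruction can each sit in a different account's post, so no single field looks conclusive on its own.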










