A coordinated network of YouTube accounts has published more than 3,000 videos since 2021 that researchers say were used to promote links leading to malware downloads. Check Point researchers labelled the operation the YouTube Ghost Network and said the volume of such videos has tripled since the start of the year. Google removed a majority of the videos after the activity was reported.
According to the report, operators compromised legitimate channels and replaced their content with videos advertising pirated software and Roblox cheats, targeting users who search for those items. Some malicious uploads drew large audiences, with individual videos collecting roughly 147,000 to 293,000 views. Eli Smadja, security research group manager at Check Point, said the campaign exploited engagement signals such as views, likes and comments to make malicious content appear trustworthy.
Researchers described a role-based structure that assigns specific functions to accounts: video-accounts that upload phishing videos and provide links, post-accounts that publish community messages containing external links, and interact-accounts that like and post encouraging comments to lend credibility. Antonis Terefos, a security researcher cited in the analysis, said the structure allows banned accounts to be replaced rapidly without disrupting the wider operation.
The reported campaign directed users from video descriptions, pinned comments or community posts to file-hosting services and phishing pages that served installers or downloaders, with the links often obscured by URL shorteners. Check Point linked the activity to the distribution of multiple stealer families and Node.js-based loaders, and identified specific compromised channels that delivered loaders which in turn dropped other malware, including Rhadamanthys.
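The delivery chain described above (link planted in a description, pinned comment or community post, passed through a URL shortener, landing on a file host or phishing page that serves an installer) is the part a defender can triage mechanically. The script below is an added example, not code from Check Point or from the report: it pulls URLs out of constructed sample text for each placement, unwraps redirect chains through an injected resolver, and tags each hop as shortener, file host or direct payload. The shortener and file-host lists, the sample text and the redirect table are all assumptions built for the example; a real resolver would issue a HEAD request with redirects disabled and read the Location header rather than opening or executing anything.

```python
import re
from urllib.parse import urlparse

# Constructed sample text standing in for the three placements the report names.
# Every URL here is made up for the example.
SAMPLES = {
    "description": "Download here: https://bit.ly/3xmpl-crack  password 1234. "
                   "Official site https://www.example.org/about",
    "pinned_comment": "updated link -> https://tinyurl.com/roblox-exec",
    "community_post": "new version https://mega.nz/file/abcd1234#key  and mirror "
                      "https://example-files.net/setup.exe",
}

# Assumed allowlists of shortener and file-hosting domains; extend from your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "t.co"}
FILE_HOSTS = {"mega.nz", "mediafire.com", "drive.google.com"}
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".rar", ".7z", ".js")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed redirect table used in place of live resolution (offline, deterministic).
# A production resolver would return the Location header of a HEAD request with
# allow_redirects=False, never fetching or running the final file.
REDIRECTS = {
    "https://bit.ly/3xmpl-crack": "https://mediafire.com/file/xyz/Setup_2024.zip",
    "https://tinyurl.com/roblox-exec": "https://example-phish.net/landing",
    "https://example-phish.net/landing": "https://example-phish.net/dl/Executor.exe",
}


def extract_urls(text):
    """Return every http(s) URL in free text, trimming trailing punctuation."""
    return [u.rstrip(".,);") for u in URL_RE.findall(text)]


def unwrap(url, resolver, max_hops=5):
    """Follow a redirect chain via resolver(url) -> next URL or None; stops on loops/max_hops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def classify(url):
    """Tag a single hop by what role it plays in the delivery chain."""
    parsed = urlparse(url)
    host, path = parsed.netloc.lower(), parsed.path.lower()
    tags = []
    if host in SHORTENERS:
        tags.append("shortener")
    if host in FILE_HOSTS:
        tags.append("file-host")
    if path.endswith(PAYLOAD_EXT):
        tags.append("payload-ext")
    return tags


def triage(samples, resolver):
    """Extract, unwrap and tag every link per placement; flag chains ending at a download."""
    findings = []
    for placement, text in samples.items():
        for url in extract_urls(text):
            chain = unwrap(url, resolver)
            tags = set()
            for hop in chain:
                tags.update(classify(hop))
            # A link that lands on a file host or a direct installer/archive is the pattern
            # the report describes; a shortener in front of it raises confidence further.
            risky = "payload-ext" in tags or "file-host" in tags
            findings.append({"placement": placement, "url": url, "chain": chain,
                             "tags": sorted(tags), "risky": risky})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLES, REDIRECTS.get):
        print(f["placement"], "RISKY" if f["risky"] else "ok", f["tags"], " -> ".join(f["chain"]))
```

Running this against real channel data means swapping `REDIRECTS.get` for a network resolver and feeding it the text scraped from descriptions, pinned comments and community posts; the chain list is what you would hand to a blocklist or attach to an alert.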
Check Point said the Ghost Network pattern reflects a broader trend of adversaries repurposing legitimate platforms and engagement mechanisms to scale malware distribution and urged users to be cautious when downloading software linked from videos or third-party sites.