Google nukes 3,000 YouTube videos that sowed malware disguised as cracked software

Summary

Google, working with researchers at Check Point, removed more than 3,000 YouTube videos that were distributing information‑stealing malware disguised as cracked software and game cheats. The operation, dubbed the “YouTube Ghost Network,” abused hijacked and fake accounts to publish polished tutorial videos promising free copies of Photoshop, FL Studio, Roblox cheats and more. Victims were urged to disable antivirus software and download archives from cloud hosts (Dropbox, Google Drive, MediaFire) that contained infostealers such as Rhadamanthys and Lumma. The campaign, active since 2021, surged in 2025 and relied on a modular ecosystem of uploaders, commenters and link distributors to appear legitimate and to reconstitute quickly after takedowns.

Key Points

  • Check Point uncovered the “YouTube Ghost Network” that weaponised legitimate-looking tutorial videos to deliver infostealers.
  • Over 3,000 malicious videos were removed after Check Point and Google collaborated on takedowns.
  • Attackers used thousands of fake or compromised accounts to post videos, flood comments with praise, and share download links via community posts.
  • Typical lures included cracked Adobe tools, Microsoft Office, Lightroom, and especially game cheats for platforms like Roblox.
  • Victims were often told to disable antivirus and download archives from cloud storage; the payloads stole credentials, crypto wallets and system data.
  • The network was modular and resilient: operators rotated payloads and links to evade enforcement and regenerate banned accounts quickly.
  • Check Point has made no conclusive attribution; the campaign appears profit‑driven, but its methods could be repurposed by more capable actors.

Author style

Punchy: this is a big, practical win — but also a reminder. The takedown matters because it exposes how social signals (likes, comments, views) are now being weaponised as a delivery vector for malware. Read the detail if you want to understand the tactics defenders must watch for.

Why should I read this?

Want to avoid getting your passwords or crypto nicked? This is basically a how‑not‑to guide: polished videos can be traps. If you or your users ever download ‘cracked’ apps or follow tutorial links with cloud downloads, pay attention — it explains the scam, how it evaded removal for years, and why a single click can be costly. We’ve read it so you don’t have to sift through the technical report.

Context and relevance

The story highlights an important trend: attackers are leveraging mainstream social platforms and engagement signals to lower user suspicion and scale malware distribution. As phishing and drive‑by downloads decline, socially credible content (videos, developer pages, community posts) becomes an attractive vector. Organisations and individuals should strengthen user education, monitor for credential theft and suspicious cloud download workflows, and treat popular content with healthy scepticism — especially anything promising pirated software or game cheats.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/10/23/youtube_ghost_network_malware/