Mallory
6 malware families

YouTube Ghost Network

Also known as: youtube_ghost_network

YouTube Ghost Network is a malware distribution operation identified by Check Point Research. It abuses compromised YouTube accounts and bot activity to spread malware through malicious links placed in video descriptions. Check Point reported that the operation has been active since 2021, identified at least 3,000 malicious YouTube videos tied to it, and assessed that its content output tripled in 2025.

The operation prefers to compromise established YouTube accounts rather than create new ones, and organizes those accounts into three roles. Video accounts upload phishing videos and direct viewers to purported software downloads. Post accounts publish messages that share external download links and the passwords needed to open the downloads. Interact accounts add likes and positive comments so that the content appears legitimate to a viewer checking the video's engagement.

The campaign relies on social engineering and self-infection by the victim, who downloads and runs the lure themselves. It casts a wide net with lures centered primarily on video game cheats and hacks, followed by software cracks. Roblox is the most targeted game, and Adobe Photoshop and Adobe Lightroom are the most targeted products in the software-crack category.

Malware families observed in the operation include the infostealers Lumma and Rhadamanthys, as well as StealC, RedLine, Odebug, other Phemedrone variants, and NodeJS-based loaders and downloaders. GachiLoader has also been linked to a campaign associated with the YouTube Ghost Network. Check Point assessed the operation as evolving toward stealthier and more sophisticated malware distribution, and noted that future lures could be tailored to specific industries or enterprise software.
