YouTubeTA
YouTubeTA (short for “YouTube Threat Actor”) is a StealC malware-as-a-service operator/customer profiled by CyberArk Labs in 2025. The actor was observed using StealC infostealer campaigns with build IDs including “YouTube,” “YouTube2,” and “YouTubeNew.”

Reporting indicates the actor used YouTube-themed distribution, likely hijacking older legitimate YouTube channels with established subscribers using compromised credentials and planting malicious links. Victim screenshots associated with the actor’s StealC infrastructure showed users searching YouTube for cracked Adobe Photoshop and Adobe After Effects, and some observed activity suggested use of ClickFix-like fake CAPTCHA social engineering.

Panel data indicated the operation maintained over 5,000 victim logs containing roughly 390,000 stolen passwords and more than 30 million stolen cookies. The actor’s panel configuration included markers for studio.youtube.com, consistent with interest in hijacking YouTube creator accounts.

CyberArk assessed YouTubeTA was likely a single operator because the panel showed only one user (“Admin”) and fingerprinting was consistent across sessions. Observed fingerprints indicated use of an Apple Pro/M3-based device, English and Russian language support, and a GMT+0300 time zone. In mid-July 2025, a non-VPN panel access event exposed an IP associated with Ukrainian ISP TRK Cable TV, supporting only a limited attribution hypothesis of an Eastern European, likely Ukrainian-linked operator.

Alias: YouTubeTA.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Media & Entertainment
Where they're from
Attributed origin per open-source reporting.
- UA
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
- A StealC MaaS customer that distributes StealC via YouTube by promoting cracked software (e.g., Adobe Photoshop/After Effects), likely hijacking legitimate YouTube accounts to create a self-propagating distribution loop; also uses fake CAPTCHA lures to deliver the stealer.
- A StealC operator involved in credential theft and cookie theft, apparently using compromised YouTube channels and stolen studio.youtube.com credentials to distribute StealC and expand malware distribution.
- A StealC MaaS customer/operator running malware distribution campaigns via hijacked YouTube channels, using compromised credentials and malicious links to infect victims and steal credentials/cookies at scale.
- Single StealC MaaS operator running campaigns that abuse/hijack YouTube accounts and distribute StealC via YouTube content (e.g., cracked Adobe software lures), stealing credentials and cookies from victims and highlighting YouTube creator credentials (studio.youtube.com) for account takeover.