More than 3,000 YouTube videos offer malware disguised as free software
YouTube is possibly the most popular and visited entertainment, education and tutorial platform. There’s a video for everything on YouTube, whether you want to learn how to cook, ride a bike, or need help with work or school. But a recent Check Point investigation reveals a darker side: an extensive malware distribution network silently operating within the platform. Hackers are using compromised accounts, fake interactions, and clever social engineering to spread information-stealing malware hidden behind more than 3,000 software-crack and game-hack videos.
Most victims start by searching for free or cracked software, cheat tools or game hacks, and that search is the root of the infection chain. This curiosity about “free” software opens the door to the YouTube Ghost Network’s traps.
Cybercriminals are exploiting YouTube’s massive reach by disguising malware within fake “how-to” and “free software” videos. (Kurt “CyberGuy” Knutsson)
All about the YouTube ghost network
According to Check Point Research, the YouTube Ghost Network has been active since 2021, and its activity tripled in 2025. It is based on a simple but effective formula, combining social manipulation with technical stealth. The network’s primary targets are people searching for game cheats and cracked or pirated software.
Researchers found that these videos often feature positive comments, likes, and community posts from fake or compromised accounts. This coordinated engagement gives potential victims a false sense of security.
Fake social proof and fabricated likes, comments, and subscriber activity play a key psychological role. They trick viewers into believing the content is legitimate and widely trusted, allowing the operation to persist even when YouTube removes individual videos or channels. The modular structure of the network and the constant replacement of banned accounts mean that deletions are only effective temporarily.
Once a user clicks on the links provided, they are typically directed to file-sharing services or phishing sites hosted on Google Sites, MediaFire, Dropbox, or similar platforms. The linked downloads are usually password-protected archives, which antivirus tools cannot scan. Victims are then prompted to disable Windows Defender before installation, effectively switching off their own protection before running the malware.
Check Point found that most of these attacks deliver information-stealing malware such as Lumma Stealer, Rhadamanthys, StealC, and RedLine. These programs collect passwords, browser data, and other sensitive information and send it back to the attacker’s command-and-control servers.
What makes the network particularly resilient is its role-based structure. Each compromised YouTube account serves a function; some upload malicious videos, others post download links, and a third group increases credibility by commenting and liking the content. When an account is banned, it is quickly replaced, allowing the operation to continue virtually uninterrupted.
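The password-protected archives described above defeat antivirus scanning because the scanner cannot see the contents. A download gateway or mail filter can still detect that an archive is encrypted without extracting it, by reading the ZIP central directory. The following Python is an added example written for this article, not code from Check Point or the campaign; the sample archive it builds is constructed in memory, and because the standard library cannot write encrypted entries, the “protected” variant is simulated by setting the encrypted flag bit in the headers.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag marks an encrypted entry


def encrypted_entries(archive_bytes: bytes) -> list[str]:
    """Names of entries flagged as encrypted. Reads only the central directory,
    so nothing inside the archive is ever extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def is_password_protected(archive_bytes: bytes) -> bool:
    """True if any entry is encrypted, i.e. a scanner cannot inspect it."""
    return bool(encrypted_entries(archive_bytes))


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed sample ZIP for the demonstration (placeholder content, no real program).
    The encrypted variant is simulated by setting the flag bit in both the
    local file header and the central directory header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Setup.exe", b"MZ constructed placeholder, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # local file header: signature PK\x03\x04, flag field at offset 6
        local = data.index(b"PK\x03\x04")
        flag = struct.unpack_from("<H", data, local + 6)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, local + 6, flag)
        # central directory header: signature PK\x01\x02, flag field at offset 8
        central = data.index(b"PK\x01\x02")
        flag = struct.unpack_from("<H", data, central + 8)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, central + 8, flag)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_archive(False)),
                          ("protected", build_sample_archive(True))):
        verdict = "hold for manual review" if is_password_protected(sample) else "ok to scan"
        print(f"{label}: {verdict} {encrypted_entries(sample)}")
```

A gateway that quarantines archives this check flags, instead of passing them through unscanned, removes the cover the password gives the payload.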

A single click on a malicious link can disable your defenses and install information-stealing malware in seconds. (Kurt “CyberGuy” Knutsson)
Inside malicious campaigns
Two important campaigns stood out in Check Point’s investigation. The first involved the Rhadamanthys information stealer, spread through a compromised YouTube channel called @Sound_Writer, which had almost 10,000 subscribers.
The attackers uploaded fake cryptocurrency-related videos and used phishing pages on Google Sites to distribute malicious files. These pages instructed viewers to “temporarily disable Windows Defender,” assuring them that any security warning was a false alarm. The downloads contained executables that silently installed the Rhadamanthys malware, which connected to multiple command-and-control servers to exfiltrate stolen data.
The second campaign, involving HijackLoader and Rhadamanthys, leveraged a much larger channel, @Afonesio1, with around 129,000 subscribers. Here, attackers uploaded videos offering cracked versions of Adobe Photoshop, Premiere Pro, and FL Studio.
One of these videos garnered more than 291,000 views and dozens of glowing comments stating that the software worked perfectly. The malware was hidden inside a password-protected file linked through a community post. The installer used HijackLoader to drop the Rhadamanthys payload, which then connected to rotating command-and-control servers every few days to avoid detection.
Even if you never complete the installation, you may still be at risk. Simply visiting phishing or file-hosting sites can expose you to malicious scripts or credential-stealing messages disguised as “verification” steps. Clicking on the wrong link can compromise your login details before the software is even installed.

Strong passwords, two-factor authentication, and regular security scans are your best defense against YouTube Ghost Network. (Cyberguy.com)
7 Steps You Can Take to Stay Safe from YouTube Ghost Network
Ghost Network succeeds by exploiting curiosity and trust. It disguises malware as “freeware” or “game cheats,” relying on users to click before they think. Protecting yourself means adopting habits that make it harder for attackers to fool you. Here are seven steps to stay safe:
1) Avoid Cracked Software and Fraudulent Downloads
Most infections start when people try to download pirated or modified programs. These files are usually hosted on unregulated file-sharing websites where anyone can upload malicious content. Even if a YouTube video looks polished or full of positive comments, that doesn’t mean it’s safe. Official software developers and game studios never distribute downloads through YouTube links or third-party sites.
In addition to being dangerous, downloading cracked software also poses legal risks. Piracy violates copyright laws and can have serious consequences, while providing cybercriminals with a perfect distribution channel for malware.
2) Use a powerful antivirus
Make sure you have a reliable antivirus solution installed and always running. Real-time protection can detect suspicious downloads and block harmful files before they cause any damage. Schedule regular system scans and keep your antivirus updated so it can recognize the latest threats.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com
3) Never disable your antivirus or Windows Defender
If a tutorial or installer tells you to disable your security software, that’s a red flag. Malware authors use this trick to avoid detection. There is no legitimate reason to disable protection, even temporarily. The moment a file asks you to, delete it immediately.
4) Be careful with YouTube links and download sources
Always inspect links before clicking. Hover over them to check the destination and avoid shortened or redirected URLs that hide their true purpose. Downloads hosted on unknown domains or file-sharing sites should be considered unsafe. If you need software, get it directly from the official website or trusted open-source communities.
5) Use a password manager and enable two-factor authentication (2FA)
Enabling 2FA for important accounts adds another layer of protection, ensuring that even if someone gets your password, they won’t be able to access your account. Malware often aims to steal saved passwords and browser data. Storing credentials in a password manager keeps them encrypted and separate from your browser, making them harder to steal. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse.
Next, check to see if your email has been exposed in previous breaches. Our number one password manager (see CyberGuy.com) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at CyberGuy.com
6) Keep your operating system and applications updated
Software updates not only bring new features, they also fix security flaws that malware can exploit. Enable automatic updates for your system, browser, and commonly used applications. Staying up to date is one of the easiest ways to prevent infections.
7) Use a reliable data removal service
Even after securing your system, your personal information may already be circulating online due to previous breaches. A reliable data removal service can continually scan and request removal of your data from people-search and broker sites, making it difficult for cybercriminals to exploit your exposed information.
While no service can guarantee complete removal of your data from the Internet, a data removal service is a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leaked data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services, and get a free scan to find out if your personal information is already available on the web, by visiting CyberGuy.com
Kurt’s Key Takeaway
Cybercriminals have evolved beyond traditional phishing and email scams. By exploiting a platform built on trust and engagement, they have created a scalable and self-sustaining system for malware distribution. Frequent file updates, password-protected payloads, and rotating command-and-control servers make these campaigns difficult for both YouTube and security providers to detect and shut down.
Do you think YouTube is doing enough to stop the distribution of malware on its platform? Let us know by writing to us at CyberGuy.com
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.