A network of YouTube accounts has been observed promoting videos that lead viewers to download malware. To date, the network has published over 3,000 malicious videos, and the number of these videos has tripled since the beginning of the year. The campaign takes over hacked accounts and replaces their content with malicious videos focused on Roblox game cheats and pirated software.

Several of these videos have received between 147,000 and 293,000 views. It is currently unclear whether all of these videos and compromised accounts are the work of a single threat actor, or whether other cybercriminals can rent access to a distribution-as-a-service (DaaS) offering to distribute their own wares. The bulk of the network is made up of compromised YouTube accounts that are assigned particular operational roles once they are added.

Lumma Stealer, Rhadamanthys Stealer, and StealC Stealer are a few of the malware families that are disseminated through the YouTube Ghost Network. According to Check Point, "we have no clear evidence that there is a single threat actor — there could be multiple actors who have adopted this method of operation." According to a statement from the company, "the ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors." It continued, "These networks orchestrate large-scale, persistent, and highly effective malware campaigns by leveraging the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms." "Adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks," the report stated. Check Point's response was added to the report after it was published on October 28, 2025.