A sophisticated malware distribution campaign leveraging over 3,000 malicious YouTube videos has been uncovered, targeting users searching for pirated software and game cheats.
The YouTube Ghost Network represents a coordinated ecosystem of compromised accounts that exploit platform features to distribute information-stealing malware while creating false trust through fabricated engagement.
Active since 2021, the network has dramatically escalated operations in 2025, with malicious video production tripling compared to previous years.
The campaign primarily focuses on two high-traffic categories: game modifications and cracked software applications.
The most viewed malicious video advertises Adobe Photoshop, accumulating 293,000 views and 54 comments, while another promoting FL Studio reached 147,000 views.
These videos direct victims to file-sharing platforms where password-protected archives containing malware await download. Common passwords include "1337" and "2025", with instructions consistently advising users to disable Windows Defender before execution.
Check Point researchers identified the network's operational structure, revealing three distinct account roles working in coordination.
Video-accounts upload deceptive content with download links embedded in descriptions or pinned comments.
Post-accounts maintain community messages containing external links and archive passwords, frequently updating them to evade detection.
Interact-accounts generate artificial legitimacy by posting encouraging comments and likes, manipulating victims into believing the software functions as advertised.
The distributed malware consists primarily of infostealers, with Lumma dominating until its disruption between March and May 2025.
YouTube Ghost Network operation (Source – Check Point)
Following this takedown, threat actors pivoted to Rhadamanthys as their preferred payload. The latest Rhadamanthys variant (v0.9.2) communicates with command-and-control servers including hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n, exfiltrating credentials and sensitive user data.
Detection Evasion Through Technical Sophistication
The campaign employs multiple layers of evasion to bypass security measures and maintain persistence.
Attackers host files on legitimate platforms such as MediaFire, Dropbox, and Google Drive, exploiting user trust in these services.
Large archive files exceeding 189MB prevent automated virus scanning on Google Drive, while password protection blocks security solutions from analyzing their contents.
Shortened URLs conceal true destinations, and phishing pages hosted on Google Sites further legitimize the operation.
The malware infrastructure demonstrates rapid adaptability, with actors updating payloads every three to four days and rotating command-and-control servers with each release.
MSI installer files exhibit low detection rates, with recent samples evading 57 of 63 security vendors on VirusTotal.
Campaign updates carry timestamps indicating continuous operation, with recent variants compiled on September 21 and 24.
One analyzed archive contained HijackLoader as the initial payload, subsequently delivering Rhadamanthys with communication to hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3.
This short-lived build strategy prevents reputation-based blocking mechanisms from accumulating sufficient data to identify threats.
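Because the C2 servers rotate with every release, matching only the two gateway URLs quoted above goes stale within days. The following added example (not Check Point's code, and not from the original article) refangs the two published indicators and also matches the shared `/gateway/<token>.<token>` path shape, on the assumption that rotated servers keep that layout; the proxy log lines are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Defanged Rhadamanthys C2 URLs quoted in the article.
DEFANGED_C2 = [
    "hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n",
    "hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real URL for matching."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))

KNOWN_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_C2}

# Both published URLs share the shape /gateway/<token>.<token>. The length
# bounds are an assumption meant to skip ordinary paths like /gateway/index.html.
GATEWAY_PATH = re.compile(r"^/gateway/[a-z0-9]{6,12}\.[a-z0-9]{4,8}$")

def classify(url: str) -> Optional[str]:
    """Return 'known-c2', 'gateway-pattern', or None for a single URL."""
    parts = urlsplit(url)
    if parts.hostname in KNOWN_HOSTS:
        return "known-c2"
    if GATEWAY_PATH.match(parts.path):
        return "gateway-pattern"
    return None

# Constructed proxy log lines: "<timestamp> <src-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2025-09-24T10:01:02Z 10.0.0.15 POST https://94.74.164.157:8888/gateway/6xomjoww.1hj7n 200
2025-09-24T10:01:05Z 10.0.0.15 GET https://www.mediafire.com/file/abc123/setup.zip 200
2025-09-24T10:02:11Z 10.0.0.22 POST https://203.0.113.7/gateway/q9ue0h2b.7f3k1 200
2025-09-24T10:03:40Z 10.0.0.31 GET https://example.com/gateway/index.html 200
"""

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (source ip, url, verdict) for every line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits
```

The third sample line is a rotated host the indicator list does not know, and is caught only by the path pattern; the fourth shows a benign `/gateway/` path that the length bounds reject.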
