YouTube has removed more than 3,000 videos that were part of a large-scale malware distribution network operating through its platform, according to a new report by The Times of India citing findings from Check Point Research.
The operation, dubbed the YouTube Ghost Network, relied on a coordinated web of fake and compromised accounts to spread malicious software disguised as legitimate downloads. The network primarily distributed infostealers such as Rhadamanthys and Lumma, often embedded within tutorial-style videos offering cracked software, free tools, or gaming cheats.
Check Point Research uncovered the campaign following a year-long investigation and subsequently reported thousands of malicious videos to Google, which led to their removal and disrupted one of YouTube’s most persistent malware channels.
According to the researchers, the Ghost Network was not a collection of random uploads but a highly organised system designed to appear credible and trustworthy. Different sets of accounts played specific roles — some uploaded tutorial-style videos containing links to malware, others posted community updates with passwords and refreshed links, while a third group interacted with content through positive comments and likes to boost authenticity.
This structure made the network resilient, allowing it to regenerate quickly even after YouTube took down certain channels. The malicious campaigns often used cracked or pirated versions of popular software such as Adobe Photoshop, FL Studio, Microsoft Office, and game cheats for titles like Roblox as bait.
Victims were directed to download files from platforms including Dropbox, Google Drive, or MediaFire and were often instructed to disable Windows Defender before installation. These files, however, contained malware designed to steal login credentials, cryptocurrency wallets, and system information. The stolen data was sent to remote servers that frequently changed locations to avoid detection.
One channel with over 129,000 subscribers and nearly 300,000 views shared a fake cracked version of Adobe Photoshop, while another targeted cryptocurrency traders by directing them to phishing pages on Google Sites distributing the Rhadamanthys Stealer.
Despite YouTube’s removals, the attackers continually refreshed their links and updated malware variants, keeping parts of the infection chain alive.
Check Point Research said it collaborated with Google to take down more than 3,000 malicious videos, significantly reducing the network’s reach and impact. The firm added that this operation highlights how social media platforms continue to be exploited by cybercriminals for large-scale malware distribution campaigns.