More than 3,000 malicious YouTube videos were used to distribute infostealer malware, according to a new report detailing the operation. Dubbed the “YouTube Ghost Network” by Check Point Research, the large-scale malware distribution operation used fake and compromised YouTube accounts to distribute infostealers like Rhadamanthys and Lumma, the report said. Most of the videos have now been removed, but the malware operation has been active at least since 2021. Game hacks and cheats and software cracks and piracy were the most targeted categories. “It is important to emphasize that the use of cracked software is illegal and that such versions frequently contain hidden malware,” Check Point said. The most viewed malicious videos targeted Adobe Photoshop, with 293,000 views, and FL Studio, with 147,000 views.

Compromised YouTube Accounts Used to Spread Infostealer Malware

Much of the YouTube Ghost Network consists of compromised YouTube accounts that are assigned specific operational roles, such as uploading malicious videos or liking and commenting to create a false sense of trust in a compromised account. “This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation,” the report said. The most targeted game from the “Game Hacks/Cheats” category was Roblox, with 380 million monthly active users and about 111.8 million daily active users. In the “Software Cracks/Piracy” category, Adobe products are the main targets, led by Photoshop and Lightroom. External links in the video posts typically redirect users to file-sharing services such as MediaFire, Dropbox, or Google Drive, or to phishing pages hosted on platforms like Google Sites, Blogspot, or Telegraph (telegra.ph). Those pages then contain links to download the malicious software, and shortened URLs are often used to hide the real destination of the external link. The description of the videos follows a typical structure, with a download link and shared password. Step-by-step instructions often advise users to temporarily disable Windows Defender to avoid “a false alert.” “Don’t worry – the archive is clean,” assures one post after telling potential victims to temporarily disable Windows Defender. “Defender may trigger a false alert due to the way Setup.exe works with installations.” In most cases, the malware distributed is an infostealer. Lumma was initially the most distributed malware before its disruption, followed by Rhadamanthys, and the StealC and Redline infostealers have also been observed.

Compromised YouTube Accounts Distributed Malicious Pirated Photoshop

The report detailed two compromised YouTube channels and accounts. The YouTube channel @Sound_Writer, with 9,690 subscribers, published videos that were mainly focused on cryptocurrency software and gaming. “Our analysis indicates that this account has been compromised for over a year, as evidenced by the appearance of malicious videos that differ significantly from the channel’s previous content,” Check Point said. The account @Afonesio1, with approximately 129,000 subscribers, was compromised between December 3, 2024, and January 5, 2025, and has since uploaded four videos to distribute malware. One of the account’s most viewed videos, with 291,155 views and 54 positive comments, “was used to lure unsuspecting viewers into downloading and executing a cracked version of Adobe Photoshop.” Within the video’s description was a community message link and the password required to decompress the password-protected archive. The post “received approximately 1,200 likes and numerous positive comments praising the effectiveness of the software solution,” Check Point said. The shortened link in the post redirected users to Dropbox, where the file could be downloaded The archive contained a file named Adobe.Photoshop.2024.v25.1.0.120.exe, which is a cracked version of Adobe Photoshop. “It remains unclear whether the positive comments originate from real users who inadvertently infected themselves or from ghost accounts promoting the malicious software with AI comments,” the report said. “The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” Check Point concluded. “While email phishing remains a well-known and persistent threat, our research reveals that adversaries are increasingly shifting toward more sophisticated, platform-based strategies, most notably, the deployment of Ghost Networks. These networks leverage the trust inherent in legitimate accounts and the engagement mechanisms of popular platforms to orchestrate large-scale, persistent, and highly effective malware campaigns.”

The prolific threat actors behind the Lumma Stealer malware have been slowed by an underground doxxing campaign in recent months. Coordinated law enforcement action earlier this year didn’t do much to slow down the infostealer’s spread, but a recent doxxing campaign appears to have had an impact, according to researchers at Trend Micro. “In September 2025, we noted a striking decline in new command and control infrastructure activity associated with Lummastealer ... as well as a significant reduction in the number of endpoints targeted by this notorious malware,” threat analyst Junestherry Dela Cruz wrote in a recent post. Fueling the drop has been an underground exposure campaign targeting a key administrator, developer and other members of the group, which Trend tracks as “Water Kurita.”

Lumma Stealer Doxxing Campaign Began in August

The Lumma Stealer doxxing campaign began in late August and continued into October, and on September 17, Lumma Stealer’s Telegram accounts were also compromised. “Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications,” Dela Cruz wrote. “This development is pivotal, marking a substantial shake-up in one of the most prominent information stealer malware operations of the year. ... The exposure of operator identities and infrastructure details, regardless of their accuracy, could have lasting repercussions on Lummastealer’s viability, customer trust, and the broader underground ecosystem.” The disclosures included highly sensitive details of five alleged Lumma Stealer operators, such as passport numbers, bank account information, email addresses, and links to online and social media profiles, and were leaked on a website called "Lumma Rats." While the campaign may have come from a rival, Dela Cruz said “the campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.” “The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” Dela Cruz wrote. While the researcher noted that the accuracy of the doxed information hasn’t been verified, the accompanying decline in Lumma Stealer activity suggests that the group “has been severely affected—whether through loss of key personnel, erosion of trust, or fear of further exposure.”

Vidar, StealC Gain from Lumma Stealer’s Decline

Lumma Stealer’s decline has been a boon for rival infostealers like Vidar and StealC, Dela Cruz noted, “with many users reporting migrations to these platforms due to Lumma Stealer’s instability and loss of support.” Lumma’s decline has also hit pay-per-install (PPI) services like Amadey that are widely used to deliver infostealer payloads, and rival malware developers have stepped up their marketing efforts, “fueling rapid innovation and intensifying competition among MaaS [Malware as a Service] providers, raising the likelihood of new, stealthier infostealer variants entering the market,” Dela Cruz said. According to Cyble dark web data, Vidar and Redline are the infostealers most rivaling Lumma in volume on dark web marketplaces selling stolen credentials, with StealC, Acreed, Risepro, Rhadamanthys and Metastealer among other stealer logs commonly seen on the dark web. As for Lumma Stealer, Dela Cruz noted that being a top cybercrime group isn’t exactly a secure - pardon the pun - position to be in, as RansomHub found out earlier this year. “[B]eing number one means facing scrutiny and attacks from both defenders and competitors alike,” the researcher noted.