Game Hacks and Cheats - the Truth

  • Source: Dissecting YouTube’s Malware Distribution Network - Check Point Research (research by Antonis Terefos, @Tera0017), research.checkpoint.com


    The YouTube Ghost Network is a collection of malicious accounts operating on YouTube. These accounts take advantage of various platform features, such as videos, descriptions, posts (a lesser-known YouTube feature similar to a Facebook post) and comments to promote malicious content and distribute malware, while creating a false sense of trust. The majority of the network consists of compromised YouTube accounts, which, once added, are assigned specific operational roles. This role-based structure enables stealthier distribution, as banned accounts can be rapidly replaced without disrupting the overall operation.

    The description of such videos follows a typical “structure”, with a download link and password shared. Step-by-step instructions are often provided, commonly advising users to “temporarily” disable Windows Defender. In most cases, the malware distributed is an infostealer, designed to exfiltrate user information and credentials to a malicious command and control (C2) server.

    One video, which has garnered around 10,000 views, advertises cryptocurrency software and instructs viewers to follow a link provided in the description. This link redirects users to a phishing page hosted on sites.google.com, created by the threat actor, which also shares the password for a password-protected archive containing the malicious payload.

    During this campaign, the threat actor utilized two different platforms to host the same malicious file, providing redundancy and increasing stealth in case one instance was detected or reported. Another observed tactic is the upload of large files, which are often overlooked by automated scanning systems. Additionally, password-protected archives are used to evade inspection, as security solutions cannot decompress and analyze the contents without the password.

    Edited 6 times, last by VictorM (October 23, 2025 at 10:10 PM).
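The post describes two things a defender can check for mechanically: the lure pattern in a video description (download link, shared archive password, instruction to disable Windows Defender) and the archive tricks (password-protected ZIPs that scanners cannot open, oversized files that scanners skip). The script below is an added example written for this thread; it is not Check Point's tooling or anything from the research. The regexes, the size threshold, the sample description and the sample archive are all constructed assumptions. The archive check is metadata-only: traditional ZIP encryption leaves entry names and the encryption flag readable, so an encrypted archive with an `.exe` inside can be routed to manual review even when its contents cannot be decompressed.

```python
"""Triage helpers for the description-plus-password-protected-archive lure.
Added example for this thread; not Check Point's code. All thresholds,
regexes and sample data are constructed assumptions."""
import io
import re
import struct
import zipfile

# Indicators taken from the post's description of the lure: a download link,
# a shared archive password and advice to disable Windows Defender. The
# regexes themselves are assumptions and deliberately loose.
DESCRIPTION_INDICATORS = {
    "download_link": re.compile(r"https?://\S+", re.I),
    "archive_password": re.compile(r"\bpass(?:word)?\s*[:=]\s*\S+", re.I),
    "disable_defender": re.compile(
        r"(?:turn\s*off|disable)\s+(?:windows\s+)?defender", re.I),
}

# Constructed sample description in the shape the post describes.
SAMPLE_DESCRIPTION = """Free crypto trading bot 2025!
Download: https://example.invalid/files/bot.zip
Password: 1234
Step 2: temporarily disable Windows Defender before running Setup.exe"""

# Assumed cut-off above which many automated scanners skip content inspection.
LARGE_FILE_BYTES = 100 * 1024 * 1024


def score_description(text: str) -> dict:
    """Return which indicators matched; all three together is the lure pattern."""
    matched = {name: bool(rx.search(text)) for name, rx in DESCRIPTION_INDICATORS.items()}
    matched["lure_pattern"] = all(matched[name] for name in DESCRIPTION_INDICATORS)
    return matched


def inspect_archive(data: bytes) -> dict:
    """Metadata-only look at a ZIP: encrypted entries cannot be content-scanned,
    but their names and the encryption flag are still visible."""
    info = {"size": len(data), "large": len(data) >= LARGE_FILE_BYTES,
            "encrypted_entries": [], "executable_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            # General-purpose bit 0 = traditional PKWARE password encryption.
            if zi.flag_bits & 0x1:
                info["encrypted_entries"].append(zi.filename)
            if zi.filename.lower().endswith((".exe", ".scr", ".bat", ".dll")):
                info["executable_entries"].append(zi.filename)
    info["needs_manual_review"] = bool(info["encrypted_entries"]) or info["large"]
    return info


def build_sample_encrypted_zip() -> bytes:
    """Constructed sample: a plain ZIP whose headers are patched to set the
    encryption flag, so metadata inspection sees a password-protected archive.
    The entry body is harmless text; no real encryption is performed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Setup.exe", b"not a real program")
    data = bytearray(buf.getvalue())
    # Flag field sits at offset 6 in the local file header (PK\x03\x04)
    # and at offset 8 in the central directory entry (PK\x01\x02).
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", data, pos + off)[0]
            struct.pack_into("<H", data, pos + off, flags | 0x1)
            pos = data.find(sig, pos + 1)
    return bytes(data)


if __name__ == "__main__":
    print(score_description(SAMPLE_DESCRIPTION))
    print(inspect_archive(build_sample_encrypted_zip()))
```

Run it as-is to see the constructed description flagged as the full lure pattern and the constructed archive flagged for manual review because its only entry is an encrypted `.exe`. In practice the description scoring would run over scraped video metadata and the archive check over files landing in a download quarantine; the size flag is only as good as the threshold you set for your own scanners.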
