FindArticles © 2025. All Rights Reserved.

Researchers Uncover Massive YouTube Scam Network

Last updated: October 26, 2025 10:40 am
By Gregory Zuckerman

Security researchers have exposed a sprawling YouTube scam that weaponizes tutorial-style videos to push malware at scale. Branded the YouTube Ghost Network by Check Point Research, the operation spans more than 3,000 videos and has been described by investigators as one of the largest malware campaigns seen on the platform.

How the YouTube Ghost Network Operates at Scale

The lure is simple and familiar: videos promising cracked software and game cheats. Targets include popular names like Adobe Photoshop, FL Studio, and Microsoft Office, alongside hacks for games such as Roblox. Each video walks viewers through “easy” steps, then points them to a password-protected archive hosted on services like Google Drive or Dropbox, with instructions to disable Microsoft Defender before extracting.


That move is the tell. Disabling security tools is framed as a workaround for “false positives” on pirated software, but it clears the way for malware. Check Point’s analysis ties the payloads to well-known information stealers, including Rhadamanthys and Lumma, which can siphon browser passwords, cookies, session tokens, system fingerprints, and even crypto wallet data. Multiple security labs, from Kaspersky to Recorded Future, have documented how these families monetize stolen credentials at scale through underground markets.

The distribution backbone is a mix of fake and hijacked YouTube accounts that upload videos, post archive passwords, and seed comments to make the content appear trustworthy. In one example cited by researchers, a compromised channel with roughly 129,000 subscribers pushed a “free Photoshop” video that amassed about 291,000 views. Fraudulent ad buys have also steered viewers to these videos, a malvertising tactic that continues to challenge platforms and advertisers.


Why Takedowns Are Hard for Platforms to Sustain

The Ghost Network is modular by design. There are uploaders, commenters, link hosts, and disposable domains, all of which can be rotated quickly. When a channel is banned, another pops up; when a link dies, mirrors appear. Check Point previously profiled a similar playbook on GitHub (the so-called Stargazers Ghost Network), and investigators have observed related tactics on TikTok, where “ClickFix” tricks coax users into running malicious commands themselves. Resilience through redundancy is the point.

Red Flags You Can Spot Immediately on YouTube

  • Requests that you disable antivirus or SmartScreen.
  • Prompts to download a password-protected archive.
  • Instructions to run installers as administrator.
  • Channels with sparse histories or sudden pivots to “free full version” content.
  • Comment sections flooded with “works 100%” praise.
  • Pinned passwords, shortened links, or Telegram invites.
  • Mismatched file names, such as an installer far too small for the real application.
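Two of these flags, the password-protected archive and the undersized installer, can be checked without extracting anything, because a ZIP's central directory lists entry names, sizes and the per-entry encryption flag in the clear. The sketch below is an added example, not code from Check Point or the article; it covers ZIP only, the extension list and size threshold are assumptions, and the sample archive is constructed by setting the flag bit on a harmless file rather than by real encryption.

```python
import io
import struct
import zipfile

# Extensions treated as executable content (illustrative assumption, not exhaustive).
RISKY_EXT = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".dll", ".lnk")

def triage_zip(data, min_installer_bytes=50_000_000):
    """Read only the ZIP central directory; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # General-purpose flag bit 0 marks an entry as encrypted (password required).
    encrypted = sorted(i.filename for i in infos if i.flag_bits & 0x1)
    risky = {i.filename: i.file_size for i in infos
             if i.filename.lower().endswith(RISKY_EXT)}
    # The size threshold is an assumed stand-in for "far too small for the real app".
    undersized = sorted(n for n, size in risky.items() if size < min_installer_bytes)
    return {
        "encrypted": encrypted,
        "risky": sorted(risky),
        "undersized": undersized,
        # An encrypted executable cannot be scanned before the user opens it.
        "high_risk": any(name in encrypted for name in risky),
    }

def make_sample(encrypted):
    """Build a harmless constructed ZIP; optionally set the encryption flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"constructed placeholder, not a real program")
        zf.writestr("readme.txt", b"constructed sample")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        # Flags field sits 8 bytes into each central directory header.
        flags = struct.unpack_from("<H", raw, pos + 8)[0]
        struct.pack_into("<H", raw, pos + 8, flags | 0x1)
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

if __name__ == "__main__":
    print(triage_zip(make_sample(encrypted=True)))
```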

How to Protect Yourself on YouTube from Malware

  • Do not download cracked software; get apps from official sites or trusted stores.
  • Keep Microsoft Defender and reputation-based protection enabled.
  • Turn on Tamper Protection and apply updates promptly.
  • Use a standard (non-admin) account for daily use.
  • Consider application control features like Smart App Control on Windows or an allowlist approach for software installs.
  • Before opening any file, scan it with a reputable service such as VirusTotal.
  • Check the digital signature when available.
  • Verify a channel’s authenticity: look for a long posting history, consistent content, and links to official websites.
  • When in doubt, test unknown files in a sandbox or virtual machine you can reset.
  • Password managers, passkeys, and 2FA can limit damage if credentials are ever exposed.

If You Already Clicked a Suspicious YouTube Link

  • Disconnect from the internet.
  • Run a full system scan with Microsoft Defender or another trusted endpoint tool.
  • Remove suspicious startup items and browser extensions.
  • Clear cookies and sessions.
  • Change passwords for email, banking, and social accounts.
  • Enable multifactor authentication everywhere.
  • Revoke active sessions in Google, Microsoft, and other key services.
  • If you handled crypto keys, migrate funds to new wallets.
  • In cases of persistent compromise, back up essential data and perform a clean OS reinstall.

What Platforms And Advertisers Should Do

  • Throttle reach for brand-new channels pushing executable downloads.
  • Flag common social-engineering phrases (such as instructions to disable security).
  • Scan archive contents at the edge.
  • Harden ad screening to blunt malvertising that funnels viewers to these traps.
  • Heed guidance from organizations such as Google’s Threat Analysis Group and CISA: better detection plus rapid user reporting creates the fastest path to disruption.
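The phrase flagging suggested here, combined with the text-based red flags listed earlier (disable-antivirus requests, pinned passwords, file-host and shortened links, "works 100%" comment floods), can be expressed as a small weighted rule set over a video's description and comments. This is an added example, not Check Point's or YouTube's detection logic; the patterns, weights, threshold and sample texts are all constructed assumptions.

```python
import re

# Patterns and weights are illustrative assumptions based on the article's
# red-flag list; they are not any platform's real detection rules.
F = re.I | re.S
RULES = {
    "disable_security": (5, re.compile(
        r"\b(disable|turn\s+off|deactivate)\b.{0,40}?"
        r"\b(defender|anti-?virus|smartscreen|real-?time protection)\b", F)),
    "archive_password": (3, re.compile(r"\b(password|pass|pw)\s*[:=-]\s*\S+", F)),
    "file_host_link": (2, re.compile(
        r"https?://(drive\.google\.com|(www\.)?dropbox\.com)/", F)),
    "shortener_or_telegram": (2, re.compile(
        r"https?://(bit\.ly|tinyurl\.com|t\.me)/", F)),
    "crack_lure": (2, re.compile(
        r"\b(crack(ed)?|free full version|cheats?|hacks?)\b", F)),
    "run_as_admin": (2, re.compile(r"\brun\b.{0,30}?\bas\s+admin(istrator)?\b", F)),
}
PRAISE = re.compile(r"\bworks?\s+100\s*%", re.I)

def score_video(description, comments=()):
    """Return (score, sorted rule names) for one video's text metadata."""
    hits = {name for name, (_, rx) in RULES.items() if rx.search(description)}
    score = sum(RULES[name][0] for name in hits)
    # A comment section dominated by near-identical praise is its own signal.
    praise = sum(1 for c in comments if PRAISE.search(c))
    if praise >= 3 and praise / len(comments) >= 0.5:
        hits.add("praise_flood")
        score += 2
    return score, sorted(hits)

def should_review(score, threshold=7):
    """Default threshold: 'disable security' plus any one other signal reaches it."""
    return score >= threshold

# Constructed sample inputs (not taken from real videos).
LURE_DESC = ("Adobe Photoshop free full version! Download: "
             "https://drive.google.com/file/d/CONSTRUCTED-ID/view Password: 1234. "
             "Turn off Windows Defender before extracting, "
             "then run setup.exe as administrator.")
LURE_COMMENTS = ["works 100% thanks", "Works 100%!!", "work 100 % legit",
                 "this is a virus, do not install"]
BENIGN_DESC = "Ten Roblox building hacks, no downloads needed. Keep your antivirus on."

if __name__ == "__main__":
    for desc, comments in ((LURE_DESC, LURE_COMMENTS), (BENIGN_DESC, [])):
        score, hits = score_video(desc, comments)
        print(should_review(score), score, hits)
```

The benign sample still trips the lure-word rule on "hacks", which is why a single weak signal stays below the review threshold.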

The Bottom Line on YouTube Ghost Network Scams

Check Point has reported the Ghost Network to Google and many videos have been removed, but copycats and replacements are inevitable. Treat “free” software pitches on video platforms as a security hazard, assume password-protected archives hide trouble, and never disable your defenses for a download. The simplest strategy is still the most effective: stay skeptical, stay updated, and stay away from cracks and cheats.

Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.