Phish-Tube
YouTube is informational, entertaining and widely used for both. It’s simple to use, both as a viewer and as an uploader, and that low barrier to entry is also why it has become a hotbed of misinformation, deepfake generative-AI media and phishing campaigns.
Check Point Research has uncovered over 3,000 malicious videos linked to what it calls the YouTube Ghost Network, a malware distribution campaign. According to the report, the Ghost Network has been in operation since 2021, although this year has seen a sharp increase in uploads. The videos are usually promoted as game cheats and cracked software, two popular social-engineering lures, and the downloads they push drop info-stealers onto the victim’s machine.
The Ghost Network runs on a three-role operational model: video uploaders, post publishers, and interaction boosters. The uploader accounts host the malicious videos; they are the front-facing bait of the campaign and the first step toward infection, instructing viewers to disable Windows Defender before running the download. The post accounts publish ‘community updates’ that carry the links to the malware, hosted on a secondary site such as Dropbox or Google Drive. The interaction boosters leave fake reviews and positive comments to build trust in the ‘product’. Combined, this is a textbook example of how social engineering works: people love a popular thing, and are willing to trust it without question if they see others doing so.
A sophisticated evasion technique is in play as well: the payloads are shared as password-protected archives, with the password given in the post, the comments or the video walkthrough, so antivirus engines cannot inspect the contents before the victim extracts them. This is not a brute-force attack, but rather a campaign that entices users to do the infecting themselves.
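The two paragraphs above describe a recognisable lure pattern: a file-host link in a post or comment, an archive password, an instruction to disable Windows Defender, and a crack or cheat as the hook. Below is an added example, not from the Check Point report or from this post, of a small Python heuristic that scores a piece of post or comment text for that pattern. The two sample posts are constructed for illustration, and the host list, keyword lists and score weights are my own assumptions rather than anything the report specifies.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Dropbox and Google Drive are the hosts named in the report; mediafire.com is
# an assumed addition for illustration, not something the report lists.
FILE_HOSTS = ("dropbox.com", "drive.google.com", "mediafire.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# "Password: 1234", "pass=abc", "pw: x" -- the archive password handed out in the text
PASSWORD_RE = re.compile(r"\b(?:pass(?:word)?|pw)\s*[:=]\s*\S+", re.IGNORECASE)
# "turn off Windows Defender", "disable your antivirus", within one sentence
DISABLE_AV_RE = re.compile(
    r"\b(?:disable|turn\s+off|switch\s+off|pause)\b[^.\n]{0,40}"
    r"\b(?:windows\s+defender|defender|antivirus|anti-virus|real[- ]time protection|smartscreen)\b",
    re.IGNORECASE,
)
LURE_RE = re.compile(
    r"\b(?:crack(?:ed)?|hack(?:s|ed)?|cheat(?:s)?|keygen|free\s+version|activator)\b",
    re.IGNORECASE,
)


@dataclass
class LureVerdict:
    score: int
    indicators: list = field(default_factory=list)
    file_host_links: list = field(default_factory=list)


def score_post(text: str) -> LureVerdict:
    """Score a community post / comment for the Ghost Network lure pattern.

    Weights are assumed: the Defender-disable instruction is weighted highest
    because it is the step that actually lets the payload run.
    """
    verdict = LureVerdict(score=0)
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_HOSTS):
            verdict.file_host_links.append(url)
    if verdict.file_host_links:
        verdict.score += 2
        verdict.indicators.append("file_host_link")
    if PASSWORD_RE.search(text):
        verdict.score += 2
        verdict.indicators.append("archive_password")
    if DISABLE_AV_RE.search(text):
        verdict.score += 3
        verdict.indicators.append("disable_av_instruction")
    if LURE_RE.search(text):
        verdict.score += 1
        verdict.indicators.append("crack_or_cheat_lure")
    return verdict


def is_suspicious(text: str, threshold: int = 5) -> bool:
    # Threshold is an assumption: a lone file-host link or a lone password
    # should not trip it, but link + password + AV instruction should.
    return score_post(text).score >= threshold


# Constructed sample inputs (not real posts from the campaign).
MALICIOUS_POST = """NEW 2025 Photoshop crack, 100% working!
Download: https://www.dropbox.com/s/abc123/Setup.rar?dl=1
Password: 1234
IMPORTANT: turn off Windows Defender before extracting or it will delete the file (false positive)"""

BENIGN_POST = """Slides from today's stream are here: https://drive.google.com/file/d/xyz/view
Thanks for watching, enjoy!"""

if __name__ == "__main__":
    for label, post in (("malicious", MALICIOUS_POST), ("benign", BENIGN_POST)):
        v = score_post(post)
        print(f"{label}: score={v.score} indicators={v.indicators} links={v.file_host_links}")
```

A single indicator is weak on its own (plenty of honest creators share Drive links), which is why the benign sample scores 2 and is not flagged while the constructed lure scores 8. The combination is what matters, and the same logic could be run over video descriptions or comment exports from a moderation feed.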
Lumma, previously the most common payload, was disrupted earlier this year and has since fallen out of favour in this particular campaign. The threat actors now frequently use Rhadamanthys, rotating command-and-control servers to avoid detection. HijackLoader has also been seen in a variant posing as a fake Adobe Photoshop installer. All of them steal credentials and browser data from their victims.
This campaign, while actively being reduced by Check Point’s takedown, is still ongoing. Some of the malicious videos have hundreds of thousands of views, which pushes them up in search and recommendations and thus makes them easier to find. This is my periodic reminder to never click an untrusted link, never disable security features while installing anything, and come ask your friendly neighborhood WISP for help if you get into trouble.
Posted on LinkedIn, 10/24/25