Google has taken down a massive, coordinated network of over 3,000 malicious YouTube videos that were tricking users into downloading dangerous malware. The sophisticated campaign, dubbed the “YouTube Ghost Network” by the security researchers who discovered it, used fake popularity to lure in unsuspecting victims.
The network’s strategy was clever. The videos were disguised as tutorials for game cheats or guides on how to get “cracked” or pirated versions of popular software like Adobe Photoshop. These topics attract a large audience looking for free downloads. The videos themselves didn’t look like spam; some had hundreds of thousands of views and dozens of positive comments, making them appear completely legitimate.
What made this network so dangerous was how it faked its own success. Researchers at Check Point found it was a coordinated effort. One group of accounts would upload the malicious videos, while another group of bot accounts would then flood them with likes, positive comments, and subscriptions. This created a false sense of trust, disarming viewers and encouraging them to download the infected software. The downloads contained nasty information-stealing malware, including the infamous Rhadamanthys and Lumma stealers.
The “Ghost Network” had been active since at least 2021, but it ramped up its operations significantly this year, tripling the number of malicious videos it produced. The incident is a stark reminder that, in the age of bots, high view counts and positive comments cannot be trusted as indicators of safety.