Thousands of YouTube videos disguised as cheat codes removed for spreading malware

News
By published

The YouTube Ghost Network had hundreds of thousands of views

Man holding a smartphone with the YouTube app opening
(Image credit: Shutterstock / Alex Photo Stock)
  • YouTube has removed 3,000 malicious videos disguised as 'Cracked software'
  • These were used to spread malware and infostealers like Lumma
  • The network used fake positive engagement to garner trust

Google has removed a 3,000 strong network of malicious YouTube videos used to spread malware.

Check Point Research says it discovered the ‘YouTube Ghost Network’ - a ‘sophisticated and coordinated’ campaign of videos which took advantage of YouTube's features to promote its own harmful content.

The videos were primarily disguised as ‘Game Hack/Cheat’ and ‘Software Cracks/Piracy’ - areas with a large viewership that often encouraged the audience to download software. Such ‘cracked’ software is illegal, and these downloads often contain malware.

Get Keeper's Personal Password Manager plan for just $1.67/month

Get Keeper's Personal Password Manager plan for just $1.67/month

Keeper is a password manager with top-notch security. It's fast, full-featured, and offers a robust web interface. The Personal Plan gets you unlimited password storage across all your devices, auto-login & autofill to save time, secure password sharing with trusted contacts, biometric login & 2FA for added security.

View Deal

Malware and infostealers

These videos were not necessarily spammy in nature. Researchers identified one video targeting Adobe Photoshop with 293,000 views and 54 comments, as well as a video targeting FL Studio that had amassed 147,000 views - these would appear legitimate based on the sheer number of interactions.

The Ghost Network distributed malware through these software downloads - specifically through infamous Rhadamanthys, Lumma stealer, and RedLine infostealers and malware strains.

This tactic of using malicious social media posts to trick users into downloading harmful software is far from unheard of, with Reddit pages and WeTransfer pages also discovered earlier in 2025 spreading Lumma malware in a similar campaign.

"The network appears to be active at least since 2021, maintaining a steady output of malicious content each year,” Check Point wrote in its report. “Notably, in 2025, the creation of such videos has tripled, highlighting both the scalability and increasing effectiveness of this malware distribution campaign.”

One of the reasons this campaign in particular was so potent is the network of positive interactions it cultivated - disarming viewers and building a high level of trust. One set of accounts were observed uploading videos, while another set would like/comment/subscribe to the accounts, and another group would post positive updates and messages.

In years gone by, high viewership and positive interactions indicated a safe or legitimate service, but now with reports suggesting that up to 50% of all internet traffic comes from bots - viewers are forced to be more careful than ever.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.