Find notable cyber news and cases, enriched with sources, timelines, and signals.

YouTube Ghost Network malware distribution campaign

Campaign
First reported
Last updated
Happening score
H score 14
1 unique sources, 2 articles

Summary

Hide ▲

The YouTube Ghost Network is an active malware distribution campaign that uses compromised YouTube accounts to push malicious downloads and loaders. In the latest update, researchers tied GachiLoader to the same network, showing that the campaign is distributing a heavily obfuscated Node.js loader through YouTube-based lures and, in some cases, delivering Rhadamanthys or a Kidkadi stage while attempting Defender evasion and PE injection. The broader operation has used platform trust signals to keep driving viewers toward malware downloads, even as Google removes videos.

Related Happenings

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign
H score88 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...

Latest development: 03.07.2026 12:35

Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

TikTok and Instagram Reels Vidar social-engineering campaign

Campaign
H score37 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...

Timeline

  1. 19.12.2025 17:34 1 articles · 6mo ago

    GachiLoader spreads through the YouTube Ghost Network

    Campaign Scope Update

    Check Point identified GachiLoader in the YouTube Ghost Network, where compromised YouTube accounts distributed a heavily obfuscated Node.js loader that sometimes delivered Rhadamanthys or a Kidkadi stage while attempting Defender evasion and PE injection.

    Show sources