YouTube Ghost Network malware distribution campaign
Campaign
Summary
The YouTube Ghost Network is an active malware distribution campaign that uses compromised YouTube accounts to push malicious downloads and loaders. In the latest update, researchers tied GachiLoader to the same network, showing that the campaign is distributing a heavily obfuscated Node.js loader through YouTube-based lures and, in some cases, delivering Rhadamanthys or a Kidkadi stage while attempting Defender evasion and PE injection. The broader operation has used platform trust signals to keep driving viewers toward malware downloads, even as Google removes videos.
Related Happenings
Mirax social media ad campaign targeting Spanish-speaking users
Campaign
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
The **Mirax** distribution campaign is using **social media advertisements** and **fake IPTV or streaming apps** to reach **Spanish-speaking users** at scale, raising the risk of...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Storm-2561 fake enterprise VPN Hyrax infostealer activity
Malware Activity
First: 13.03.2026 15:23
Last: 13.03.2026 15:23
Sources 1
About this happening:
A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...
Timeline
- 19.12.2025 17:34 · 1 article · 5mo ago
GachiLoader spreads through the YouTube Ghost Network
Campaign Scope Update: Check Point identified GachiLoader in the YouTube Ghost Network, where compromised YouTube accounts distributed a heavily obfuscated Node.js loader that sometimes delivered Rhadamanthys or a Kidkadi stage while attempting Defender evasion and PE injection.
Sources:
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
- 24.10.2025 13:00 · 1 article · 7mo ago
YouTube Ghost Network malware distribution campaign
Initial Disclosure: The operation began as a role-based network of **compromised YouTube accounts** that uploaded tutorial-style videos and used descriptions and comments to funnel viewers to malware downloads.
Sources:
- 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation — thehackernews.com — 24.10.2025 13:00