YouTube Ghost Network malware distribution campaign
Campaign
Summary
Hide ▲
Show ▼
The YouTube Ghost Network is an active malware distribution campaign that uses compromised YouTube accounts to push malicious downloads and loaders. In the latest update, researchers tied GachiLoader to the same network, showing that the campaign is distributing a heavily obfuscated Node.js loader through YouTube-based lures and, in some cases, delivering Rhadamanthys or a Kidkadi stage while attempting Defender evasion and PE injection. The broader operation has used platform trust signals to keep driving viewers toward malware downloads, even as Google removes videos.
Related Happenings
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
TikTok and Instagram Reels Vidar social-engineering campaign
Campaign
H score37
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
TikTok and Instagram Reels Vidar social-engineering campaign
CampaignAbout this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
Timeline
-
19.12.2025 17:34 1 articles · 6mo ago
GachiLoader spreads through the YouTube Ghost Network
Campaign Scope UpdateCheck Point identified GachiLoader in the YouTube Ghost Network, where compromised YouTube accounts distributed a heavily obfuscated Node.js loader that sometimes delivered Rhadamanthys or a Kidkadi stage while attempting Defender evasion and PE injection.
Show sources
- Cracked Software and YouTube Videos Spread CountLoader and GachiLoader Malware — thehackernews.com — 19.12.2025 17:34
-
24.10.2025 13:00 1 articles · 8mo ago
YouTube Ghost Network malware distribution campaign
Initial DisclosureThe operation began as a role-based network of **compromised YouTube accounts** that uploaded tutorial-style videos and used descriptions and comments to funnel viewers to malware downloads.
Show sources
- 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation — thehackernews.com — 24.10.2025 13:00