YouTube ‘Ghost Network’ Spreads Infostealer via 3,000 Fake Videos

Check Point Research exposed a sophisticated, role-based operation called the YouTube Ghost Network, distributing dangerous Lumma and Rhadamanthys Infostealer malware. Learn how cybercriminals use hijacked channels and bots to triple malicious video output and steal user credentials.

Cybersecurity firm Check Point Research (CPR) has exposed the Ghost Network, a highly sophisticated, large-scale, and financially motivated “malware distribution operation.” While active since 2021, its malicious video output dramatically tripled in 2025, demonstrating a concerning increase in its effectiveness and scope.

CPR’s investigation identified and reported over 3,000 malicious videos, leading to a direct partnership with Google for their mass removal and disruption of the criminal activities.

The Ghost Network’s Structure

According to CPR’s analysis, the network’s success lies in its advanced, modular, role-based structure designed for resilience against platform bans. This means the entire operation is split into ...