YouTube, in partnership with cybersecurity firm Check Point Research, has dismantled a coordinated malware-distribution network that used deceptive videos on the platform. The campaign, labelled the “YouTube Ghost Network,” involved more than 3,000 videos that masqueraded as legitimate tutorials but concealed info-stealing malware.
The malware
The malicious operation exploited YouTube’s engagement tools (likes, comments and views) to lend credibility to its content, which targeted categories such as game hacks and software cracks. View counts for some videos exceeded 290,000, enabling the attackers to present themselves as trusted sources. Check Point’s investigation found the network had been active since at least 2021, with 2025 showing a substantial spike in activity. Google removed the flagged videos following the disclosure.
“What looks like a helpful tutorial can actually be a polished cyber trap. The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponize engagement tools to spread malware,” Eli Smadja of Check Point said.
Platform safety and enforcement
Check Point’s report detailed how the threat actors used password-protected archives, third-party file-sharing links and instructions to disable antivirus tools; each of these keeps the payload out of reach of automated content scanning until the victim has already decided to trust the video. The campaign leaned on YouTube’s engagement signals to appear legitimate, using high view counts and supportive comments to disguise malicious intent. YouTube has since removed the flagged videos and reaffirmed its commitment to user safety and coordinated threat detection.
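The password-protected archive is the part of this tradecraft a defender can act on directly. Traditional ZIP encryption protects only the entry contents; the central directory (file names, sizes, timestamps) stays in cleartext, so a download or mail gateway that cannot scan the payload can still see that an archive is encrypted and that it carries an executable. The following is an added example written for this article, not code from Check Point or YouTube: it builds a constructed sample archive (the file names, the README text and the risky-suffix list are all illustrative assumptions, and the "encrypted" variant only sets the encryption flag bit, since the standard library cannot write real password-protected ZIPs) and then triages it without extraction.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP "general purpose bit flag" marks an entry as encrypted.
ENCRYPTED_FLAG = 0x0001

# Assumed list of file types that rarely belong in a legitimate "tutorial"
# download; tune it to your environment.
RISKY_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".dll")


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed sample: a small ZIP holding a fake 'cheat' loader.

    For the encrypted variant the encryption bit is set by hand in every
    local file header (flag at offset 6) and central-directory header
    (flag at offset 8). The payload bytes are not actually encrypted; only
    the flag is, which is all the inspection logic below relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("README.txt", "Disable your antivirus first, the detection is a false positive.\n")
        zf.writestr("GameHack_Setup.exe", b"MZ" + b"\x00" * 62)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
                struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
                pos = data.find(signature, pos + 4)
    return bytes(data)


def inspect_archive(data: bytes) -> dict:
    """Triage a ZIP without extracting it.

    Returns which entries are encrypted, which carry a risky extension,
    whether the contents are actually readable without a password, and a
    quarantine verdict: encrypted archive AND executable inside.
    """
    report = {"encrypted_entries": [], "risky_names": [], "readable": True}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The central directory is cleartext even for encrypted archives.
            if info.flag_bits & ENCRYPTED_FLAG:
                report["encrypted_entries"].append(info.filename)
            if info.filename.lower().endswith(RISKY_SUFFIXES):
                report["risky_names"].append(info.filename)
        # Confirm that content scanning really is blocked, not merely flagged:
        # zipfile refuses to open an encrypted entry without a password.
        try:
            for info in zf.infolist():
                zf.open(info).read(1)
        except RuntimeError:
            report["readable"] = False
    report["quarantine"] = bool(report["encrypted_entries"] and report["risky_names"])
    return report


if __name__ == "__main__":
    for label, flag in (("plain archive", False), ("password-protected archive", True)):
        print(label, inspect_archive(build_sample_archive(flag)))
```

The point of the `readable` check is to separate "flagged as encrypted" from "actually unscannable": a gateway that only trusts the flag can be fooled by a mislabelled archive, while one that tries to read and fails knows for certain that its antivirus engine never saw the payload, which is exactly the situation the "disable your antivirus" instruction in these videos is designed to exploit.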
Other platforms face similar challenges. Streaming services such as Twitch and Kick continue to combat increasingly sophisticated bot activity, pushing their moderation and security systems to evolve. As malicious automation becomes more advanced, these platforms are under growing pressure to ensure accurate engagement metrics and maintain user trust across their ecosystems.
