{
	"id": "a62f43c1-268a-43f3-a88a-d610e606730d",
	"created_at": "2026-04-06T00:16:31.333031Z",
	"updated_at": "2026-04-10T13:12:07.587613Z",
	"deleted_at": null,
	"sha1_hash": "2f84556b555f22cac1c5e7a4234f1ecdf23ab513",
	"title": "Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7278730,
	"plain_text": "Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware\r\nBy Pavan Karthick M\r\nPublished: 2025-08-21 · Archived: 2026-04-05 17:08:01 UTC\r\nSince November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users.\r\nMarch 13, 2023\r\nhttps://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware\r\nPage 1 of 15\r\nAuthors: Pavan Karthick M, Deepanjli Paulraj\r\nRise in Threat Actors Using AI-Generated Youtube Videos\r\nUsually, the videos use a screen recording or audio walkthrough of the steps to download and install the software. However, there has recently been an increase in the use of AI-generated videos from platforms such as Synthesia and D-ID. It is well known that videos featuring humans, especially those with certain facial features, appear more familiar and trustworthy. Hence, there has been a recent trend of videos featuring AI-generated personas, across languages and platforms (Twitter, Youtube, Instagram), providing recruitment details, educational training, promotional material, etc. Threat actors have now adopted this tactic as well.\r\nAI-generated video from studio.d-id.com\r\nThe Burgeoning Information Stealer Ecosystem\r\nInfostealers are malicious software designed to steal sensitive information from computers. They can steal passwords, credit card information, bank account numbers, and other confidential data. They are usually spread through malicious software downloads, fake websites, and Youtube tutorials. Once installed on a system, they steal information from the computer and upload it to the attacker's Command and Control server.\r\nInformation stealers typically collect a victim’s:\r\nBrowser data, including passwords, cookies, extension data, auto-fills, credit card details, etc.\r\nCrypto wallet data and credentials\r\nTelegram data and credentials\r\nFiles such as .txt, documents, Excel sheets, PowerPoint presentations, etc., using a File Grabber.\r\nSystem information such as IP address, malware path (RedLine and Vidar only), timezone, location, system specifications, etc.\r\nOrganization of the information stealer ecosystem (Source: sekoia.com)\r\nInformation Stealer Developers\r\nThe developers are responsible for developing and updating the malware code to ensure that antivirus and other endpoint detection systems do not detect the stealer when it is downloaded to a computer. They also work on expanding the scope of the stealer by adding new browsers, wallets, and other applications that the malware can steal information from. Even as EDRs are updated with new IoCs to detect malware, developers continue to iteratively upgrade the malware to evade detection. Hence, EDRs and IoCs are valid only for a short period of time.\r\nRelated Report: Information Stealer Targets Crypto Wallets Via Fake Windows 11 Update\r\nTraffers\r\nInformation stealer developers recruit or partner with other threat actors, commonly known as traffers, to:\r\nIdentify victims via stealer logs, compromised credentials, etc., from underground marketplaces, Telegram channels, and from other traffers.\r\nSpread the stealer via fake websites, phishing emails, Youtube tutorials, social media posts, etc.\r\nUse SEO optimization to ensure the sources of infection are easily visible and available to potential victims.\r\nCollect, organize, and sell the exfiltrated information on underground forums, Telegram channels, and to other groups that spread stealer malware.\r\nTraffers are recruited via posts and advertisements across various underground forums:\r\nForum post recruiting traffers. Claims to have a YT panel for the 911 infection chain and automated tools for traffic generation\r\nYoutube as a Malware Distribution Channel\r\nWith over 2.5 billion active monthly users, Youtube is a popular and versatile platform. From entertainment and reviews to recipes and educational material, Youtube is used by a wide range of users across demographics.\r\nWhile Youtube is an easy way to reach millions of users, the platform’s regulations and review process make it difficult for threat actors to maintain long-term active accounts on the platform. Once a few users have been affected, the video is usually taken down and the account is banned. Hence threat actors are always looking for new ways to circumvent the platform’s algorithm and review process.\r\nSince November 2022, CloudSEK has observed a 2 to 3 times month-on-month increase in the number of videos spreading stealer malware.\r\nAccount Takeover\r\nThreat actors use previous data leaks, phishing techniques, and stealer logs to take over existing Youtube accounts. They target both educated and active users (with a significant number of subscribers and uploads) and less educated users.\r\nThere have been several reports and complaints regarding Youtube account takeovers. The threat actors immediately upload 5-6 videos to the account.\r\nTaking Over Popular Accounts\r\nThreat actors target popular accounts with 100K+ subscribers, in an attempt to reach a large audience in a short period of time. Usually, the subscribers of popular accounts will be notified about a new upload. Uploading to such accounts lends the video legitimacy as well. However, such Youtubers will report the account takeover to Youtube and regain access to their accounts within a few hours. But in those few hours, hundreds of users could have fallen prey.\r\nA popular Youtuber whose account was flooded with crack download videos\r\nTaking Over Less Popular Accounts\r\nGeneral users, who don’t upload videos on a regular basis, may not notice that their account has been taken over for a significant period of time. And even if they lose access to their accounts, they may not have the incentive to report it. As seen in the example below, the malicious videos are available even after 3 months. Despite the limited reach of these accounts, threat actors target them because videos uploaded to them remain available for an extended period of time.\r\nA not-so-popular YouTube account flooded with crack download videos\r\nAutomated & Frequent Video Uploads\r\nWe have observed that every hour 5-10 crack software download videos, containing malicious links, are uploaded to Youtube. This frequent addition of videos compensates for the videos that are deleted or taken down and ensures that at any given time, if a user searches for a tutorial on how to download cracked software, these malicious videos will be available.\r\nObfuscated Links\r\nThe malicious link to download the malware-laced file is usually included in the description of the video. However, these links don’t appear suspicious because the threat actors use:\r\nURL shorteners such as bit.ly and cutt.ly\r\nLinks to file hosting platforms such as mediafire.com\r\nLinks that directly download the malicious zip file\r\nCommonly seen websites that are used in the infection chain are listed in the chart below.\r\nAI-Generated Videos\r\nAs seen in the example below, a Hogwarts crack download video generated using d-id.com was uploaded to a Youtube channel with 184K subscribers. Within a few minutes of being uploaded, the video had 9 likes and 120+ views.\r\nThe Way Forward\r\nLimitations of String-Based Rules\r\nString-based rules will prove ineffective against malware that dynamically generates strings and/or uses encrypted strings. Encryption and encoding methods differ from sample to sample (e.g. new versions of Vidar, Raccoon, etc.). In addition, they will only be able to detect the malware family when the sample is unpacked, which is almost never the form used in a malware campaign.\r\nReal-time Adaptive Threat Monitoring\r\nTo address constantly changing threats, organizations need to adopt adaptive threat monitoring. This can only be done by closely monitoring threat actors’ changing Tactics, Techniques, and Procedures. It is also important to conduct awareness campaigns and to equip users to identify potential threats.\r\nApart from this, it is recommended that users enable multi-factor authentication and refrain from clicking on unknown links and emails. Additionally, avoid downloading or using pirated software because the risks greatly outweigh the benefits.\r\nPavan Karthick M is a Threat Researcher at CloudSEK, building threat intelligence and automation systems for malware tracking, dark web intelligence, and vulnerability monitoring. He researches stealer ecosystems and cybercrime networks, and speaks at BSides, Null/OWASP, and HITB on AI-driven security automation.\r\nDeepanjli is CloudSEK's Lead Technical Content Writer and Editor. She is a pen-wielding pedant with an insatiable appetite for books, Sudoku, and epistemology.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware"
	],
	"report_names": [
		"threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f84556b555f22cac1c5e7a4234f1ecdf23ab513.pdf",
		"text": "https://archive.orkl.eu/2f84556b555f22cac1c5e7a4234f1ecdf23ab513.txt",
		"img": "https://archive.orkl.eu/2f84556b555f22cac1c5e7a4234f1ecdf23ab513.jpg"
	}
}