{
	"id": "4335e7dc-93b5-4a48-8699-98c3942763b3",
	"created_at": "2026-04-06T01:29:31.862351Z",
	"updated_at": "2026-04-10T03:36:48.068881Z",
	"deleted_at": null,
	"sha1_hash": "3acd56f1c4bd98046d7dc27026451af75cbd3ace",
	"title": "Self-spreading stealer attacks gamers via YouTube",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1309499,
	"plain_text": "Self-spreading stealer attacks gamers via YouTube\r\nBy Oleg Kupreev\r\nPublished: 2022-09-15 · Archived: 2026-04-06 01:19:48 UTC\r\nUPD: A notice on Google’s response to the issue was added.\r\nAn unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation\r\nfile, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload\r\nis the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common\r\nTrojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly\r\navailable on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.\r\nThe stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and\r\nGecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files\r\nwith particular extensions from devices. In addition, RedLine can download and run third-party programs, execute\r\ncommands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including\r\nthrough malicious spam e-mails and third-party loaders.\r\nThe bundle: what’s inside beside RedLine\r\nIn addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several\r\nfiles are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along\r\nwith the links to a password-protected archive with the bundle in the description. The videos advertise cheats and\r\ncracks and provide instructions on hacking popular games and software. 
Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken. According to Google, the hacked channels were quickly terminated for violation of the company’s Community Guidelines.\r\nExamples of videos spreading the bundle\r\nhttps://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/\r\nPage 1 of 5\r\nThe original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script that automatically runs the unpacked contents. Because of the expletives used by the bundle’s creators, we had to hide some file names.\r\nContents of the self-extracting archive\r\nRight after unpacking, three executable files are run: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer mentioned above. The second is a miner, which makes sense, since the main target audience, judging by the video, is gamers — who are likely to have video cards installed that can be used for mining. The third copies itself to the %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup directory, so that it is launched again at every user logon, and then runs the first of the batch files.\r\nThe batch files, in turn, run three other malicious files: MakiseKurisu.exe, download.exe and upload.exe. These are the files responsible for the bundle’s self-distribution. On top of that, one of the batch files runs the nir.exe utility, which lets the malicious executables run without displaying any windows or taskbar icons.\r\nContents of the first and second batch files\r\nThe size of the download.exe file is an impressive 35 MB. 
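Before moving on to download.exe, the launch mechanism just described deserves a concrete look. A WinRAR self-extracting archive keeps its SFX script in the archive comment, and it is that script (Setup=, Silent=, TempMode and similar commands) that makes the payloads start as soon as the archive unpacks. The Python below is an added example, not code from the report or from the bundle: it parses such a script and flags the combination of auto-run commands with options that hide the extraction from the user. SAMPLE_SCRIPT is constructed for illustration (the report does not reproduce the real script text) and reuses the file names the report gives.

```python
# Added example, not code from the Securelist report: triage of the WinRAR
# SFX script that a self-extracting RAR keeps in its archive comment. That
# script is what makes the bundle launch its payloads (cool.exe, the miner and
# AutoRun.exe) right after unpacking. SAMPLE_SCRIPT is constructed for
# illustration; the real bundle's script was not published in the report.

# Commands that launch a program after (Setup) or before (Presetup) extraction.
RUN_COMMANDS = {'setup', 'presetup'}
# Options that keep the extraction out of the user's sight or control.
STEALTH_COMMANDS = {'silent', 'tempmode', 'overwrite', 'path'}

SAMPLE_SCRIPT = '''
;The comment below contains SFX script commands
Path=%TEMP%\\cheat
Silent=1
Overwrite=1
TempMode
Setup=cool.exe
Setup=AutoRun.exe
Title=Cheat installer
Text
{
Press Install to continue
}
'''


def parse_sfx_script(text):
    '''Split a WinRAR SFX script into (command, value) pairs.
    Handles Name=value lines, bare commands such as TempMode, and the
    multi-line Name { ... } form; lines beginning with ; are comments.'''
    commands = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(';'):
            continue
        if '=' in line:
            name, value = line.split('=', 1)
            commands.append((name.strip().lower(), value.strip()))
        elif i < len(lines) and lines[i].strip() == '{':
            # Bare name followed by a brace block: collect until the closing brace.
            i += 1
            block = []
            while i < len(lines) and lines[i].strip() != '}':
                block.append(lines[i].strip())
                i += 1
            i += 1  # skip the closing brace
            commands.append((line.lower(), ' '.join(block)))
        else:
            commands.append((line.lower(), ''))
    return commands


def triage_sfx_script(text):
    '''Summarise what the archive does on its own: which programs it runs and
    which options hide that from the user. A run command combined with a
    stealth option is the pattern the report describes.'''
    commands = parse_sfx_script(text)
    launches = [value for name, value in commands if name in RUN_COMMANDS]
    stealth = sorted({name for name, _ in commands if name in STEALTH_COMMANDS})
    extract_path = next((value for name, value in commands if name == 'path'), None)
    if launches and stealth:
        verdict = 'suspicious'
    elif launches:
        verdict = 'review'
    else:
        verdict = 'benign'
    return {'launches': launches, 'stealth_options': stealth,
            'extract_path': extract_path, 'verdict': verdict}


if __name__ == '__main__':
    for key, value in triage_sfx_script(SAMPLE_SCRIPT).items():
        print(key, value)
```

Dump the comment with whatever unpacker you use and pass it to triage_sfx_script. A verdict of suspicious means the archive starts programs on its own while hiding its dialogs, which is exactly the pattern of this bundle; it does not replace dynamic analysis, since a Setup= line names a program but says nothing about what that program does.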
However, it’s basically a regular loader whose purpose is to download videos for uploading to YouTube, as well as files with the description text and links to the malicious archive. The executable is large because it is a Node.js interpreter bundled together with the scripts and dependencies of the main application. The malware takes the file download links from a GitHub repository. In the latest modifications, a 7-Zip archive with videos and descriptions organized into directories is downloaded. The archive is unpacked using the console version of 7-Zip, which is included in the bundle.\r\nContents of the 7-Zip archive\r\nMakiseKurisu.exe is a password stealer written in C# and modified to suit the needs of the bundle’s creators. Source code from GitHub was likely taken as the basis: the file contains many standard stealer features that are not used in any way. These include checking for a debugger and for a virtual environment, sending information about the infected system to instant messengers, and stealing passwords.\r\nSo, what remains and what do the changes amount to? The only working function in MakiseKurisu.exe is extracting cookies from browsers and storing them in a separate file, without sending the stolen data anywhere. It is precisely through these cookies that the bundle gains access to the infected user’s YouTube account: a valid session cookie lets the uploader act as the already logged-in user, so no password is needed, and the video is uploaded from there.\r\nThe last malicious file in the bundle is upload.exe, which uploads to YouTube the video previously fetched by download.exe. This file is also written in Node.js. It uses the Puppeteer library, which provides a high-level API for driving Chrome and Microsoft Edge over the DevTools protocol. 
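Taken together, the behaviours described so far (an executable copied into the Startup folder, a batch file starting nir.exe, a non-browser process reading the browser cookie store, and RedLine talking to its C2) are all visible in ordinary host telemetry. The Python below is an added example, not code from the report: it encodes each as a small detection rule and runs them over a few constructed events. The event schema is a simplified stand-in for Sysmon or EDR records and is an assumption; the hashes and the C2 address are those listed in the IoC section at the end of this report, but their pairing with particular file names in the sample events is made up, since the report lists bare hashes. Treating nir.exe as NirSoft's NirCmd is also an assumption.

```python
# Added example, not code from the Securelist report: detection rules for the
# host behaviours the report describes, run over constructed telemetry events.
# The event dicts are a simplified stand-in for Sysmon or EDR records (the
# schema is an assumption and every event is fabricated for illustration).
# IOC_MD5 and IOC_C2 are taken from the report's IoC section.

IOC_MD5 = {
    '32dd96906f3e0655768ea09d11ea6150', '1d59f656530b2d362f5d540122fb2d03',
    '6ebe294142d34c0f066e070560a335fb', '64b4d93889661f2ff417462e95007fb4',
    'b53ea3c1d42b72b9c2622488c5fa82ed', 'ac56f398a5ad9fb662d8b04b61a1e4c5',
    'f80abd7cfb638f6c69802e7ac4dcf631', 'e59e63cdaec7957e68c85a754c69e109',
    '9194c2946e047b1e5cb4865a29d783f4', 'f9d443ad6937724fbd0ca507bb5d1076',
    '7cd4f824f61a3a05abb3aac40f8417d4',
}
IOC_C2 = ('45.150.108.67', 80)

# Per-user Startup folder: anything written here runs again at the next logon.
STARTUP_DIR = '\\microsoft\\windows\\start menu\\programs\\startup\\'
RUNNABLE = ('.exe', '.bat', '.cmd', '.vbs', '.js', '.lnk', '.scr')
# nir.exe is the name used in the report; nircmd.exe is an assumption that it
# is NirSoft's NirCmd, which can start a program with its window hidden.
HIDE_LAUNCHERS = {'nir.exe', 'nircmd.exe'}
# Cookie databases of Chromium-based browsers (Network folder on recent
# builds, profile root on older ones) and of Gecko-based Firefox.
COOKIE_STORES = ('\\network\\cookies', '\\default\\cookies', '\\cookies.sqlite')
BROWSERS = {'chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe'}


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def rule_ioc_hash(e):
    return e['type'] == 'process' and e.get('md5', '').lower() in IOC_MD5


def rule_startup_drop(e):
    target = e.get('target', '').lower()
    return (e['type'] == 'file_create' and STARTUP_DIR in target
            and target.endswith(RUNNABLE))


def rule_hidden_launcher(e):
    return e['type'] == 'process' and basename(e['image']) in HIDE_LAUNCHERS


def rule_cookie_store_access(e):
    # A browser reading its own cookie database is normal; anything else is not.
    target = e.get('target', '').lower()
    return (e['type'] == 'file_read' and target.endswith(COOKIE_STORES)
            and basename(e['image']) not in BROWSERS)


def rule_redline_c2(e):
    return (e['type'] == 'network'
            and (e.get('dest_ip'), e.get('dest_port')) == IOC_C2)


RULES = [rule_ioc_hash, rule_startup_drop, rule_hidden_launcher,
         rule_cookie_store_access, rule_redline_c2]


def run_detections(events):
    '''Return (rule name, offending image) for every rule that fires.'''
    return [(rule.__name__, e['image'])
            for e in events for rule in RULES if rule(e)]


# Constructed events: one per behaviour in the report plus two benign browser
# events. The hash-to-file pairing is invented; the report lists bare hashes.
TMP = 'c:\\users\\bob\\appdata\\local\\temp\\rarsfx0\\'
CHROME = 'c:\\program files\\google\\chrome\\application\\chrome.exe'
COOKIE_DB = 'c:\\users\\bob\\appdata\\local\\google\\chrome\\user data\\default\\network\\cookies'
STARTUP = 'c:\\users\\bob\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\'
EVENTS = [
    {'type': 'process', 'image': TMP + 'cool.exe',
     'parent': 'c:\\users\\bob\\downloads\\cheat.exe',
     'md5': '32dd96906f3e0655768ea09d11ea6150'},
    {'type': 'file_create', 'image': TMP + 'autorun.exe', 'target': STARTUP + 'autorun.exe'},
    {'type': 'process', 'image': TMP + 'nir.exe', 'parent': 'c:\\windows\\system32\\cmd.exe'},
    {'type': 'file_read', 'image': TMP + 'makisekurisu.exe', 'target': COOKIE_DB},
    {'type': 'file_read', 'image': CHROME, 'target': COOKIE_DB},
    {'type': 'network', 'image': TMP + 'cool.exe', 'dest_ip': '45.150.108.67', 'dest_port': 80},
    {'type': 'network', 'image': CHROME, 'dest_ip': '203.0.113.10', 'dest_port': 443},
]

if __name__ == '__main__':
    for rule_name, image in run_detections(EVENTS):
        print(rule_name, '->', image)
```

Each rule is deliberately narrow so it can be mapped to one sentence of the report; the two browser events show that the cookie and network rules key on who is doing the access, not merely on the path or the port. Hash and C2 matches age quickly, whereas the Startup-folder, hidden-launcher and cookie-store rules describe the behaviour and keep working when the samples are rebuilt.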
When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.\r\nCode for video uploading\r\nCode for sending notification to Discord\r\nConclusion\r\nCybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.\r\nIoC\r\nMD5 hashes\r\n32dd96906f3e0655768ea09d11ea6150\r\n1d59f656530b2d362f5d540122fb2d03\r\n6ebe294142d34c0f066e070560a335fb\r\n64b4d93889661f2ff417462e95007fb4\r\nb53ea3c1d42b72b9c2622488c5fa82ed\r\nac56f398a5ad9fb662d8b04b61a1e4c5\r\nf80abd7cfb638f6c69802e7ac4dcf631\r\ne59e63cdaec7957e68c85a754c69e109\r\n9194c2946e047b1e5cb4865a29d783f4\r\nf9d443ad6937724fbd0ca507bb5d1076\r\n7cd4f824f61a3a05abb3aac40f8417d4\r\nLinks to archives with the original bundle\r\nhxxps://telegra[.]ph/2022-July-07-27\r\nhxxps://telegra[.]ph/DayZ-Eazy-Menu-06-24\r\nhxxps://telegra[.]ph/Cossfire-cheat-06-24\r\nhxxps://telegra[.]ph/APB-Reloaded-hack-05-29\r\nhxxps://telegra[.]ph/Forza-Horizon-5-Hack-Menu-07-13\r\nhxxps://telegra[.]ph/Point-Blank-Cheat-05-29\r\nhxxps://telegra[.]ph/Project-Zomboid-Private-Cheat-06-26\r\nhxxps://telegra[.]ph/VRChat-Cheat-04-24\r\nLinks to 
GitHub\r\nhxxps://github[.]com/AbdulYaDada/fdgkjhfdguoerldifgj\r\nhxxps://raw.githubusercontent[.]com/AbdulYaDada/fdgkjhfdguoerldifgj/\r\nRedLine C2\r\n45.150.108[.]67:80\r\nSource: https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/"
	],
	"report_names": [
		"107407"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438971,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3acd56f1c4bd98046d7dc27026451af75cbd3ace.pdf",
		"text": "https://archive.orkl.eu/3acd56f1c4bd98046d7dc27026451af75cbd3ace.txt",
		"img": "https://archive.orkl.eu/3acd56f1c4bd98046d7dc27026451af75cbd3ace.jpg"
	}
}