{
	"id": "27232c36-3b33-4262-b333-1db0e2122ce8",
	"created_at": "2026-04-06T00:18:47.407613Z",
	"updated_at": "2026-04-10T03:21:32.743608Z",
	"deleted_at": null,
	"sha1_hash": "6edffc78ccd1b2a2cd44e8eb2f0703b108d7039e",
	"title": "Info Stealer Targets 100+ Apps in YouTube Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1306818,
	"plain_text": "Info Stealer Targets 100+ Apps in YouTube Campaign\r\nBy cybleinc\r\nPublished: 2022-11-08 · Archived: 2026-04-05 21:29:55 UTC\r\nCyble Research and Intelligence Labs (CRIL) analyzes how Threat Actors use phishing websites to deliver info stealers via YouTube tutorials.\r\nThreat Actors Create Phishing Websites for Mass Infection\r\nCyble Research \u0026 Intelligence Labs (CRIL) identified massive phishing campaigns running on YouTube as tutorials for downloading and installing cracked software and games for free.\r\nThe video tutorial tricks users into installing an information stealer from the link given in the video description and lures them into believing it is a crack for their desired software.\r\nWe have seen many similar campaigns in the past delivering Pennywise and Redline stealer. In these types of campaigns, the Threat Actor (TA) usually hosts the malicious file on a free file-hosting platform. In this case, however, the TA has created phishing pages mimicking legitimate websites that offer users downloads of various software, games, and other tools.\r\nGoing through the different campaigns, we identified several phishing websites mentioned in the video descriptions. The TA has created phishing pages to increase the chances of successful infection. The impact of this campaign can also be estimated from the number of views on each video posted. The maximum number of views we observed on a single video is 18k, indicating the campaign is widespread.\r\nhttps://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/\r\nPage 1 of 9\r\nFigure 1 – Views on Videos\r\nThe image below depicts the comments on the YouTube videos. Similar comments across different YouTube videos indicate that the TA adds them to convince users that the software is legitimate.\r\nFigure 2 – Comments in the Videos\r\nYouTube Campaigns Analysis:\r\nDuring our research, we observed that the TA responsible for running these campaigns primarily targets people looking to get paid software, such as games and programs, for free. To get this software for free, people usually search for keywords like “software cracks,” “keygens,” etc. The search results for these keywords lead users to these YouTube videos, which guide them to install malicious executables pretending to be the software they wanted to install.\r\nCampaign 1\r\nThe image below depicts a website hosted on the URL hxxps://teensoft[.]org/, which is being used by the YouTube video campaign to deliver an info stealer. The website delivers Vidar stealer malware posing as legitimate applications such as MS Office, Spotify Premium 2022, Adobe software, etc.\r\nFigure 3 – Website Delivering Vidar Stealer\r\nCampaign 2\r\nThe image below showcases a website hosted on the URL hxxps://wh1tesoftware[.]me/, which is used by the malicious YouTube video campaign to deliver stealer malware.\r\nThe website’s catalog lists various malicious software under legitimate names, such as MS Office, CCleaner PRO, AutoCAD, and Adobe software, which are distributed to target users. Behind these names, the website delivers Vidar stealer.\r\nFigure 4 – Website Delivering Vidar Stealer\r\nCampaign 3\r\nThe figure below showcases a website hosted on the URL hxxps://soft-exp[.]org/, which is being used by the YouTube video campaign to deliver malicious files. The website targets more than 100 applications in the categories of games, cracked software, plugins, Roblox scripts, and cheats to lure users into installing info stealers on their machines. These websites deliver RecordBreaker stealer.\r\nFigure 5 – Website Delivering RecordBreaker Stealer\r\nCampaign 4\r\nThe figure below showcases a website hosted on the URL hxxps://appshigha[.]com/, which is used by the malicious YouTube video campaign to deliver malicious programs.\r\nOn the website, software such as Sapphire Plugin, Twixtor Plugin, Valorant Hack, GTA Online Mod Menu, MS Office, CCleaner PRO, and AutoCAD is listed and available for download. When users try to download the software, a RecordBreaker stealer payload is executed silently in the background.\r\nFigure 6 – Website Delivering RecordBreaker Stealer\r\nThe list below shows the software targeted by the TAs to deliver stealers:\r\nWondershare Filmora, Driver Booster PRO, CCleaner Professional, FL Studio, iCloud Bypass iOS 15, Lumion 12 Pro, Sketchup, Bandicam, Voicemod Pro, Sony Vegas Pro 19, AutoCAD, 3ds Max, Adobe Illustrator, Adobe XD, Adobe After Effects, Adobe Photoshop, Adobe Acrobat, Adobe InDesign, DaVinci Resolve, Movavi Video Editor, Ableton Live\r\nThe list below shows the gaming software the TA claims to deliver for free in order to infect users:\r\nValorant Hack, GTA Online Mod Menu, Fortnite Hack, Fortnite Skin Changer, Genshin Impact Hack, Warzone Hack, Rust Hack, Spider-Man Remastered, Synapse X Hack, NBA 2K23, Marvel’s Spider-Man, F1 Manager, Saints Row, Elden Ring, Dying Light 2, Wanderer Download, Expeditions Rome, Blackwind Download, Tom Clancy’s Rainbow Six Extraction, Aery – Dreamscape, Monster Hunter Rise, The Kids We Were, God of War, Weird West, Far Cry 6\r\nThe list below shows the ROBLOX scripts targeted by the YouTube campaign. We have mentioned only 25 targeted ROBLOX script names here:\r\nTatakai V.2, Project Slayers, Limited Words, PLS STEAL, Gumball Factory Tycoon, Apocalypse Rising 2, Viet Nam Piece, Mining Clicker Simulator, Your Bizarre Adventure, Legend Piece, Anime World Tower Defense, Pet Posse Script, Anime Adventures, Bid Battles, Bid Battles, Raise A Floppa, ARCH PIECE, Combat Warriors, Telekinesis, Lumber Tycoon, Decaying Winter, Anime Battle Simulator, Anime Sword Simulator, World Of Stands, Prison Life\r\nThe list below shows the cheats and plugins targeted:\r\nCHEATS: Download Kiddions Modest Menu, free-rust-hack-download\r\nPLUGINS: Sapphire Plugin, Twixtor Plugin\r\nMost of the binaries hosted on these phishing sites act as either downloaders or droppers for the stealer payload. The infection happens in multiple stages and, at the end, executes the stealer payload. These stealers mainly exfiltrate sensitive user data such as cookies, system information, and login credentials to their Command and Control (C\u0026C) server.\r\nThis exfiltrated data is referred to as Stealer Logs, which are usually sold on cybercrime marketplaces and can be leveraged by other TAs to target individuals or get into corporate networks. The phishing campaign discussed in this blog was mainly distributing Vidar and RecordBreaker stealer.\r\nVidar Stealer\r\nVidar InfoStealer is written in C/C++. The Vidar malware family, first identified in 2018, can steal sensitive data from the victim’s PC, including banking information, saved passwords, IP addresses, browser history, login credentials, and crypto wallets, which is then transferred to the TA’s Command and Control (C\u0026C) server. We have also seen TAs use delivery mechanisms such as spam mail, cracked software, and keygens to distribute this malware in the past.\r\nRecordBreaker Stealer\r\nRecordBreaker stealer is suspected to be a recent version of the Raccoon stealer, which was spotted in the wild in 2022. While executing, this stealer performs several GET/POST requests to its Command and Control (C\u0026C) server. Initially, it fetches the configuration and DLLs, and then exfiltrates the victim’s data to the C\u0026C using a POST request. The stealer can also deliver other malware payloads based on the configuration settings. The figure below shows the stealer receiving the configuration file.\r\nFigure 7 – RecordBreaker Configuration File\r\nConclusion\r\nThreat Actors are constantly enhancing their techniques to deliver malicious programs. In this particular case, the TA uses YouTube channels to spread malicious payloads hosted on phishing websites. This campaign primarily leverages YouTube videos (with step-by-step tutorials) to trick users into installing malicious programs on their systems. CRIL has observed an increasing trend in social media scams of late.\r\nCyble Research and Intelligence Labs’ mission is to continuously monitor and alert our audience to high-tech cyber scams and protect our clients in cyberspace by supporting them in achieving their goals.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nAvoid downloading pirated software from unverified sites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nKeep updating your passwords at regular intervals.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) solutions organization-wide.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic   Technique ID   Technique Name\r\nExecution   T1204   User Execution\r\nDefense Evasion   T1140   Deobfuscate/Decode Files or Information\r\nDefense Evasion   T1497   Virtualization/Sandbox Evasion\r\nDefense Evasion   T1055.012   Process Injection: Process Hollowing\r\nCredential Access   T1555   Credentials from Password Stores\r\nCredential Access   T1539   Steal Web Session Cookies\r\nCredential Access   T1552   Unsecured Credentials\r\nCredential Access   T1528   Steal Application Access Token\r\nCollection   T1113   Screen Capture\r\nDiscovery   T1518   Software Discovery\r\nDiscovery   T1124   System Time Discovery\r\nDiscovery   T1007   System Service Discovery\r\nCommand and Control   T1071   Application Layer Protocol\r\nExfiltration   T1041   Exfiltration Over C2 Channel\r\nIndicators of Compromise (IOCs)\r\nIndicator   Indicator Type   Description\r\ne99bebb8facdfff476c4d1163dfa85cb   MD5   Campaign 2: Vidar Stealer\r\nb04cdfb5b57b309a1d9a2e5f0bd9c01cb490854b   SHA1   Campaign 2: Vidar Stealer\r\nf1e8f4fba1da25cc02d0673f8cc3962c7419d769cb139f818f8f1e4d56a891df   SHA256   Campaign 2: Vidar Stealer\r\nhxxp://95.217.27.240/   URL   Campaign 2: C\u0026C\r\n95.217.27.240   IP   Campaign 2: C\u0026C\r\n8e636392c37a87f6f80d94105eff13f3   MD5   Campaign 1: Vidar Stealer\r\nefac1bb38a50284b74d5f9e90ba3909d7a998df7   SHA1   Campaign 1: Vidar Stealer\r\n65509ae4d5b04ea786423cbdee234ddca5363da3db68f49ba4fc0db16ceba799   SHA256   Campaign 1: Vidar Stealer\r\nhxxp://95.217.27.240/   URL   Campaign 1: C\u0026C\r\nhxxp://195.201.251.82:80   URL   Campaign 1: C\u0026C\r\n78c988133da5464c206078efe56b9191   MD5   Campaign 3: RecordBreaker stealer\r\n3024b41db4386592449a7ecb19bf8acc3853d9b7   SHA1   Campaign 3: RecordBreaker stealer\r\n81ae14e327301b347ff43d58c2a907fb2fb94dc3e73c750bad64ab824066b34c   SHA256   Campaign 3: RecordBreaker stealer\r\nhxxp://91.213.50.70/Objhkcgmiub.bmp   URI   Campaign 3: Malicious URI\r\nhxxp://51.255.211.253/   URL   Campaign 3: C\u0026C\r\n46b417fe39b7cf62a63b665a8caef5ea   MD5   Campaign 4: RecordBreaker stealer\r\n5448de47e5e922686ed66fbc21ba6ebf830e0cc7   SHA1   Campaign 4: RecordBreaker stealer\r\nedcabbcc1389f1a4d2ad030c28dcb97d065027e0645faa3199f66b05505cced5   SHA256   Campaign 4: RecordBreaker stealer\r\nhxxp://146.70.86[.]136   URL   Campaign 4: C\u0026C\r\nSource: https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/"
	],
	"report_names": [
		"massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6edffc78ccd1b2a2cd44e8eb2f0703b108d7039e.pdf",
		"text": "https://archive.orkl.eu/6edffc78ccd1b2a2cd44e8eb2f0703b108d7039e.txt",
		"img": "https://archive.orkl.eu/6edffc78ccd1b2a2cd44e8eb2f0703b108d7039e.jpg"
	}
}