{
	"id": "8709ebb6-8efd-470c-b3cd-bfb7ab1be3be",
	"created_at": "2026-04-06T00:21:43.044838Z",
	"updated_at": "2026-04-10T13:11:38.809608Z",
	"deleted_at": null,
	"sha1_hash": "9f6bcdb97591484572566dbb3c0a0c06e62db8d0",
	"title": "RecordBreaker Stealer Distributed via Hacked YouTube Accounts - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5890004,
	"plain_text": "RecordBreaker Stealer Distributed via Hacked YouTube Accounts\r\n- ASEC\r\nBy ATCP\r\nPublished: 2023-04-26 · Archived: 2026-04-05 19:23:55 UTC\r\nRecordBreaker is a new Infostealer that appeared in 2022 and is known as the new version of Raccoon Stealer. Similar to other Infostealers, such as CryptBot, RedLine, and Vidar, it is a major malware type that usually disguises itself as a software crack or installer. AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked.\r\n1. Previous Distribution Cases\r\nSearch engines are one of the major attack vectors used for malware distribution. ASEC has published the following blog post that covers the distribution cases of RecordBreaker through search engines.\r\nUsers who search for cracks, serial keygens, and installers of commercial software on search engines are led to fake distribution pages where they are tricked into downloading malware.\r\nThere have been many recent cases of malware being distributed through YouTube and not just search engines. For example, a threat actor who distributed the RedLine Infostealer in the past had uploaded a tutorial video on how to install a crack program along with a link disguised as a download page for the crack. [1] There is also another case where BlackGuard Infostealer was distributed as a hack for the game Valorant. [2] [3]\r\nhttps://asec.ahnlab.com/en/52072/\r\nPage 1 of 9\r\n2. Case of RecordBreaker Distribution via YouTube\r\nWhile monitoring malware strains that are being distributed via YouTube, ASEC has confirmed the distribution of the RecordBreaker Infostealer through an account that is assumed to have been hacked. The post below was uploaded by the threat actor, and it contains the download link to an Adobe Photoshop crack along with a link to a tutorial in both the video description and the comment section.\r\nThe distribution of malware through YouTube is a common method, and most threat actors create new accounts to upload malware links. However, this account currently has more than 120,000 subscribers. Additionally, considering that the original owner had been uploading videos regularly just a few days before the malware distribution videos were uploaded, it is assumed that the threat actor had stolen the YouTuber’s account before using it to upload malware.\r\nClicking on the links in the YouTube videos leads to a MediaFire download page, where users can download a compressed file that has malware inside of it. Similar to previous cases, the downloaded compressed file is encrypted with a password.\r\n3. RecordBreaker Analysis\r\nJust like in the prior cases, decompressing the compressed file creates an executable of more than 700 MB called “Launcher_S0FT-2O23.exe”. The threat actor had deliberately padded this file immensely to make it appear bigger. It is assumed that this is to evade being collected and detected by security products.\r\n“Launcher_S0FT-2O23.exe” is the RecordBreaker Infostealer malware that accesses the C\u0026C server upon execution to download the DLL files required for configuration and information theft.\r\nWhen RecordBreaker is executed, it obtains the “machineId” and sends the “configId” value that is hard-coded into the malware to the C\u0026C server. Afterward, the C\u0026C server sends back the following configuration data. The data received includes URLs that will be used to download specific DLL files that are necessary for stealing information, along with the paths of the files that are going to be stolen.\r\nRecordBreaker collects and steals various information saved on a system, such as basic system information, a list of installed programs, screenshots, account credentials saved in a browser, etc., and it is also capable of downloading and installing additional payloads at the end. The below Fiddler log shows two payloads, which have been uploaded to GitHub, being downloaded and executed.\r\nAmong the downloaded files, “GUI_Modernista.exe” is a program that provides the ability to download various crack files. This causes users to believe that they have downloaded a normal crack program, making it difficult for them to notice the installation of malware.\r\nAfter collecting information from the infected system, the threat actor installs a CoinMiner using a malware file named “vdcs.exe” and uses the system’s resources to mine cryptocurrency.\r\n4. Conclusion\r\nA case has been confirmed recently of RecordBreaker being distributed via YouTube. RecordBreaker is an Infostealer that collects and steals various user information saved inside infected systems. It can also download and install additional malware.\r\nRecordBreaker was distributed through an account that has over 100,000 subscribers. Based on the account’s activity prior to the distribution, it is believed that it was hacked by a threat actor. The threat actor used RecordBreaker to collect information from infected systems and installed CoinMiner to mine cryptocurrency on the infected systems afterward.\r\nAs explained in this post, malware can be installed through various platforms; therefore, users should refrain from downloading illegal programs and using suspicious websites or P2P, and use genuine software at all times. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nASEC selects malware with the highest distribution rate each week through the Live C\u0026C information of AhnLab TIP, and provides the C\u0026C information that has been confirmed through an automatic analysis system. The URL and IP information assumed to belong to C\u0026C servers can be used to assist with malware analysis and response.\r\nFile Detection\r\n– Infostealer/Win.RecordStealer.C5410598 (2023.04.13.02)\r\n– Trojan/Win.Generic.C5403811 (2023.04.01.03)\r\n– Trojan/Win.MSILKrypt.C5418981 (2023.04.27.03)\r\nMD5\r\n116857ca1574a5a36da3bb0ddff32eac\r\n1cc87e637e55a2e6a88c745855423045\r\n803a1f3e984a9eaa56ac74a203096959\r\nURL\r\nhttp[:]//212[.]113[.]119[.]153/\r\nhttp[:]//212[.]113[.]119[.]153/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3[.]dll\r\nhttp[:]//212[.]113[.]119[.]153/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue[.]dll\r\nhttp[:]//212[.]113[.]119[.]153/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140[.]dll\r\nhttp[:]//212[.]113[.]119[.]153/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3[.]dll\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/52072/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/52072/"
	],
	"report_names": [
		"52072"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f6bcdb97591484572566dbb3c0a0c06e62db8d0.pdf",
		"text": "https://archive.orkl.eu/9f6bcdb97591484572566dbb3c0a0c06e62db8d0.txt",
		"img": "https://archive.orkl.eu/9f6bcdb97591484572566dbb3c0a0c06e62db8d0.jpg"
	}
}