{
	"id": "97a661cf-11a8-4d40-b7c2-19c194544b4d",
	"created_at": "2026-04-06T02:12:28.014525Z",
	"updated_at": "2026-04-10T03:26:37.632889Z",
	"deleted_at": null,
	"sha1_hash": "c6c015afc10d80a8bac4b06bf5e4a82bece7af22",
	"title": "YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 592689,
	"plain_text": "YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”\r\nBy Joakim Kennedy\r\nPublished: 2022-06-29 · Archived: 2026-04-06 01:37:39 UTC\r\nThe Stage: The Dark Web Market for YouTube Account Access\r\nIn 2006, the term “data is the new oil” was coined. Ever since then, the value of data has only increased. We live in a world where many corporations collect data on users in an attempt to monetize it. This is not limited to legitimate corporations; the same occurs on the Dark Web. Where there is data, someone always wants to turn it into money. One interesting thing about the Dark Web is that a lot of these deals do not happen behind closed doors. Instead, they are sometimes advertised front and center on the forums.\r\nThese Dark Web forums have become their own small economies where threat actors specialize in specific services. This specialization has made it easier for these threat actors to monetize what they are good at. We see this especially in the ransomware scene, where there are specialized roles ranging from people who gain access to organizations, to those who steal and encrypt data for the double extortion effect, to ransom negotiators. Another hypothetical chain is: a threat actor sells malware to a second actor, who uses it to steal data from an organization. That data is sold to a third actor, who tries to convert it into cash. As you move along this chain, the amount of money exchanged usually increases, since each party wants to turn a profit, but the risks also increase. At some point, one of these threat actors must interact with the real world to obtain the cash. This is usually when they are exposed, if they haven’t already made other mistakes.\r\nIn this blog post, we describe a new malware that we have concluded is highly likely sold as a service on the Dark Web. 
We have named the malware YTStealer because its sole objective is to steal authentication cookies from YouTube content creators. In June 2020, IntSights released a report on a new trend that they observed: threat actors were selling access to YouTube accounts. The goal of this write-up is to share one of the many methods threat actors are using to obtain these accounts.\r\nOne Stealer, One Goal\r\nYTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when executed is to perform some environment checks to detect whether it is being analyzed in a sandbox. The code that performs the checks comes from an open-source project hosted on GitHub called Chacal. Figure 1 shows a screenshot of the project’s readme file. The framework markets itself to Red Teams and pen-testers. It provides anti-debugging, anti-memory-analysis, and anti-VM functionality.\r\nhttps://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/\r\nPage 1 of 8\n\nFigure 1: Part of Chacal’s README.\r\nWhat sets YTStealer apart from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for a single service instead of grabbing everything it can get hold of. The actual process is very similar to that seen in other stealers: the cookies are extracted from the browser’s database files in the user’s profile folder.\r\nIf YTStealer finds authentication cookies for YouTube, it does something interesting. To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store. 
By starting the web browser in headless mode, the malware can operate the browser as if the threat actor sat down at the computer, without the current user noticing anything. To control the browser, the malware uses a library called Rod. Rod provides a high-level interface for controlling browsers over the DevTools Protocol and markets itself as a tool for web automation and scraping.\r\nFigure 2: Screenshot of Rod’s documentation describing the framework.\r\nUsing the web browser, YTStealer navigates to YouTube’s Studio page, which allows content creators to manage their content. From YouTube Studio, the malware grabs information about the user’s channels. The data it grabs includes the channel name, how many subscribers it has, how old it is, whether it is monetized, whether it is an official artist channel, and whether the name has been verified. All the data is encrypted with a key that is unique to each sample and sent, together with a sample identifier, to the command and control (C2) server located at the domain name youbot[.]solutions.\r\nYTStealer doesn’t discriminate about whose credentials it steals, whether it’s someone uploading Minecraft videos to share with a few friends or a channel like Mr. Beast with millions of subscribers. On the Dark Web, the “quality” of stolen account credentials influences the asking price, so access to more influential YouTube channels would command higher prices.\r\nWhat is “YouBot Solutions”?\r\nWhile investigating all the YTStealer samples that we have come across, we noticed that all shared the same build path. The path, shown below, looks like a path from an internal build service. 
The path also includes the domain name to which the stealer exfiltrates the stolen data.\r\n/home/admin/web/youbot.solutions/public_html/Builder/Sources\r\nThis domain name was registered back in December 2021 and hosts a web server behind Cloudflare that returns an empty response. Using the domain name, we identified an American corporation with the name “YOUBOT SOLUTIONS LLC”. The corporation was registered in New Mexico on March 8, 2022 (unfortunately, the State of New Mexico’s corporation registry is not accessible outside of the US, but the data can be obtained from third-party providers). Figure 3 shows a screenshot of a Google Business entry for a company with the same name and address as in the registry database. The company lists itself as a software company that “provides [sic] unique solutions for getting and monetizing targeted traffic”. The website provided in the listing points to youbot[.]solutions.\r\nFigure 3: Google Business listing for YOUBOT SOLUTIONS LLC.\r\nThe business listing has a logo of an eye in a red circle. A Google image search using the icon returned some results with the same image. All the results were under the domain aparat[.]com. Aparat is an Iranian video-sharing site that was founded in 2011. The matched image was used as a profile picture for a user on the site. Figure 4 shows the profile page of the user. The profile page provided a link to a Twitter account. 
Figure 5 shows a screenshot of the Twitter account.\r\nFigure 4: Screenshot of the Aparat user account’s profile page that uses YOUBOT SOLUTIONS LLC’s “logo” as its profile image.\r\nFigure 5: Twitter profile linked to in the Aparat user profile.\r\nHow Are Victims Targeted?\r\nGiven the setup of the infrastructure and the fact that each sample has a unique identifier, it appears that YTStealer is sold as a service to other threat actors. With this in mind, we decided to look into whether we could get a better understanding of who is targeted by this stealer. As it is designed to steal YouTube credentials, it’s already clear that YouTube content creators are being targeted. Can we narrow the scope further?\r\nWe looked at files that either dropped or downloaded the YTStealer samples that we have collected. The first observation is that the majority of these files don’t just drop YTStealer. The droppers also came loaded with other stealers, including RedLine and Vidar. Of the different stealers used together with YTStealer, RedLine was the most common. Figure 6 shows the analysis of one of the files that drops both YTStealer and RedLine. One of the memory modules found shares a lot of code with other RedLine stealer samples in our dataset.\r\nFigure 6: Intezer Analyze result for one of the files dropping YTStealer together with RedLine stealer.\r\nA lot of these files are disguised as installers for tools or legitimate software. Since it targets content creators, we would expect some of the names to overlap with tools or software used by the intended targets. Grouping the names, we do see some overlap.\r\nOne of the groups is “Digital, Image, and Video software”. We found fake installers for OBS Studio, an open-source streaming software. 
Additionally, we identified a few video editing software installers, which included Adobe Premiere Pro, Filmora, and HitFilm Express. In the audio category, we identified fake installers for digital audio workstation (DAW) applications and plugins. This included the DAWs Ableton Live 11 Suite and FL Studio. The plugins included the infamous Antares Auto-Tune Pro, but also Valhalla DSP, FabFilter Total, and Xfer Serum.\r\nThe second group is what we call “Game mods and cheats”. The games match popular games used by streamers and content creators. We identified fake installers for the FiveM Grand Theft Auto V mod, different “hacks” for Roblox, and cheats for Counter-Strike: GO and Call of Duty. A variant of the Valorant hack reported on by AhnLab earlier was also discovered. Valorant “gamers” were also targeted by a “Skin Changer”.\r\nAnother group of tools that can be classified as adjacent to games is driver tools. Gamers usually want to squeeze the very last drop of performance out of their gaming rigs. One way of doing this is to “ensure you are using updated drivers and that they are tuned correctly”. In this group, we found fake installers for tools such as “Driver Booster” and “Driver Easy”.\r\nThe last group is for other software and “cracks”. Here we identified anything from fake installers for security products, such as Norton Security and Malwarebytes, to “token generators” and “cracks” for services such as Discord Nitro, Stepn, and Spotify Premium.\r\nThe overwhelming majority of these fake installers are for pirated versions of the software, but we also see some fake installers for game mods. This finding should further stress the importance of only obtaining software from trusted sources. Only obtain software directly from the vendor or “modding” group.\r\nLessons Learned\r\nSomeone always has a way of monetizing data. 
When it comes to stolen YouTube authentication data, we haven’t analyzed how it’s being monetized in the next step of the chain. One potential option could be to defraud the subscribers of channels. When it comes to how this malware infects its victims, we can see a trend. Most of the fake installers used were for cracked versions of legitimate software. We also saw fake installers for mods and cheats for games. When it comes to how to protect yourself, the classic security practice should be applied: only use software from trusted sources.\r\nIndicators of Compromise\r\nIoCs can be found on GitHub here.\r\nSource: https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/"
	],
	"report_names": [
		"ytstealer-malware-youtube-cookies"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441548,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6c015afc10d80a8bac4b06bf5e4a82bece7af22.pdf",
		"text": "https://archive.orkl.eu/c6c015afc10d80a8bac4b06bf5e4a82bece7af22.txt",
		"img": "https://archive.orkl.eu/c6c015afc10d80a8bac4b06bf5e4a82bece7af22.jpg"
	}
}