{
	"id": "bef5b778-eed0-4cb2-808b-714ba3ac88b4",
	"created_at": "2026-04-06T00:18:41.907384Z",
	"updated_at": "2026-04-10T03:24:29.78589Z",
	"deleted_at": null,
	"sha1_hash": "deb88b898dd2d720425d8ef6287bf0f56d4a034d",
	"title": "Massive campaign uses YouTube to push password-stealing malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3239732,
	"plain_text": "Massive campaign uses YouTube to push password-stealing malware\r\nBy Lawrence Abrams\r\nPublished: 2021-10-21 · Archived: 2026-04-05 18:45:56 UTC\r\nWidespread malware campaigns are creating YouTube videos to distribute password-stealing trojans to unsuspecting viewers.\r\nPassword-stealing trojans are malware that runs quietly on a computer while stealing passwords, screenshots of active windows, cookies, credit cards stored in browsers, FTP credentials, and arbitrary files chosen by the threat actors.\r\nWhen installed, the malware will communicate with a Command \u0026 Control server, where it waits for commands from the attacker to execute, which could include running additional malware.\r\nhttps://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/\r\nPage 1 of 6\r\nMalicious YouTube videos gone wild\r\nThreat actors have long used YouTube videos as a way to distribute malware through embedded links in video descriptions.\r\nHowever, this week Cluster25 security researcher Frost told BleepingComputer that there has been a significant uptick in malware campaigns on YouTube pushing various password-stealing Trojans.\r\nFrost told BleepingComputer that there are likely two clusters of malicious activity being conducted simultaneously - one pushing the RedLine malware and the other pushing Racoon Stealer.\r\nThe researcher said that thousands of videos and channels had been made as part of this massive malware campaign, with 100 new videos and 81 channels created in just twenty minutes.\r\nFrost explained that the threat actors use the Google accounts they steal to launch new YouTube channels to spread malware, creating a never-ending and ever-growing cycle.\r\n\"The threat actors have thousands of new channels available because they infect new clients every day. As part of these attacks, they steal victims' Google credentials, which are then used to create new YouTube Videos to distribute the malware,\" Frost told BleepingComputer.\r\nThe attacks start with the threat actors creating numerous YouTube channels filled with videos about software cracks, licenses, how-to guides, cryptocurrency, mining, game cheats, VPN software, and pretty much any other popular category.\r\nExample of a malicious YouTube channel\r\nThese videos contain content that explains how to perform a task using a specific program or utility. Additionally, the YouTube video's description includes an alleged link to the associated tool, which is used to distribute the malware.\r\nMalicious YouTube video pushing RedLine stealer\r\nIf a video contains a bit.ly link, it will lead to another file-sharing site hosting the RedLine password-stealing malware infection. However, if it includes an unshortened domain, it will redirect to a page on the taplink[.]cc domain to push Racoon Stealer, as shown below.\r\nLanding page for the Racoon Stealer\r\nOnce a user becomes infected, the malware will proceed to scan all installed browsers and the computer for cryptocurrency wallets, credit cards, passwords, and other data and upload it back to the attacker.\r\nGoogle told BleepingComputer that they are aware of the campaign and are taking action to disrupt the activity.\r\n\"We are aware of this campaign and are currently taking action to block activity by this threat actor and flagging all links to Safe Browsing. As always, we are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves.\" - Google.\r\nGoogle also disclosed this week a phishing campaign that distributed password-stealing trojans used to steal the accounts of YouTube Creators. These accounts were then sold on dark web markets or used to perform cryptocurrency scams.\r\nDownloading software can be dangerous\r\nThese campaigns illustrate how important it is not to download programs from the Internet haphazardly, as sites like YouTube cannot vet every link added by video publishers.\r\nTherefore, a user should research a site before downloading and installing anything from it to determine whether it has a good reputation and can be trusted. Even then, it is always suggested that you first upload the program to a site like VirusTotal to confirm whether it's safe to run.\r\nIf you have accidentally fallen for this attack and installed a program from a similar link, it is strongly suggested that you scan your computer with an antivirus program.\r\nAfter you have removed any malware detected in a virus scan, you should immediately change any passwords saved in your browsers.\r\nUpdate 10/21/21 7:28 PM EST: Added a statement from Google.\r\nSource: https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/"
	],
	"report_names": [
		"massive-campaign-uses-youtube-to-push-password-stealing-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deb88b898dd2d720425d8ef6287bf0f56d4a034d.pdf",
		"text": "https://archive.orkl.eu/deb88b898dd2d720425d8ef6287bf0f56d4a034d.txt",
		"img": "https://archive.orkl.eu/deb88b898dd2d720425d8ef6287bf0f56d4a034d.jpg"
	}
}