Hackers hijack YouTube channels to steal your data


Cybercriminals are increasingly using YouTube, a platform loved by millions, to launch sophisticated malware attacks.

These threat actors exploit the appeal of free software and video game enhancements, targeting unsuspecting users, particularly younger ones, in order to steal sensitive personal information.

At the heart of this cyber threat are seemingly innocuous YouTube videos that offer pirated software and video game cracks.

These videos, which often serve as helpful guides on downloading free software or updating games, contain links in their descriptions that lead directly to malware.

Proofpoint Emerging Threats, a leading cybersecurity company, has identified several cases where popular children's games were used as bait, exploiting young users' inability to recognise malicious content.

A verified YouTube account with a large following is suspected to have been compromised.



Compromised Accounts: A Disguised Threat

Many of the YouTube accounts that distribute these malicious videos appear to have been compromised, or taken over from their legitimate owners.

Proofpoint's investigation found that accounts with significant subscriber numbers and verified status are being used to distribute malware.

These accounts showed unusual activity patterns, such as long pauses between video uploads and a sudden change in the language and content of the videos, indicating a possible compromise.

Screenshot of a suspected compromised YouTube account that spreads malware, comparing upload dates.

The mechanisms of malware distribution

Videos often contain links to password-protected files on platforms like MediaFire. These files contain executable files that, once executed, deliver malware to the victim's device.

One such malware identified is Vidar Stealer, which is known to extract sensitive data such as credit card information and cryptocurrency wallets.

The video description contains a MediaFire URL that leads to Vidar Stealer.

To add to the complexity, some videos impersonate well-known figures in the software piracy community, such as Empress.

These videos promise legitimate cracked content and further entrap users. Distributing the links on social media platforms such as Telegram lends the scam a further veneer of authenticity.

Telegram link from Empress video.

Evade detection

The malware files are padded with large amounts of junk data, inflating their size beyond the limits at which many antivirus scanners will inspect a file.

Additionally, the malware uses social media and community forum pages for its command and control (C2) communications, which lets that traffic blend in with ordinary web browsing and makes detection harder.

Repeated bytes identified in a hex editor.
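The padding described above leaves a measurable fingerprint: a file whose tail is one long run of a single byte value, and whose overall byte distribution is dominated by that value. The following triage script is an added example written for this article, not code from Proofpoint or from the report it summarises. The size limit, ratio and run-length thresholds are assumptions chosen for illustration, and the sample file it builds is constructed inline (a fake "MZ" header, 64 KiB of varied bytes, then 2 MiB of zero padding), not a real malware sample.

```python
"""Triage check for padded executables.

Added example, not from the Proofpoint report. Flags a file that
(a) exceeds an assumed scanner size limit and/or (b) is dominated by
a single repeated byte value, the pattern visible in a hex editor on
padded samples. All thresholds are assumptions.
"""

SCAN_LIMIT_BYTES = 100 * 1024 * 1024   # assumed: many scanners skip files above ~100 MB
PADDING_RATIO = 0.80                   # assumed: >80 % one byte value is suspicious
MIN_TAIL_RUN = 1024 * 1024             # assumed: a 1 MiB run of one byte at EOF is padding


def tail_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the repeated byte run ending the file."""
    if not data:
        return (0, 0)
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return (last, len(data) - len(stripped))


def dominant_byte(data: bytes) -> tuple[int, float]:
    """Return (byte_value, share_of_file) for the most frequent byte value."""
    if not data:
        return (0, 0.0)
    # bytes.count runs in C, so 256 passes stay fast even on multi-MB inputs.
    best = max(range(256), key=lambda v: data.count(bytes([v])))
    return (best, data.count(bytes([best])) / len(data))


def assess_padding(data: bytes, scan_limit: int = SCAN_LIMIT_BYTES,
                   ratio_threshold: float = PADDING_RATIO,
                   min_tail_run: int = MIN_TAIL_RUN) -> dict:
    """Summarise size and padding indicators for one in-memory file image."""
    value, run = tail_run(data)
    dom, share = dominant_byte(data)
    oversized = len(data) > scan_limit
    padded = run >= min_tail_run or share >= ratio_threshold
    return {
        "size": len(data),
        "exceeds_scan_limit": oversized,
        "tail_run_byte": value,
        "tail_run_length": run,
        "dominant_byte": dom,
        "dominant_share": round(share, 3),
        "padded": padded,
        # A legitimate large installer can be oversized on its own; oversize
        # combined with a huge single-byte run is the signal worth triaging.
        "suspicious": oversized and padded,
    }


def build_sample() -> bytes:
    """Constructed sample: fake 'MZ' header, 64 KiB of varied bytes, then
    2 MiB of 0x00 padding. Not a real malware file."""
    header = b"MZ" + bytes(62)
    body = bytes(range(256)) * 256          # 64 KiB of non-repeating content
    padding = b"\x00" * (2 * 1024 * 1024)
    return header + body + padding


if __name__ == "__main__":
    sample = build_sample()
    # Lower the size limit so the small sample also trips the oversize check.
    print(assess_padding(sample, scan_limit=1024 * 1024))
```

On a real download you would read the file with `open(path, "rb").read()` and pass it to `assess_padding`; a hit on both `exceeds_scan_limit` and `padded` is a reason to strip the trailing run and submit the trimmed file to a scanner or sandbox rather than trusting the original's "clean" verdict.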

Discord: A new frontier for malware distribution

A novel approach observed by Proofpoint involves using Discord servers to distribute malware.

These servers host files related to various video games, including instructions on how to disable antivirus software to make downloading easier, putting users even more at risk.

This increase in cybercriminal activity on YouTube highlights the need for greater awareness and caution among users.

Although YouTube has proactively removed the reported accounts, the complexity and variety of these attacks pose a significant challenge.

Users should remain skeptical of offers that seem too good to be true and exercise caution when downloading files from the Internet.
