YouTube Videos Deliver Malware

Threat actors hunt for ways to exploit vulnerabilities by employing tactics from technical zero-days to broad phishing. 

Social engineering blends with commodity malware on high-traffic sites, like social media, that allows quick, cheap, and widespread attacks. 


Despite seeming trivial, these infections, such as AI-generated videos on YouTube offering malware disguised as cracked software, pose significant risks to users and organizations.

Infection flow (Source – Cybereason)
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

Malware Via YouTube Videos

The attacker seizes control of inactive YouTube channels using leaked old credentials. Then, they upload a distinct short video that differs from the channel’s previous content by enticing victims with promises of cracked software, reads Cyberreason report.

Example Of Uniform Uploads Across Channels (Source – Cybereason)

An account focused on rap music till 2021 suddenly shared a cracked Adobe Animate version in August 2023. Experts notice the consistent layout of thumbnails and titles. 

Videos use AI-generated content, mixing voice-to-text and text on animated backgrounds. Audience size varies from zero to over a hundred thousand subscribers.

Compromised Account With Large Following (Source – Cybereason)

Threat actors boost video requests with tricks like SEO poisoning, adding tons of tags related to cracked software searches. Tags even match the languages of targeted regions by hinting at localized attack campaigns.

Tags Used For SEO Poisoning (Source – Cybereason)

Threat actors manipulate video comments for trust by using compromised accounts or disabling comments to trap victims. 

Videos guide to a description with a link to alleged cracked software that accesses passwords and masks URLs via link shorteners like Rebrandly or Bitly. 

The malicious payload on file-sharing or compromised sites infects victims who download thinking it’s legit.

Infostealers & Malware obersved

Here below, we have mentioned all the types of info stealers and malware that are observed:-

  • Redline
  • Raccoonstealer
  • Tropicraked

The latest video promises Microsoft Office crack, uploaded 13 days ago. The description has a Rebrandly link with a password, and the link redirects to the Telegraph URL by hiding the actual download link. 

Telegraph allows anonymous publishing, and the timestamp indicates activity since November 24, 2022; the link leads to MediaFire hosting Setup (PA$S 5577).rar. 

Mediafire Download Link (Source – Cybereason)

While the password needed to decompress the rar file and the Setup.exe claims to be a Makedisk product, but analysis confirms it’s malicious.

The file’s metadata reveals it’s a Smart Assembly .NET-obfuscated .NET binary with a compile date of August 30, 2023. Tools like de4dot and dnSpy are needed for static analysis. 

The VirusTotal flags it as Redline, but Setup.exe executes it by triggering vbc.exe. Vbc.exe connects to a Finland-based IP ( which was flagged as a Redline C2 server.

Attack Tree (Source – Cybereason)

Cybereason detects a Malicious Operation (MalOp) with potential credential theft and data exfiltration. A successful Redline infection grants the threat actor access by allowing further exploitation and lateral movement within the network.

TropiCracked efficiently exploits a cost-effective infrastructure using YouTube, Telegraph, and Mediafire for broad access. 

The attack, by leveraging compromised YouTube accounts, Redline access, and Google Dorking, targets over 800 accounts with minimal cost and technical skill.

Despite social media efforts, individuals and organizations must secure endpoints against such attacks.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.