• The Register
Carly Page
Thu 23 Oct 2025 //
Google has taken down thousands of YouTube videos that were quietly spreading password-stealing malware disguised as cracked software and game cheats.
Researchers at Check Point say the so-called "YouTube Ghost Network" hijacked and weaponized legitimate YouTube accounts to post tutorial videos that promised free copies of Photoshop, FL Studio, and Roblox hacks, but instead lured viewers into installing infostealers such as Rhadamanthys and Lumma.
The campaign, which has been running since 2021, surged in 2025, with the number of malicious videos tripling compared to previous years. More than 3,000 malware-laced videos have now been scrubbed from the platform after Check Point worked with Google to dismantle what it called one of the most significant malware delivery operations ever seen on YouTube.
Check Point says the Ghost Network relied on thousands of fake and compromised accounts working in concert to make malicious content look legitimate. Some posted the "tutorial" videos, others flooded comment sections with praise, likes, and emojis to give the illusion of trust, while a third set handled "community posts" that shared download links and passwords for the supposed cracked software.
"This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe," said Eli Smadja, security research group manager at Check Point. "What looks like a helpful tutorial can actually be a polished cyber trap. The scale, modularity, and sophistication of this network make it a blueprint for how threat actors now weaponise engagement tools to spread malware."
Once hooked, victims were typically instructed to disable antivirus software, then download an archive hosted on Dropbox, Google Drive, or MediaFire. Inside was malware rather than a working copy of the promised program, and once opened, the infostealers exfiltrated credentials, crypto wallets, and system data to remote command-and-control servers.
One hijacked channel with 129,000 subscribers posted a cracked version of Adobe Photoshop that racked up nearly 300,000 views and more than 1,000 likes. Another targeted cryptocurrency users, redirecting them to phishing pages hosted on Google Sites.
As Check Point tracked the network, it found the operators frequently rotated payloads and updated download links to outpace takedowns, creating a resilient ecosystem that could quickly regenerate even when accounts were banned.
Check Point says the Ghost Network's modular design, with uploaders, commenters, and link distributors, allowed campaigns to persist for years. The approach mimics a separate operation the firm has dubbed the "Stargazers Ghost Network" on GitHub, where fake developer accounts host malicious repositories.
While most of the malicious videos pushed pirated software, the biggest lure was gaming cheats – particularly for Roblox, which has an estimated 380 million monthly active players. Other videos dangled cracked copies of Microsoft Office, Lightroom, and Adobe tools. The "most viewed" malicious upload targeted Photoshop, drawing almost 300,000 views before Google's cleanup operation.
The surge in 2025 marks a sharp shift in how malware is being distributed. Where phishing emails and drive-by downloads once dominated, attackers are now exploiting the social credibility of mainstream platforms to bypass user skepticism.
"In today's threat landscape, a popular-looking video can be just as dangerous as a phishing email," Smadja said. "This takedown shows that even trusted platforms aren't immune to weaponization, but it also proves that with the right intelligence and partnerships, we can push back."
Check Point doesn't have concrete evidence as to who is operating this network. It said the primary beneficiaries currently appear to be cybercriminals motivated by profit, but this could change if nation-state groups use the same tactics and video content to attract high-value targets.
The YouTube Ghost Network's rise underscores how far online malware peddlers have evolved from spammy inbox bait. The ghosts may have been exorcised this time, but with engagement now an attack vector, the next haunting is only ever a click away.
bleepingcomputer.com
by Sergiu Gatlan
September 23, 2025
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
"SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices," the company said in a Monday advisory.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."
The update follows a July report from researchers at the Google Threat Intelligence Group (GTIG), who observed a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices that will reach end-of-support next week, on October 1, 2025.
OVERSTEP is a user-mode rootkit that enables attackers to maintain persistent access by using hidden malicious components and establishing a reverse shell on compromised devices. The malware steals sensitive files, including the persist.database and certificate files, providing hackers with access to credentials, OTP seeds, and certificates that further enable persistence.
While the researchers have not determined the goal behind UNC6148's attacks, they did find "noteworthy overlaps" with Abyss-related ransomware incidents.
For instance, in late 2023, Truesec investigated an Abyss ransomware incident in which hackers installed a web shell on an SMA appliance, enabling them to maintain persistence despite firmware updates. In March 2024, InfoGuard AG incident responder Stephan Berger reported a similar SMA device compromise that also resulted in the deployment of Abyss malware.
"The threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk of using older versions of SMA100 firmware," SonicWall added on Monday, urging admins to implement the security measures outlined in this July advisory.
Last week, SonicWall warned customers to reset credentials after their firewall configuration backup files were exposed in brute-force attacks targeting the API service for cloud backup.
In August, the company also dismissed claims that the Akira ransomware gang was hacking Gen 7 firewalls using a potential zero-day exploit, clarifying that the issue was tied to a critical vulnerability (CVE-2024-40766) that was patched in November 2024.
The Australian Cyber Security Center (ACSC) and cybersecurity firm Rapid7 later confirmed that the Akira gang is exploiting this vulnerability to target unpatched SonicWall devices.
hackernoon.com - Moonlock analysed Mac.c stealer, a new rival to AMOS. Learn its tactics, code reuse, and "building in public" strategy.
The story of the Mac.c stealer doesn’t begin with a major campaign or breach. It starts in the hushed corners of darknet forums, where a threat actor named 'mentalpositive' first emerged, drawing attention with a set of unusual traits that set him apart from other stealer developers.
Moonlock, the cybersecurity division of MacPaw, has been tracking mentalpositive for the past four months. We can already see that it is a new actor taking advantage of a macOS malware market that remains far less saturated than its Windows counterpart, marking the rise of the new wave of threat actors who are both technically skilled and commercially ambitious.
Although only recently active, Mac.c is already competing with larger, more established stealer operations like Atomic macOS Stealer. While it borrows heavily from AMOS and Rodrigo4 malware, it's tailored for quicker, high-impact data theft. As more URLs are added to its command-and-control infrastructure, Mac.c appears to be part of a larger underground ecosystem targeting macOS users.
What also stands out is a methodical and unusually transparent approach to building in public. 'mentalpositive' shared progress updates and even collected feedback on Mac.c builds — a surprising level of openness in the typically secretive world of macOS malware development.
In this article, we trace the evolution of Mac.c, unpack mentalpositive’s tactics, and examine how this stealer fits into the broader landscape of threats targeting Apple platforms.
A new player on the market
About four months ago, Moonlock Lab first noticed the emergence of the Mac.c stealer and attributed it to a developer under the alias 'mentalpositive'. This threat actor was one of many new players entering the macOS malware market, a space still far less crowded than the Windows-targeting malware industry.
Similar to other threat actors, 'mentalpositive' adopts recent trends in malware development: modular architecture for use across different campaigns, advanced obfuscation techniques, and increasingly complex command-and-control (C2) infrastructures.
However, the target profile and data exfiltration scope of mentalpositive’s Mac.c stand out. It harvests iCloud Keychain credentials, browser-stored passwords, crypto wallets, system metadata, and even files from specific locations on macOS — all using credentials obtained through phishing. By relying on standard system APIs and staged communication methods, it evades many traditional endpoint defences.
Building in public
Beyond technical design, 'mentalpositive' exhibited unusual behavior across darknet forums. Over the span of several months, this threat actor used one underground forum to showcase incremental updates to Mac.c, engage with potential users, and actively solicit feedback.
Such publicity may signal an intent to raise visibility and carve out a distinct market presence. It also appears to lay the groundwork for a custom stealer-as-a-service business model aimed squarely at the macOS threat niche.
The screenshots below show how the forum posts evolved over time as new features were announced. Since the original posts were written in Russian, we’ve included a brief explanation for each. The first screenshot shows an early advertisement offering a subscription to stealer updates for $1,500 per month.
bleepingcomputer.com - The Lumma infostealer malware operation is gradually resuming activities following a massive law enforcement operation in May, which resulted in the seizure of 2,300 domains and parts of its infrastructure.
Although the Lumma malware-as-a-service (MaaS) platform suffered significant disruption from the law enforcement action, as confirmed by early June reports on infostealer activity, it didn't shut down.
The operators immediately acknowledged the situation on XSS forums, but claimed that their central server had not been seized (although it had been remotely wiped), and restoration efforts were already underway.
Gradually, the MaaS built up again and regained trust within the cybercrime community, and is now facilitating infostealing operations on multiple platforms again.
According to Trend Micro analysts, Lumma has almost returned to pre-takedown activity levels, with the cybersecurity firm's telemetry indicating a rapid rebuilding of infrastructure.
"Following the law enforcement action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in Lumma's operations," reads the Trend Micro report.
"Network telemetry indicates that Lumma's infrastructure began ramping up again within weeks of the takedown."
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.
Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.
The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently linked to BlueNoroff.
Advanced macOS malware
In a report today, researchers at cybersecurity company SentinelOne says that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor ) on macOS, which "is a more unusual choice."
One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops other two binaries - 'GoogIe LLC,' 'CoreKitAgent', onto the victim's system.
GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages.
The most advanced componentused in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution.
It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions.
The most distinctive feature is its signal-based persistence mechanisms, where it installs custom handlers for SIGINT and SIGTERM.
Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".
The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.
This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.
To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat.”
While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.
Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.
This campaign used the URL https[:]//deepseek-platform[.]com.
The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".
Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.
During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:
The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:
nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.
After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format. SVG is an XML-based vector image file format commonly used for icons, logos, charts, and graphs, and it allows the use of CSS and JS scripts within the code. In November 2024, the ASEC Blog introduced SVG […]
Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape.
While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts.
Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog.
The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign.
Key outcomes of this analysis include:
Examination and technical analysis of a lesser known phishing campaign
Demonstration of Telegram API-based data interception techniques
Collection of threat intelligence (TI) indicators to help identify the actor
Recommendations for detecting this type of threat
When Cameron Coward, the Youtuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive with the printer software, the Antivirus software alerted him of a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable files, so it can spread to network shares, removable drives like USB flash drives or backup storage systems.
The printer company Procolored assured him at first that these were false positives. Nevertheless, Cameron turned to Reddit in the hopes of finding a professional malware analyst who can figure out the truth.
All these software downloads are available on mega.nz with a different mega folder link for each product. Overall, there are 8 GB of files and archives for all six products. Most files were last updated in October 2024, which is six months ago at the time of writing.
Malware Analysis Report - LockBit Ransomware v4.0
In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme.
This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families.
As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Learn more about this malware targeting these devices.
This report details a newly identified and active fraud campaign, highlighting the emergence of sophisticated mobile malware leveraging innovative techniques:
Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.
In the past months Microsoft has seen multiple campaigns involving Node.js to deliver malware and other malicious payloads.
Microsoft on Tuesday issued a warning over the increasing use of Node.js for the delivery of malware and other malicious payloads.
The tech giant has been seeing such attacks aimed at its customers since October 2024 and some of the observed campaigns are still active in April 2025.
Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques.
OUTLAW is a persistent yet unsophisticated auto-propagating coinminer package observed across multiple versions over the past few years [1], [2], [3], [4]. Despite lacking stealth and advanced evasion techniques, it remains active and effective by leveraging simple but impactful tactics such as SSH brute-forcing, SSH key and cron-based persistence, and manually modified commodity miners and IRC channels. This persistence highlights how botnet operators can achieve widespread impact without relying on sophisticated techniques.
New malware targets Apache Tomcat servers, hijacking resources through stealthy payloads & lateral movement. What to watch for to protect your workloads
Hidden malware strikes WordPress mu-plugins. Our latest findings reveal how to safeguard your site against these threats.
