Compromised YouTube Accounts spreading malware

Malicious campaigns increasingly leveraging YouTube as an attack vector

Cyble Research Labs (CRL) has published multiple blogs on various stealer malware and explained how stealers such as PennyWise spread through YouTube Videos. Since then, CRL has been actively monitoring these YouTube campaigns to identify the activities of Threat Actors (TAs) used to spread malware.

Our investigation indicates that the stealers such as PennyWise and RedLine are on the rise and spreading through YouTube campaigns. We have identified over 5,000 PennyWise Stealer executable samples in the last 3 months alone.

In these campaigns, the TAs post video tutorials about downloading and installing software, mostly to guide users to get paid subscriptions for free, which tricks the users into installing the malicious software.

Usually, the link to this software (which is actually malware) will be available in the YouTube video description.

The download links, in most cases, redirect to free cloud storage and file hosting services such as Mega, Mediafire, OneDrive, Discord, and Github, where the TAs have hosted malicious Windows executable files using password-protected archive files.

Based on our sample analysis, we observed that these campaigns mostly spread stealer and miner categories of malware. In this blog, we will primarily focus on the PennyWise stealer, which has been actively spreading through YouTube channels in the wild recently.

YouTube Campaign Analysis:

During our research, we identified that the TAs in the campaigns that we observed mostly target people interested in getting paid subscriptions for free such as games, programs, or anti-virus software.

To get this software for free, people usually search keywords like “software cracks,” “keygens,” etc. The users will be redirected to these YouTube videos containing the link of the malicious executable pretending to be the software they desire access to. The image below represents the results of these keyword searches from this week.

Figure 1 – YouTube Search Results

While investigating the YouTube Channel that spreads the malware, CRL observed sudden changes in the video upload frequency and the kind of videos uploaded on these YouTube channels.

This led us to suspect that the YouTube channels used for these campaigns are either compromised accounts or created specifically for the purpose of spreading stealer malware.

The image below shows an example of a compromised account where the video upload frequency in the last few hours has increased, and the video’s subject has been completely changed.

Figure 2 – Compromised YouTube Account showing change in Video Content

The image below depicts that the YouTube channel usually posts videos related to singing and fun activities, but these channels typically have thousands of subscribers and have suddenly started posting videos related to software cracks/hacks.

Figure 3 – Compromised YouTube Account

We also observed that a few compromised YouTube channels spreading PennyWise and RedLine stealer payloads had removed the videos posted by TAs, likely after realizing their accounts were compromised.

In the description of the recent videos posted on the YouTube channel shown in Figure 4, there is a software download link along with a password for the downloaded archived file.

Figure 4 – Video Description with Download Link

CRL has downloaded the file through the URL: hxxps://www.mediafire[.]com/folder/chga256moyooc/ and analyzed it.

Our observations are:

  • The file is hosted on MediaFire.
  • The executable file has the name “installer.exe,” andthe below images show downloaded files.
Figure 5 – Downloaded Files

  • Upon executing the payload, the infection starts by injecting the malicious code into a legitimate .NET binary named “AppLaunch.exe.”
Figure 6 – Executes AppLaunch.exe

  • Based on our research, the payload being delivered through this campaign is PennyWise Stealer. We observed an uptick in submissions for the same payload from various regions to VirusTotal over the last 3 days.
Figure 7 – Upticks in Sample Submissions

The above status indicates that the same video campaign is actively spreading Pennywise Stealer, and multiple victims worldwide have been compromised.


Threat Actors are continuously adopting sophisticated techniques to deliver malware. In this particular case, the TAs are using compromised Google accounts to deliver malware payloads through YouTube videos.

These compromised Google accounts can also be leveraged for other malicious purposes, such as hosting malicious data on Google Drive or can send phishing spam emails from the victim’s Gmail accounts.

Cyble Research Labs continuously monitors all new and existing campaigns to keep our readers aware and informed.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Keep updating your passwords after certain intervals.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.  
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
  • Enable Data Loss Prevention (DLP) Solutions on employees’ systems.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Execution  T1204  User Execution  
Defense EvasionT1140
Deobfuscate/Decode Files or Information
Virtualization/Sandbox Evasion
Process Injection: Process Hollowing
Credential Access  T1555  
Credentials from Password Stores  
Steal Web Session Cookies  
Unsecured Credentials  
Steal Application Access Token  
Collection  T1113  Screen Capture  
Discovery  T1518  
Software Discovery  
System Time Discovery  
System Service Discovery  
Command and Control  T1071  Application Layer Protocol  
Exfiltration  T1041    Exfiltration Over C2 Channel  

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
a2ed077e339bdcbe11d246d850f4e6ddMD5Installer.exe (PennyWise Stealer Executable)
87ba3a160d4246183e308e89f140e2cbfe7b1ec0SHA1Installer.exe (PennyWise Stealer Executable)
21eae3e46c156b97a1ce1a37c8043524b54e5c4e92a88af4b9384694b4376f63SHA256Installer.exe (PennyWise Stealer Executable)
174faa57103851083ec20d2601765872MD5Proton VPN.exe (PennyWise Stealer Executable)
4ba676089de71f8d5f514c740c67ae42c8efba7dSHA1Proton VPN.exe (PennyWise Stealer Executable)
365ca37eea6be88172761c3597283a6518632328892a92d8ad128e64747d9f76SHA256Proton VPN.exe (PennyWise Stealer Executable)
493e993d7f583db30a460ff79e4df58bMD5Kaspersky Internet Security crack.exe (PennyWise Stealer Executable)
194ddbfbf5817cf1a998756e94c7c8a764ccf242SHA1Kaspersky Internet Security crack.exe (PennyWise Stealer Executable)
cb8afc5d4fa94e09bdf9a9fdcfc671f8e8290dd7cd4d0c0c3abce8539af4a702SHA256Kaspersky Internet Security crack.exe (PennyWise Stealer Executable)
49b3e116466dcb31d15a085c2293d478MD5installer.exe (PennyWise Stealer Executable)
04d6f3c119df0b37aa03d1b7ae2fb7e6847cf57cSHA1installer.exe (PennyWise Stealer Executable)
9ed7186aa38ea46cca24572c612363a73ee88b05f469c7978d2666a85d9fda2eSHA256installer.exe (PennyWise Stealer Executable)
a74bd4fb84febbb2021f611ffdd6c74fMD5setup.exe (RedLine Stealer Executable)
b7019ccc1cf25ac94729fbb29680019f4185f9e4SHA1setup.exe (RedLine Stealer Executable)
93989c2ff3afcea9b5f042c28a32160f8c3d14580ee7183a216efa781a1df2dbSHA256setup.exe (RedLine Stealer Executable)
31.222.238[.]56IPC2 server of Redline stealer
hxxp://144.91.110[.]55:27571/IPC2 server of Redline stealer

Comments are closed.

Scroll to Top