Massive YouTube Campaign Targeting Over 100 Applications to Deliver Info Stealer

Threat Actors Create Phishing Websites for Mass Infection

Cyble Research & Intelligence Labs (CRIL) identified massive phishing campaigns running on YouTube, disguised as tutorials for downloading and installing cracked software and games for free.

The video tutorials trick users into installing an information stealer from the link given in the video description by leading them to believe it is a crack for the software they want.

We have seen many similar campaigns in the past delivering the Pennywise and RedLine stealers. In those campaigns, the Threat Actor (TA) usually hosts the malicious file on a free file-hosting platform.

In this case, however, the TA has created phishing pages mimicking legitimate websites that offer downloads of software, games, and other tools.

Going through the different campaigns, we identified several phishing websites mentioned in the video descriptions. The TA created these phishing pages to increase the chances of a successful infection. The reach of the campaign can also be estimated from the view counts of the videos posted: the highest number of views we observed on a single video was 18k, indicating that the campaign is widespread.

Figure 1 – Views on Videos

The image below shows the comments on the YouTube videos. Near-identical comments under different videos indicate that the TA adds them to convince users that the software is legitimate.

Figure 2 – Comments in the Videos

YouTube Campaigns Analysis

During our research, we observed that the TA running these campaigns primarily targets people looking to get paid software, such as games and applications, for free. To find it, people usually search for keywords like “software cracks,” “keygens,” etc. These search results lead users to the YouTube videos, which guide them to install malicious executables posing as the software they wanted.

Campaign 1

The image below shows a website hosted at hxxps://teensoft[.]org/, which the YouTube video campaign uses to deliver an info stealer. The website delivers Vidar stealer posing as legitimate applications such as MS Office, Spotify Premium 2022, and Adobe software.

Figure 3 – Website Delivering Vidar Stealer

Campaign 2

The image below shows a website hosted at hxxps://wh1tesoftware[.]me/, which the malicious YouTube video campaign uses to deliver stealer malware.

The website’s catalog lists various malicious programs under legitimate names, such as MS Office, CCleaner PRO, AutoCAD, and Adobe software, which are distributed to targeted users. Behind these names, the website delivers Vidar stealer.

Figure 4 – Website Delivering Vidar Stealer

Campaign 3

The figure below shows a website hosted at hxxps://soft-exp[.]org/, which the YouTube video campaign uses to deliver malicious files. The website impersonates more than 100 applications across the categories of games, cracked software, plugins, Roblox scripts, and cheats to lure users into installing an info stealer on their machine. This website delivers RecordBreaker stealer.

Figure 5 – Website Delivering RecordBreaker Stealer

Campaign 4

The figure below shows a website hosted at hxxps://appshigha[.]com/, which the malicious YouTube video campaign uses to deliver malicious programs.

On the website, software such as Sapphire Plugin, Twixtor Plugin, Valorant Hack, GTA Online Mod Menu, MS Office, CCleaner PRO, and AutoCAD is listed and available for download. When users try to download the software, a RecordBreaker stealer payload is executed silently in the background.

Figure 6 – Website Delivering RecordBreaker Stealer

The list below shows the software titles the TAs impersonate to deliver stealers.

  • Wondershare Filmora
  • Driver Booster PRO
  • CCleaner Professional
  • FL Studio
  • iCloud Bypass iOS 15
  • Lumion 12 Pro
  • Sketchup
  • Bandicam
  • Voicemod Pro
  • Sony Vegas Pro 19
  • AutoCAD
  • 3ds Max
  • Adobe Illustrator
  • Adobe XD
  • Adobe After Effects
  • Adobe Photoshop
  • Adobe Acrobat
  • Adobe InDesign
  • DaVinci Resolve
  • Movavi Video Editor
  • Ableton Live

The list below shows the gaming software the TA claims to deliver for free in order to infect users.

  • Valorant Hack
  • GTA Online Mod Menu
  • Fortnite Hack
  • Fortnite Skin Changer
  • Genshin Impact Hack
  • Warzone Hack
  • Rust Hack
  • Spider-Man Remastered
  • Synapse X Hack
  • NBA 2K23
  • Marvel’s Spider-Man
  • F1 Manager
  • Saints Row
  • Elden Ring
  • Dying Light 2
  • Wanderer Download
  • Expeditions Rome
  • Blackwind Download
  • Tom Clancy’s Rainbow Six Extraction
  • Aery – Dreamscape
  • Monster Hunter Rise
  • The Kids We Were
  • God of War
  • Weird West
  • Far Cry 6

The list below shows the ROBLOX scripts targeted by the YouTube campaign. We have mentioned only 25 of the targeted ROBLOX script names here.

  • Tatakai V.2
  • Project Slayers
  • Limited Words
  • PLS STEAL
  • Gumball Factory Tycoon
  • Apocalypse Rising 2
  • Viet Nam Piece
  • Mining Clicker Simulator
  • Your Bizarre Adventure
  • Legend Piece
  • Anime World Tower Defense
  • Pet Posse Script
  • Anime Adventures
  • Bid Battles
  • Bid Battles
  • Raise A Floppa
  • ARCH PIECE
  • Combat Warriors
  • Telekinesis
  • Lumber Tycoon
  • Decaying Winter
  • Anime Battle Simulator
  • Anime Sword Simulator
  • World Of Stands
  • Prison Life

The list below shows the cheats and plugins targeted.

  • Download Kiddions Modest Menu
  • free-rust-hack-download
  • Sapphire Plugin
  • Twixtor Plugin

Most of the binaries hosted on these phishing sites act as either downloaders or droppers for the stealer payload. The infection proceeds in multiple stages and ends by executing the stealer payload. These stealers mainly exfiltrate sensitive user data such as cookies, system information, and login credentials to their Command and Control (C&C) server.

This exfiltrated data is referred to as Stealer Logs, which are usually sold on cybercrime marketplaces and can be leveraged by other TAs to target individuals or gain access to corporate networks. The phishing campaign discussed in this blog mainly distributed Vidar and RecordBreaker stealer.

Vidar Stealer

Vidar is an information stealer written in C/C++. The Vidar malware family, first identified in 2018, steals sensitive data from the victim’s PC, including banking information, saved passwords, IP addresses, browser history, login credentials, and crypto wallets, which is then transferred to the TA’s C&C server. In the past we have also seen TAs distribute this malware through spam mail, cracked software, keygens, etc.

RecordBreaker Stealer

RecordBreaker stealer is suspected to be a recent version of the Raccoon stealer, which was spotted in the wild in 2022. While executing, this stealer performs several GET/POST requests to its Command and Control (C&C) server. It first fetches its configuration and DLLs and then exfiltrates the victim’s data to the C&C using a POST request. The stealer can also deliver other malware payloads depending on the configuration’s settings. The figure below shows the stealer receiving its configuration file.

Figure 7 – RecordBreaker Configuration File


Threat Actors are constantly enhancing their techniques for delivering malicious programs. In this case, the TA uses YouTube channels to spread malicious payloads hosted on phishing websites. The campaign primarily leverages YouTube videos with step-by-step tutorials to trick users into installing malicious programs on their systems. CRIL has observed an increasing trend of social media scams of late.

Cyble Research and Intelligence Labs’ mission is to continuously monitor and alert our audience to high-tech cyber scams and protect our clients in cyberspace by supporting them in achieving their goals.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Change your passwords at regular intervals.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) solutions organization-wide.
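The RecordBreaker behaviour described earlier (fetch the configuration and DLLs over GET, then exfiltrate with a POST) and the recommendation above to monitor beaconing at the network level can be turned into a simple proxy-log check. The following Python script is an added example written for this page; it is not code from Cyble or from either stealer. The log format, the client addresses, the request paths and the thresholds are constructed assumptions; the only value taken from the page is the Campaign 4 C&C address 146.70.86[.]136, refanged so it can appear in a sample log line.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status> <bytes-sent-by-client>".
# Lines 1-3 mimic the fetch-then-POST pattern described for RecordBreaker against the
# Campaign 4 C&C address from the page; the request paths are placeholders, not real ones.
# Lines 4-5 are ordinary browsing to a named host and should not be flagged by default.
SAMPLE_PROXY_LOG = """\
2022-10-05T10:20:01Z 10.0.0.23 GET http://146.70.86.136/ 200 0
2022-10-05T10:20:02Z 10.0.0.23 GET http://146.70.86.136/placeholder-config 200 0
2022-10-05T10:20:05Z 10.0.0.23 POST http://146.70.86.136/ 200 48211
2022-10-05T10:21:00Z 10.0.0.41 GET https://www.example.com/index.html 200 0
2022-10-05T10:21:10Z 10.0.0.41 POST https://www.example.com/api/upload 200 60000
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_line(line):
    """Parse one constructed proxy-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, bytes_out = m.groups()
    parsed = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "host": parsed.hostname or "",
        "scheme": parsed.scheme,
        "status": int(status),
        "bytes_out": int(bytes_out),
    }


def find_fetch_then_post(lines, window_s=300, min_post_bytes=10_000, bare_ip_only=True):
    """Flag (client, host) pairs where one or more GETs are followed within window_s
    seconds by a POST carrying at least min_post_bytes from the client.
    With bare_ip_only=True only hosts addressed by a literal IPv4 (as the page's C&C is)
    are considered, which keeps normal browsing to named sites out of the results."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["host"])].append(rec)

    findings = []
    for (src, host), recs in sorted(by_pair.items()):
        if bare_ip_only and not IPV4_RE.match(host):
            continue
        recs.sort(key=lambda r: r["ts"])
        gets = [r for r in recs if r["method"] == "GET"]
        for post in recs:
            if post["method"] != "POST" or post["bytes_out"] < min_post_bytes:
                continue
            prior = [g for g in gets if 0 <= (post["ts"] - g["ts"]).total_seconds() <= window_s]
            if prior:
                findings.append({
                    "src": src,
                    "host": host,
                    "scheme": post["scheme"],
                    "gets_before_post": len(prior),
                    "post_bytes": post["bytes_out"],
                    "seconds_from_first_get": (post["ts"] - prior[0]["ts"]).total_seconds(),
                })
                break  # one finding per pair is enough to raise an alert
    return findings


if __name__ == "__main__":
    for f in find_fetch_then_post(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['host']} ({f['scheme']}): {f['gets_before_post']} GET(s) then "
              f"POST of {f['post_bytes']} bytes after {f['seconds_from_first_get']:.0f}s")
```

The bare-IP filter is what keeps this heuristic quiet on normal traffic: legitimate upload flows also look like "GET then POST", so the filter, the byte threshold and the time window are the knobs to tune per environment rather than fixed rules.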

MITRE ATT&CK® Techniques

Tactic                Technique ID   Technique Name
Execution             T1204          User Execution
Defense Evasion       T1140          Deobfuscate/Decode Files or Information
Defense Evasion                      Virtualization/Sandbox Evasion
Defense Evasion                      Process Injection: Process Hollowing
Credential Access     T1555          Credentials from Password Stores
Credential Access                    Steal Web Session Cookies
Credential Access                    Unsecured Credentials
Credential Access                    Steal Application Access Token
Collection            T1113          Screen Capture
Discovery             T1518          Software Discovery
Discovery                            System Time Discovery
Discovery                            System Service Discovery
Command and Control   T1071          Application Layer Protocol
Exfiltration          T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

Indicator                  Indicator Type   Description

Campaign 2: Vidar Stealer
hxxp://                                     Campaign 2 C&C

Campaign 1: Vidar Stealer
hxxp://                                     Campaign 1 C&C
hxxp://                                     Campaign 1 C&C

Campaign 3: RecordBreaker Stealer
hxxp://                                     Campaign 3 Malicious URI
hxxp://                                     Campaign 3 C&C

Campaign 4: RecordBreaker Stealer
hxxp://146.70.86[.]136                      Campaign 4 C&C
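To make the indicators above usable, a defender typically refangs them, matches them against DNS, proxy or firewall logs, and defangs any hits again for reporting. The following Python script is an added example for this page, not Cyble's tooling; it uses the four phishing hosts named in the campaign sections and the one C&C address preserved in the table above, and the log lines it scans are constructed for the demonstration. It also generalises slightly beyond the page by treating subdomains of an IOC domain as matches while refusing look-alike names that merely end in the same letters.

```python
import re

# Defanged indicators copied from this post: the four phishing hosts named in the
# campaign sections and the one C&C address the IOC table preserves. Rows whose
# indicator was truncated to "hxxp://" on the page cannot be used and are left out.
DEFANGED_IOCS = [
    "hxxps://teensoft[.]org/",
    "hxxps://wh1tesoftware[.]me/",
    "hxxps://soft-exp[.]org/",
    "hxxps://appshigha[.]com/",
    "hxxp://146.70.86[.]136",
]

# Constructed resolver/firewall log lines for the demonstration (not real telemetry).
SAMPLE_LOG = """\
2022-10-05T10:12:03Z client=10.0.0.23 query=teensoft.org type=A
2022-10-05T10:12:04Z client=10.0.0.23 query=cdn.wh1tesoftware.me type=A
2022-10-05T10:12:09Z client=10.0.0.41 query=www.example.com type=A
2022-10-05T10:13:22Z src=10.0.0.23 dst=146.70.86.136 dport=80 action=allow
2022-10-05T10:13:30Z client=10.0.0.77 query=notteensoft.org type=A
""".splitlines()


def refang(indicator: str) -> str:
    """Undo the common defanging conventions and return the bare host (domain or IPv4)."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^https?://", "", s, flags=re.IGNORECASE)
    host = s.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def defang(host: str) -> str:
    """Re-defang a host for safe inclusion in reports or tickets."""
    return host.replace(".", "[.]")


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Anything that looks like an IPv4 address or a dotted hostname inside a log line.
HOST_TOKEN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)


def match_ioc(host: str):
    """Return the matching IOC host (exact or parent domain) or None.
    'cdn.wh1tesoftware.me' matches 'wh1tesoftware.me'; 'notteensoft.org' does not match 'teensoft.org'."""
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_lines(lines):
    """Scan arbitrary log lines for IOC hosts, independent of the line format."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in HOST_TOKEN.findall(line):
            ioc = match_ioc(token)
            if ioc:
                hits.append({"line": lineno, "observed": token, "ioc": defang(ioc)})
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG):
        print(f"line {h['line']}: {h['observed']} matches IOC {h['ioc']}")
```

Because the token regex is format-agnostic, the same scan works over DNS query logs, firewall connection logs and proxy logs alike; the suffix check in match_ioc is the part that matters, since a plain substring search would both miss subdomains and false-positive on look-alike names.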

