Saturday, May 25, 2024

Threat Actors Deliver Malware via YouTube Video Game Cracks

Threat actors target home users with information-stealing malware like Vidar, StealC, and Lumma Stealer, which disguises the malware as pirated software and video game cracks in YouTube videos. 

The videos appear to instruct users on obtaining free software or game upgrades. Still, a link in the description leads to malware, where the attackers compromise legitimate accounts or create new ones specifically to distribute the malware. 

An example of a verified YouTube account with a large following, suspected to be compromised. 
An example of a verified YouTube account with a large following, is suspected to be compromised. 

The method is concerning because it targets younger users with games popular among children, who are less likely to recognize malicious content, as over two dozen such accounts and videos have been identified and reported to YouTube for takedown. 

Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

A verified YouTube channel had found a history of Thai content that abruptly switched to posting English videos with malicious links. 

Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates. 
Screenshot of a suspected compromised YouTube account distributing malware, comparing upload dates. 

The new videos, likely boosted by bots for legitimacy, offered pirated software and character enhancements for popular video games, whose descriptions contained links to password-protected archives (e.g., “Setup_Pswrd_1234.rar”) that deployed Vidar Stealer malware upon execution. 

Screenshot of a video description that includes instructions to disable antivirus. 
Screenshot of a video description that includes instructions to disable antivirus. 

Fake comments further bolstered the legitimacy of the malicious content, which included instructions to bypass antivirus software, highlighting the social engineering tactics employed by the attackers.  

Proofpoint found videos promoting fake Empress cracks for League of Legends, including instructions to download a RAR archive containing a malicious executable named “empress.exe” from a suspicious URL and used visual instructions to trick users into installing Vidar Stealer malware disguised as a game crack. 

Telegram link from Empress video. 
Telegram link from Empress video. 

Malware details with Command and Control Activity 

Malicious actors are distributing Vidar malware through YouTube videos containing links to password-protected, compressed executables hosted on MediaFire. 

Repeating bytes identified in a hex editor.  
Repeating bytes identified in a hex editor.  

The executables contain padding to bypass antivirus scanners and appear larger than they are, while Vidar retrieves its command and control instructions from social media accounts, including Telegram, Steam Community, and Tumblr. 

Vidar Stealer C2 check-in PCAP.  
Vidar Stealer C2 check-in PCAP.  

Accounts are identifiable by usernames containing alphanumeric characters followed by an IP address, which allows Vidar to blend in with regular network traffic. 

The link leads to a Discord post from the threat actor. 
The link leads to a Discord post from the threat actor. 

A malware distribution campaign targeted gamers as actors compromised YouTube accounts and used video descriptions to distribute Discord server links. 

List of “supported” games. 
List of “supported” games. 

The Discord server offered various game-specific malware disguised as cheats, in which downloaded files like “” contained Lumma Stealer malware. At the same time, the campaign exemplifies a broader trend of information-stealing distribution via YouTube. 

Similarities in video content, delivery methods, and target audience (non-enterprise users) suggest a single actor or a group of collaborators. 

The provided indicators of compromise (IOCs) suggest a recent Lumma and Vidar malware campaign, where Lumma files (spoofer.exe, bypasser.exe) were disguised as legitimate applications (VALORANT.exe). 

Vidar used social engineering tactics, using a Steam profile and Telegram channel as C2 servers. Both malware families have been active since February 2024, and new samples appeared in March.  

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles