Wednesday, April 30, 2025

New DCRat Campaign Uses YouTube Videos to Target Users


A new campaign involving the DCRat backdoor has recently been uncovered, leveraging YouTube as a primary distribution channel.

Since the beginning of the year, attackers have been using the popular video-sharing platform to target users through fake or stolen accounts.

These malicious actors upload videos that appear to offer cheats, cracks, game bots, and other illicit software, enticing viewers to download these tools.


However, the downloads instead contain a password-protected archive housing the DCRat Trojan.

How the Malware is Spread

The attackers post videos on YouTube with enticing titles and descriptions that advertise cheats and cracks for popular games.

Advertising cheats and cracks on YouTube

The video descriptions include a link to a legitimate file-sharing service where the malicious software is hosted.

The download is a password-protected archive padded with junk files and folders meant to make it look legitimate. Once extracted, it yields the DCRat backdoor alongside those decoy files.

DCRat Backdoor Details

DCRat, also known as Dark Crystal RAT, is a remote access Trojan (RAT) that has been in circulation since 2018.

Archives with a sample of DCRat disguised as a cheat and crack

This malware is capable of downloading additional modules, significantly expanding its capabilities.

According to the Securelist report, researchers have identified 34 plugins for DCRat, including features such as keystroke recording, webcam access, file downloading, and password exfiltration. These capabilities pose a significant threat to user privacy and security.

Plugins for DCRat builder in the service of attackers

To support their operations, the attackers register second-level domains, primarily in the RU zone, and create third-level domains that function as command and control (C&C) servers.

Notably, these domains often include words like “nyashka” or “nyashkoon,” terms popular in anime and manga fan communities.

Since the start of 2025, the group has registered at least 57 new second-level domains, with five of them hosting more than 40 third-level domains as C&C servers.
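The naming pattern described above (third-level domains under freshly registered .ru second-level domains, with labels such as "nyashka" or "nyashkoon") can be turned into a simple hunting rule over DNS query logs. The script below is an added example, not code from the report; the log format and every domain name in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the report); the domain names are
# placeholders that only imitate the naming pattern described in the article.
SAMPLE_DNS_LOG = """\
2025-03-01T10:15:02Z host-17 query A nyashka.placeholder-sld.ru
2025-03-01T10:15:09Z host-17 query A api.update-check.example
2025-03-01T10:16:40Z host-22 query A nyashkoon.gamefix-placeholder.ru
2025-03-01T10:17:01Z host-17 query A files.placeholder-sld.ru
2025-03-01T10:18:33Z host-09 query A nyashka.placeholder-sld.ru
"""

KEYWORDS = ("nyashka", "nyashkoon")
# Assumed log layout: <timestamp> <client host> query <type> <queried name>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+\S+\s+(?P<name>\S+)$")


def split_levels(name):
    """Return (third-level label, second-level domain, tld) or None when the
    name has fewer than three labels."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return labels[-3], ".".join(labels[-2:]), labels[-1]


def is_suspicious(name):
    """Match third-level names under a .ru second-level domain whose
    third-level label contains one of the reported keywords."""
    parts = split_levels(name)
    if parts is None:
        return False
    third, _, tld = parts
    return tld == "ru" and any(k in third for k in KEYWORDS)


def scan_dns_log(text):
    """Group matching queries by querying host: {host: sorted unique names}."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and is_suspicious(m.group("name")):
            hits[m.group("host")].add(m.group("name").lower())
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(host, names)
```

The keyword list is a weak, campaign-specific signal; treat a match as a lead for investigation rather than a verdict, and pair it with registration age of the second-level domain where that data is available.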

Victim Demographics

Based on telemetry data, Russian users have been the most affected, with DCRat samples downloaded to their devices in 80% of cases.

A smaller number of users from Belarus, Kazakhstan, and China have also encountered the malware.

Kaspersky Lab products successfully detect the DCRat samples with the verdict “Backdoor.MSIL.DCRat.”

It is crucial for users to exercise caution when downloading software, especially from untrusted sources, as this campaign illustrates the growing trend of using legitimate platforms for malicious activities.

Users are advised to download game products only from trusted sources to avoid falling victim to such malware distribution tactics.

Moreover, the involvement of password-protected archives in spreading malware highlights the sophistication and adaptability of attackers in evading detection.

Besides DCRat, other malware types such as stealers, miners, and downloaders are also distributed via similar methods, emphasizing the need for vigilance and the use of reliable security software.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
