Tuesday, May 6, 2025

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data


Malware actors leverage popular platforms like YouTube and social media to distribute fake installers. Reputable file hosting services are abused to host malware and make detection challenging. 

Password protection and encoding techniques further complicate analysis and evade early sandbox detection. Once a system is compromised, malware can steal sensitive data from web browsers by exploiting credential storage mechanisms. 

Figure: URL hosted in YouTube's comment section

Info stealers are distributed through deceptive tactics such as fake software installers, whose download links can be found on fake websites or social media platforms. 


One common technique is for malicious actors to pose as helpful guides on video-sharing platforms and trick users into clicking on links in the description or comments that lead to download pages for the fake installers. 


File hosting services such as Mediafire and Mega.nz are also used to obscure the download source and make detection more difficult. Info stealers can be disguised as cracked software, appearing in search engine results when users look for pirated software.

Figure: Download link of a fake installer hosted on a media-sharing site

An analysis revealed an adversary leveraging various platforms to distribute malicious software, including OpenSea (an NFT marketplace), SoundCloud (a music-sharing platform), and potentially others. 

The attackers employed techniques such as shortened links (likely to evade scraping and analysis) and password-protected downloads (to hinder initial sandbox analysis). 

Executing the large installer (900 megabytes in size) triggered a batch file; once that batch file was deobfuscated, it was seen to construct and run an AutoIt script. 

Figure: Other entries in the same account showing potentially hosted fake installers

The script dropped files, injected code into legitimate binaries, and stole browser credentials; it used a domain generation algorithm (DGA) to locate its command-and-control servers, demonstrating its ability to evade detection and maintain persistence.
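DGA-generated command-and-control domains tend to look different from human-chosen ones (high character entropy, few vowels, long consonant runs, digits mixed into letters), which is what a defender can key on in DNS telemetry. The following is an added example of such a lexical heuristic, not code from the article or from Trend Micro's analysis; the DNS log lines and domain names are constructed for illustration, and the entropy and ratio thresholds are assumptions a practitioner would tune against their own baseline.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (not from the article):
# "<timestamp> <client ip> <queried name>"
SAMPLE_DNS_LOG = """\
2025-05-06T10:00:01Z 10.0.0.15 www.mediafire.com
2025-05-06T10:00:02Z 10.0.0.15 cdn.cloudflare.net
2025-05-06T10:00:05Z 10.0.0.15 xk3qzv9wprlm7ytb.top
2025-05-06T10:00:06Z 10.0.0.15 q7hfz2nvbd8kc4sx.xyz
2025-05-06T10:00:07Z 10.0.0.15 update.microsoft.com
2025-05-06T10:00:09Z 10.0.0.15 rt5w8kzjp3vmqy1d.top
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn: str) -> str:
    """Return the label left of the TLD, e.g. 'mediafire' for www.mediafire.com.
    Assumes a single-label public suffix; a real deployment would consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label: str) -> dict:
    """Cheap lexical features that separate generated labels from chosen ones."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    consonant_run = max((len(m) for m in re.findall(r"[^aeiou\d]+", label)), default=0)
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "consonant_run": consonant_run,
        "digit_ratio": digit_ratio,
    }


def is_suspicious(label: str) -> bool:
    """Flag a label when it is long enough to matter and trips at least two
    of the four thresholds (thresholds are assumed starting points)."""
    f = dga_features(label)
    hits = 0
    if f["entropy"] > 3.5:
        hits += 1
    if f["vowel_ratio"] < 0.25:
        hits += 1
    if f["consonant_run"] >= 4:
        hits += 1
    if f["digit_ratio"] > 0.15:
        hits += 1
    return len(label) >= 10 and hits >= 2


def find_dga_candidates(log_text: str) -> list:
    """Parse the log and return every FQDN whose second-level label looks generated."""
    candidates = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the hunt
        fqdn = parts[2]
        if is_suspicious(second_level_label(fqdn)):
            candidates.append(fqdn)
    return candidates


if __name__ == "__main__":
    for name in find_dga_candidates(SAMPLE_DNS_LOG):
        print("possible DGA domain:", name, dga_features(second_level_label(name)))
```

A heuristic like this is a triage filter, not a verdict: legitimate CDN and telemetry hostnames can also score high, so the flagged names should be joined with the querying process and with NXDOMAIN volume (DGA clients typically burn through many unregistered names before hitting a live one) before anyone acts on them.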

A trojanized installer disguised as legitimate remote desktop software (rustdesk.exe) is downloaded from a known file hosting site. The user unpacks the file with a password and executes the installer. 

The installer injects malicious code into legitimate processes (more.com, StrCmp.exe, SearchIndexer.exe, and explorer.exe) to evade detection and drops additional malware. 

It also creates autorun registry entries and scheduled tasks to ensure persistence and communicates with the C&C server to download more malware. 
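The behaviours described in the three paragraphs above (a user-launched installer injecting into explorer.exe and friends, writing Run-key entries, and registering scheduled tasks that point back at a user-writable directory) are exactly what endpoint telemetry such as Sysmon records. The following is an added example of triage logic over such events; it is not code from the article or from Trend Micro, and the event records are constructed Sysmon-style dictionaries (event 1 process creation, event 8 CreateRemoteThread, event 13 registry value set) rather than real captures. The path patterns and target-process list are assumptions drawn from the process names the article lists.

```python
import re

# Constructed Sysmon-style events (not from the article). Only the fields the
# rules need are included; real Sysmon XML carries many more.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\rustdesk.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\victim\AppData\Roaming\svc\run.exe"'},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\rustdesk.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\svc\run.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\rustdesk.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign noise: a vendor installer from Program Files touching its own key.
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "setup.exe /quiet"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Vendor\Settings\Version", "Details": "1.2.3"},
]

# Directories an unprivileged user can write to; a persistence entry that
# points here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Legitimate binaries the article names as injection targets.
INJECTION_TARGETS = {"explorer.exe", "searchindexer.exe", "more.com", "strcmp.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_events(events: list) -> list:
    """Return one human-readable finding per event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:
            # Rule 1: Run/RunOnce value whose payload lives in a user-writable dir.
            if RUN_KEY.search(ev.get("TargetObject", "")) and USER_WRITABLE.search(ev.get("Details", "")):
                findings.append(f"autorun: {ev['TargetObject']} -> {ev['Details']}")
        elif eid == 1:
            # Rule 2: schtasks /create whose action points into a user-writable dir.
            cmd = ev.get("CommandLine", "")
            if basename(ev.get("Image", "")) == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
                findings.append(f"scheduled task: {cmd}")
        elif eid == 8:
            # Rule 3: remote thread created in a well-known host process by a
            # binary running from a user-writable directory.
            src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            if basename(dst) in INJECTION_TARGETS and USER_WRITABLE.search(src):
                findings.append(f"remote thread: {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

Each rule on its own will fire on some legitimate software (updaters do use Run keys and scheduled tasks), so the useful signal is the combination: the same user-writable binary appearing as the registry writer, the task creator and the remote-thread source within a short window is what turns three low-confidence hits into one high-confidence incident.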

Figure: Injected explorer.exe connecting to the C&C address

According to Trend Micro, the campaign leverages a diverse arsenal of info stealers (LUMMASTEALER, PRIVATELOADER, MARSSTEALER, AMADEY, PENGUISH, VIDAR) to evade detection. 

Attackers employ various tactics, including utilizing large files to bypass sandbox analysis, encrypting payloads with password-protected ZIP archives to hinder content scanning, and distributing malware through legitimate file-sharing platforms and shortened URLs to impede proactive detection. 

To combat evolving social engineering threats and advanced evasion tactics like DLL sideloading, process injection, and file obfuscation, organizations must implement a multi-layered defense. 

This includes user education to recognize and avoid phishing attempts, continuous threat hunting to proactively identify and respond to emerging threats, and leveraging an MSSP for expert threat intelligence and managed security services. 

By combining these measures with proactive monitoring and advanced detection capabilities, organizations can enhance their security posture and minimize the impact of sophisticated cyberattacks.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
