
YouTube Ghost Network: Unraveling the GachiLoader Malware Hiding in Video Links

  • Dec 19, 2025

Key Findings:


  • A massive network of compromised YouTube accounts is being weaponized to spread a sophisticated new threat, turning the popular video platform into a launchpad for data theft.

  • The campaign, dubbed the "YouTube Ghost Network," leverages malicious videos promoting "cracked" software, trainers, or cheats to lure users into downloading a new, heavily obfuscated JavaScript malware loader called GachiLoader.

  • GachiLoader is written in Node.js and deploys a second-stage component called Kidkadi, which employs a "novel technique for Portable Executable (PE) injection" to execute under the radar of many endpoint protection systems.

  • GachiLoader acts as a bridge, paving the way for the final payload: Rhadamanthys, a notorious information stealer designed to harvest credentials and sensitive data from infected machines.


Background


The "YouTube Ghost Network" isn't a new phenomenon, but its latest evolution is particularly dangerous. Attackers hijack legitimate YouTube accounts to upload videos promoting "cracked" software, trainers, or cheats. These videos contain links to external file hosting platforms where the malware awaits.


GachiLoader: A Sophisticated Malware Loader


The star of this malicious show is GachiLoader, a new loader written in Node.js. Unlike typical binary malware, this script-based threat uses heavy obfuscation to hide its true intent. Once executed, GachiLoader acts as a bridge, paving the way for the final payload: Rhadamanthys, a notorious information stealer.


What makes GachiLoader stand out is its method of deployment. The malware deploys a second-stage component called Kidkadi, which employs a "novel technique for Portable Executable (PE) injection." Instead of using standard injection methods that security tools often flag, Kidkadi takes a devious route: it loads a legitimate DLL and abuses Vectored Exception Handling to replace it on the fly with a malicious payload.


Analyzing Obfuscated Malware


Analyzing obfuscated Node.js malware is notoriously tedious. To combat this, Check Point Research developed a new tool to help analysts cut through the noise.


Persistent Threats and Caution Advised


While YouTube and security vendors work to dismantle these networks, the "Ghost Network" proves that on the internet, phantoms are persistent. Users are urged to be skeptical of "too good to be true" offers on YouTube, especially those promising free access to paid software.


Sources


  • https://securityonline.info/youtube-ghost-network-the-new-gachiloader-malware-hiding-in-your-favorite-video-links/

  • https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html

© 2025 by Explain IT Again