Threat actors target home users with information-stealing malware such as Vidar, StealC, and Lumma Stealer, disguising the malware as pirated software or video game cracks from YouTube videos.
These videos appear to instruct viewers on how to obtain free software or game upgrades, but the links in their descriptions lead to malware. The attackers either compromise legitimate accounts or create new ones solely to distribute it.
The technique is concerning because it targets young users through games popular with children, who are less likely to recognize malicious content. More than 20 such accounts and videos have been identified and reported to YouTube for removal.
A verified YouTube channel with a history of Thai-language content suddenly switched to posting English-language videos containing malicious links.
The new video, which offered pirated software and character enhancements for popular video games and was likely boosted by bot activity to appear legitimate, linked to password-protected archives (such as "Setup_Pswrd_1234.rar") whose contents deploy Vidar Stealer when run.
Fake comments, including instructions on how to bypass antivirus software, further lent the malicious content an air of legitimacy and highlight the social engineering tactics the attackers employed.
Proofpoint also discovered a video promoting a fake Empress crack for League of Legends. It included instructions for downloading a RAR archive from a suspicious URL containing a malicious executable named "empress.exe", along with visual step-by-step guidance designed to trick users into running it under the guise of a game crack. The executable installed Vidar Stealer.
Malware details, including command and control activity
Malicious actors are distributing Vidar malware through YouTube videos that contain links to password-protected compressed executable files hosted on MediaFire.
The executable is padded so that it appears much larger than it actually is, a trick intended to evade antivirus scanners. Once running, Vidar retrieves its command and control (C2) instructions from attacker-controlled social media accounts on Telegram, Steam Community, and Tumblr.
These accounts can be identified by usernames consisting of alphanumeric characters followed by an IP address. Because the requests go to legitimate, widely used platforms, Vidar's C2 lookups blend in with normal network traffic.
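The two Vidar traits described above, dead-drop C2 resolution through social media profiles and oversized padding, both lend themselves to simple triage checks. The following is an added example written for this page, not code from Proofpoint or from the malware. The exact dead-drop layout (an alphanumeric tag, a "|" separator, then the C2 address) and the sample profile snippets and executable bytes are constructed assumptions for illustration; the article only states that the usernames contain alphanumeric characters followed by an IP address.

```python
import ipaddress
import re

# Constructed sample "profile pages" (not real Vidar content). The tag|address
# layout is an assumption about the dead-drop format, not taken from the article.
SAMPLE_PROFILES = {
    "steam": '<div class="profile_summary">x9Kq2Lz|http://203.0.113.10</div>',
    "telegram": '<div class="tgme_page_description">Gaming tips daily. ab12CD9|198.51.100.77</div>',
    "tumblr": "<p>just vibes</p>",  # no dead drop present
    "benign": "<div>Build v1.2.3 released 2024.03.01 - see notes</div>",  # digits, no IPv4
}

# Alphanumeric tag (5+ chars, not glued to a preceding alphanumeric), a "|" separator,
# an optional scheme, a dotted quad, and an optional port.
DEAD_DROP_RE = re.compile(
    r"(?<![A-Za-z0-9])([A-Za-z0-9]{5,})\|(?:https?://)?((?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?"
)


def extract_dead_drops(page_text: str) -> list[tuple[str, str]]:
    """Return (tag, ip) pairs matching the dead-drop pattern whose IP is a valid, routable IPv4."""
    hits = []
    for tag, ip in DEAD_DROP_RE.findall(page_text):
        try:
            addr = ipaddress.IPv4Address(ip)  # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            continue
        hits.append((tag, str(addr)))
    return hits


def trailing_padding_ratio(data: bytes) -> float:
    """Fraction of the file occupied by a single repeated byte at its end.

    A crude check for the padding trick: a real executable rarely ends with a
    run of one byte value covering most of the file.
    """
    if not data:
        return 0.0
    last = data[-1:]
    run = len(data) - len(data.rstrip(last))
    return run / len(data)


# Constructed sample bytes (not a real executable): a small header-like body followed
# by 10 KiB of zero padding, versus the same body with no padding.
PADDED_SAMPLE = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 10240
UNPADDED_SAMPLE = b"MZ" + bytes(range(1, 256)) * 4


if __name__ == "__main__":
    for name, page in SAMPLE_PROFILES.items():
        print(name, extract_dead_drops(page))
    print("padded ratio:", round(trailing_padding_ratio(PADDED_SAMPLE), 3))
    print("unpadded ratio:", round(trailing_padding_ratio(UNPADDED_SAMPLE), 3))
```

In practice the extractor would be run over fetched profile pages found in proxy logs for hosts that also show an unexpected connection to the extracted IP, and the padding ratio over downloaded archive contents before they are allowed to execute; a ratio above roughly 0.9 on a multi-hundred-megabyte file is a strong hint that size, not content, is doing the evading.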
In a separate campaign targeting gamers, attackers compromised YouTube accounts and used video descriptions to distribute Discord server links.
The Discord server served a variety of game-specific malware disguised as cheats; downloaded files such as "valoskin.zip" contained Lumma Stealer. This campaign exemplifies a broader trend of information stealer distribution via YouTube.
Similarities in video content, delivery method, and target audience (home users rather than corporate ones) suggest a single actor or a group of collaborators.
The indicators of compromise (IOCs) provided cover recent Lumma and Vidar campaigns in which Lumma files (spoofer.exe, bypasser.exe) were disguised as legitimate applications (VALORANT.exe).
Vidar relied on social engineering and used Steam profiles and Telegram channels as C2 servers. Both malware families have been active in these campaigns since February 2024, with new samples appearing in March.