Threat actors target home users with information-stealing malware like Vidar, StealC, and Lumma Stealer, which disguises the malware as pirated software and video game cracks in YouTube videos. 

The videos appear to instruct users on obtaining free software or game upgrades. Still, a link in the description leads to malware, where the attackers compromise legitimate accounts or create new ones specifically to distribute the malware. 

The method is concerning because it targets younger users with games popular among children, who are less likely to recognize malicious content, as over two dozen such accounts and videos have been identified and reported to YouTube for takedown. 

A verified YouTube channel had found a history of Thai content that abruptly switched to posting English videos with malicious links. 

The new videos, likely boosted by bots for legitimacy, offered pirated software and character enhancements for popular video games, whose descriptions contained links to password-protected archives (e.g., “Setup_Pswrd_1234.rar”) that deployed Vidar Stealer malware upon execution. 

Fake comments further bolstered the legitimacy of the malicious content, which included instructions to bypass antivirus software, highlighting the social engineering tactics employed by the attackers.  

Proofpoint found videos promoting fake Empress cracks for League of Legends, including instructions to download a RAR archive containing a malicious executable named “empress.exe” from a suspicious URL and used visual instructions to trick users into installing Vidar Stealer malware disguised as a game crack. 

Malware details with Command and Control Activity 

Malicious actors are distributing Vidar malware through YouTube videos containing links to password-protected, compressed executables hosted on MediaFire. 

The executables contain padding to bypass antivirus scanners and appear larger than they are, while Vidar retrieves its command and control instructions from social media accounts, including Telegram, Steam Community, and Tumblr. 

Accounts are identifiable by usernames containing alphanumeric characters followed by an IP address, which allows Vidar to blend in with regular network traffic. 

A malware distribution campaign targeted gamers as actors compromised YouTube accounts and used video descriptions to distribute Discord server links. 

The Discord server offered various game-specific malware disguised as cheats, in which downloaded files like “valoskin.zip” contained Lumma Stealer malware. At the same time, the campaign exemplifies a broader trend of information-stealing distribution via YouTube. 

Similarities in video content, delivery methods, and target audience (non-enterprise users) suggest a single actor or a group of collaborators. 

The provided indicators of compromise (IOCs) suggest a recent Lumma and Vidar malware campaign, where Lumma files (spoofer.exe, bypasser.exe) were disguised as legitimate applications (VALORANT.exe). 

Vidar used social engineering tactics, using a Steam profile and Telegram channel as C2 servers. Both malware families have been active since February 2024, and new samples appeared in March.  

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.