Threat actors are disseminating malware through YouTube channels masquerading as sources for cracked and pirated video games, according to new findings from Proofpoint's Emerging Threats division.
Multiple YouTube channels have been identified distributing malware: links in the video descriptions lead to downloads of malicious payloads. The payloads include well-known information stealers such as Vidar, StealC, and Lumma Stealer, which harvest sensitive information from victims' systems.
The campaigns appear to target ordinary consumers, whose personal computers typically lack enterprise-grade security controls, the company said.
The campaigns rely on compromised YouTube accounts, some of which were likely taken over from legitimate users, to host videos promoting cracked software and game hacks. The researchers also observed the threat actors creating short-lived accounts used solely for malware distribution.
“In one example, a video purported to contain a character enhancement for a popular video game with a MediaFire link in the description. The MediaFire URL led to a password-protected file (Setup_Pswrd_1234.rar) containing an executable (Setup.exe) that, if executed, downloaded and installed Vidar Stealer malware,” Proofpoint wrote in a technical analysis.
The threat research team said it has identified over two dozen accounts and videos distributing malware. Indicators that an account has been compromised include sudden shifts in content and language, long gaps between uploads, and new videos that differ sharply from the channel's earlier content.
The researchers also found payloads being distributed through Discord URLs embedded in video descriptions. The threat actors run Discord servers dedicated to specific games, where users are offered downloadable files along with installation instructions.
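The compromise indicators listed above lend themselves to a simple heuristic over a channel's upload history. The Python below is an added example, not Proofpoint's tooling or anything from its report: the `Upload` record, the 180-day gap threshold, the topic labels and both sample channels are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Added example of account-takeover heuristics modelled on the indicators the
# article lists (language shift, long upload gap, abrupt change of content).
# Field names, thresholds and sample data are assumptions, not Proofpoint's.


@dataclass(frozen=True)
class Upload:
    published: date
    language: str   # language of title/description, e.g. "es"
    topic: str      # coarse content label, e.g. "cooking" or "game-cheats"


LONG_GAP_DAYS = 180                                  # assumption: six months of silence is notable
LURE_TOPICS = {"game-cheats", "cracked-software"}    # lure themes described in the article


def compromise_indicators(uploads, long_gap_days=LONG_GAP_DAYS):
    """Return the set of indicator names that fire for a channel's upload history.

    Each upload is compared with everything the channel posted before it, so a
    single off-theme video after years of consistent content is flagged, while
    a channel that has always posted game content is not.
    """
    history = sorted(uploads, key=lambda u: u.published)
    fired = set()
    for i in range(1, len(history)):
        prev, cur = history[i - 1], history[i]
        seen_languages = {u.language for u in history[:i]}
        seen_topics = {u.topic for u in history[:i]}
        if cur.language not in seen_languages:
            fired.add("language_shift")
        if (cur.published - prev.published).days >= long_gap_days:
            fired.add("long_gap")
        if cur.topic not in seen_topics:
            fired.add("content_shift")
            if cur.topic in LURE_TOPICS:
                fired.add("lure_topic")
    return fired


def is_likely_compromised(uploads, min_indicators=2):
    """Assumption: two or more independent indicators is enough to queue the channel for review."""
    return len(compromise_indicators(uploads)) >= min_indicators


# Constructed sample data: a Spanish-language cooking channel that suddenly
# posts an English game-cheat video after a long silence, and a channel that
# has only ever posted game-cheat content.
SAMPLE_CHANNEL = [
    Upload(date(2022, 1, 10), "es", "cooking"),
    Upload(date(2022, 3, 5), "es", "cooking"),
    Upload(date(2022, 6, 20), "es", "cooking"),
    Upload(date(2023, 4, 1), "en", "game-cheats"),   # 285 days later
]

CONSISTENT_CHANNEL = [
    Upload(date(2023, 1, 1), "en", "game-cheats"),
    Upload(date(2023, 1, 8), "en", "game-cheats"),
]

if __name__ == "__main__":
    for name, channel in (("sample", SAMPLE_CHANNEL), ("consistent", CONSISTENT_CHANNEL)):
        print(name, sorted(compromise_indicators(channel)), is_likely_compromised(channel))
```

Note what this heuristic cannot see: the short-lived accounts the article says were created purely for distribution have no earlier history to diverge from, so they produce no indicators here. Those need different signals, such as account age and every upload being a lure, which is why the consistent channel above is not flagged even though its content matches the lure theme.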
Proofpoint has not attributed the observed activity to any specific threat actor.
“The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections. Based on the similarities of the video content, payload delivery, and deception methods, Proofpoint assesses that the actors are consistently targeting non-enterprise users,” the researchers said, adding that they haven’t been able to determine how the accounts were compromised in the first place.
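The file-size bloating mentioned in the quote is one of the few details here that can be checked mechanically. The Python below is an added example, not Proofpoint's detection logic: it looks for a long run of a single filler byte at the end of a sample and for near-total compressibility, strips the padding so the underlying binary can be hashed and scanned at its real size, and uses thresholds (50 MB, 50% of the file) that are assumptions; the sample bytes are constructed.

```python
import zlib

# Added example (not Proofpoint's tooling): heuristics for spotting a payload
# that has been padded with filler so its size exceeds the scan limits of some
# antivirus engines or sandboxes. The thresholds below are assumptions.

MIN_FILLER_BYTES = 50 * 1024 * 1024   # assumption: a 50 MB run of filler is not legitimate overlay
MIN_FILLER_RATIO = 0.5                # assumption: filler makes up at least half the file


def trailing_filler(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the run of identical bytes ending the blob.

    Padding appended after the real binary shows up as one very long run of a
    single byte value, most often 0x00.
    """
    if not data:
        return (0, 0)
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return (last, len(data) - len(stripped))


def compressibility(data: bytes) -> float:
    """Compressed size / raw size; a value near zero means the content is mostly repetitive filler."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 1)) / len(data)


def bloat_report(data: bytes, min_bytes=MIN_FILLER_BYTES, min_ratio=MIN_FILLER_RATIO) -> dict:
    """Summarise the trailing filler and decide whether the sample looks bloated."""
    value, run = trailing_filler(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "filler_byte": value,
        "filler_run": run,
        "filler_ratio": ratio,
        "unpadded_size": len(data) - run,
        "bloated": run >= min_bytes and ratio >= min_ratio,
    }


def strip_bloat(data: bytes, min_bytes=MIN_FILLER_BYTES, min_ratio=MIN_FILLER_RATIO) -> bytes:
    """Remove appended filler from a bloated sample; a file that is not bloated is returned unchanged.

    Only the trailing run is removed, so the bytes of the real binary are untouched
    and its hash can be compared against the unpadded sample.
    """
    report = bloat_report(data, min_bytes, min_ratio)
    if not report["bloated"]:
        return data
    return data[:report["unpadded_size"]]


# Constructed sample inputs: a stand-in for a small executable, and the same
# bytes padded with 60 MB of null bytes.
FAKE_EXE = b"MZ" + bytes(range(256)) * 16          # 4,098 bytes, ends in 0xFF
BLOATED_EXE = FAKE_EXE + b"\x00" * (60 * 1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("clean", FAKE_EXE), ("padded", BLOATED_EXE)):
        print(name, bloat_report(blob), round(compressibility(blob), 4))
```

Two caveats for anyone turning this into a detection. Filler made of random bytes defeats the run-length check and also defeats the compressibility check, so the unpadded size then has to be recovered from the file's own headers (for a PE, the end of the last section) rather than from the tail. And the quote's other observation, that samples share similar file sizes, is a useful clustering signal in its own right even when the padding itself is not detected.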