Proofpoint has warned home computer users not to fall for a new campaign designed to trick them into clicking on malicious links in YouTube video descriptions.
The security vendor detected infostealer malware, including Vidar, StealC and Lumma Stealer, being delivered via the platform. The malware was disguised as pirated software and video game cracks and delivered alongside legitimate-looking content.
“The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware,” Proofpoint explained.
“Many of the accounts that are hosting malicious videos appear to be compromised or otherwise acquired from legitimate users, but researchers have also observed likely actor-created and controlled accounts that are active for only a few hours, created exclusively to deliver malware.”
The vendor notified YouTube of over two dozen accounts and videos designed to distribute malware in this way, which the video platform giant subsequently removed.
Many of the games used as lures were deliberately chosen because they are popular among children, Proofpoint said, indicating that the threat actors are trying to trick those less likely to follow online safety best practices.
It’s possible that they also used automated bots to inflate the number of views for these videos, making them seem more legitimate.
MediaFire and Discord links were commonly used to connect victims to the infostealer malware, Proofpoint added.
The campaign features “multiple distinct activity clusters,” and Proofpoint could not attribute the activity to a single threat group.
“The techniques used are similar, however, including the use of video descriptions to host URLs leading to malicious payloads and providing instructions on disabling antivirus, and using similar file sizes with bloating to attempt to bypass detections,” it concluded.
“Based on the similarities of the video content, payload delivery, and deception methods, Proofpoint assesses that the actors are consistently targeting non-enterprise users.”
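A triage heuristic for the traits described above, as an added example (not Proofpoint's detection logic and not code from the original article): it flags a video description that combines a MediaFire or Discord link, a piracy lure and an instruction to disable antivirus. The hostnames, keyword lists and sample descriptions are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed hostnames: the article says only "MediaFire and Discord links".
FILE_HOSTS = ("mediafire.com", "discord.com", "discordapp.com", "discord.gg")
# Assumed lure and instruction wording, based on the traits the article lists.
LURE = re.compile(r"\b(crack(ed)?|keygen|pirated|free download|full version)\b", re.I)
AV_OFF = re.compile(
    r"\b(disable|turn off|deactivate|pause)\b[^.\n]{0,40}"
    r"\b(anti-?virus|defender|real-?time protection)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_matches(host, suffixes=FILE_HOSTS):
    """True only for the host itself or a real subdomain, not a lookalike."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def link_hosts(text):
    """Hostnames of every URL in the text; malformed URLs are skipped."""
    hosts = set()
    for url in URL.findall(text):
        try:
            hosts.add(urlparse(url).hostname or "")
        except ValueError:
            continue
    return hosts

def triage(description):
    """Return (score, reasons); score 3 means all three traits are present."""
    reasons = []
    if any(host_matches(h) for h in link_hosts(description)):
        reasons.append("file-host link")
    if LURE.search(description):
        reasons.append("piracy lure")
    if AV_OFF.search(description):
        reasons.append("antivirus-disable instruction")
    return len(reasons), reasons

# Constructed sample descriptions (not taken from real videos).
SAMPLES = [
    "Free download of the full version!\n"
    "Link: https://www.mediafire.com/file/EXAMPLE/setup.rar\n"
    "Turn off your antivirus before installing.",
    "Official trailer. Patch notes: https://example.com/notes",
    "Mirror: https://mediafire.com.example.net/a",  # lookalike host
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text))
```

A single trait is common in benign descriptions, so treat only the combined score as a signal worth reviewing.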