Technology
3,000+ YouTube videos deliver malware disguised as free software
NEWYou can now listen to Fox News articles!
YouTube is arguably the most popular and most visited platform for entertainment, education and tutorials. There’s a video for everything on YouTube, whether you want to learn how to cook, ride a bike or need help with work or school. But recent research by Check Point reveals a darker side: a sprawling malware distribution network quietly operating within the platform. Hackers are using compromised accounts, fake engagement and clever social engineering to spread information-stealing malware disguised in more than 3,000 software cracks and game hack videos.
Most victims begin by searching for free or cracked software, cheat tools or game hacks, which is the root of the infection chain. This curiosity for “free” software opens the door to the Ghost Network’s traps.
META ACCOUNT SUSPENSION SCAM HIDES FILEFIX MALWARE
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CyberGuy.com newsletter.
Cybercriminals are exploiting YouTube’s massive reach by disguising malware inside fake “how-to” and “free software” videos. (Kurt “CyberGuy” Knutsson)
All about YouTube’s ghost network
According to Check Point Research, the YouTube Ghost Network has been active since 2021, with activity surging threefold in 2025. It’s built around a simple but effective formula, which blends social manipulation with technical stealth. The network’s primary targets are people searching for “Game Hacks/Cheats” and “Software Cracks/Piracy.”
Researchers discovered that these videos often feature positive comments, likes and community posts from compromised or fake accounts. This coordinated engagement gives potential victims a false sense of safety.
The fake social proof and fabricated likes, comments and subscriber activity play a key psychological role. They trick viewers into believing the content is legitimate and widely trusted, allowing the operation to persist even when YouTube removes individual videos or channels. The network’s modular structure and constant replacement of banned accounts make takedowns only temporarily effective.
Once a user clicks the provided links, they’re usually taken to file-sharing services or phishing sites hosted on Google Sites, MediaFire, Dropbox or similar platforms. The linked files are often password-protected archives, making them harder for antivirus tools to scan. Victims are then asked to disable Windows Defender before installation, effectively disarming their own protection before running the malware.
Check Point found that the majority of these attacks deliver information-stealing malware such as Lumma Stealer, Rhadamanthys, StealC and RedLine. These programs harvest passwords, browser data and other sensitive information, sending it back to the attacker’s command and control servers.
What makes the network particularly resilient is its role-based structure. Each compromised YouTube account serves a function; some upload malicious videos, others post download links and a third group boosts credibility by commenting and liking content. When an account gets banned, it’s quickly replaced, allowing the operation to continue largely uninterrupted.
A single click on a malicious link can disable your defenses and install information-stealing malware in seconds. (Kurt “CyberGuy” Knutsson)
Inside the malicious campaigns
Two major campaigns stood out in Check Point’s investigation. The first involved the Rhadamanthys infostealer, spread through a compromised YouTube channel named @Sound_Writer, which had nearly 10,000 subscribers.
The attackers uploaded fake cryptocurrency-related videos and used phishing pages on Google Sites to distribute malicious archives. These pages instructed viewers to “turn off Windows Defender temporarily,” assuring them it was a false alert. The archives contained executable files that quietly installed the Rhadamanthys malware, which connected to multiple control servers to exfiltrate stolen data.
The second campaign, involving HijackLoader and Rhadamanthys, leveraged a much larger channel, @Afonesio1, with around 129,000 subscribers. Here, attackers uploaded videos offering cracked versions of Adobe Photoshop, Premiere Pro, and FL Studio.
MICROSOFT SOUNDS ALARM AS HACKERS TURN TEAMS PLATFORM INTO ‘REAL-WORLD DANGERS’ FOR USERS
One of these videos gained over 291,000 views and dozens of glowing comments claiming the software worked perfectly. The malware was hidden inside a password-protected archive linked through a community post. The installer used HijackLoader to drop the Rhadamanthys payload, which then connected to rotating control servers every few days to avoid detection.
Even if you never complete the installation, you can still be at risk. Simply visiting the phishing or file-hosting sites may expose you to malicious scripts or credential theft prompts disguised as “verification” steps. Clicking the wrong link can compromise login data before any software is even installed.
Strong passwords, two-factor authentication, and regular security scans are your best defense against YouTube’s Ghost Network. (Cyberguy.com)
7 steps you can take to stay safe from YouTube’s ghost network
The Ghost Network succeeds by exploiting curiosity and trust. It disguises malware as “free software” or “game hacks,” relying on users to click before thinking. Protecting yourself means adopting habits that make it harder for attackers to fool you. Here are seven steps to stay safe:
1) Avoid cracked software and cheat downloads
Most infections start with people trying to download pirated or modified programs. These files are often hosted on unregulated file-sharing websites where anyone can upload malicious content. Even if a YouTube video looks polished or filled with positive comments, that doesn’t mean it’s safe. Official software developers and gaming studios never distribute downloads through YouTube links or third-party sites.
Besides being dangerous, downloading cracked software also poses legal risks. Piracy violates copyright law and can lead to serious consequences, while giving cybercriminals a perfect delivery channel for malware.
2) Use a strong antivirus
Make sure you have a trusted antivirus solution installed and always running. Real-time protection can detect suspicious downloads and block harmful files before they do any damage. Schedule regular system scans and keep your antivirus updated so it can recognize the latest threats.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com
WHAT REALLY HAPPENS ON THE DARK WEB, AND HOW TO STAY SAFE
3) Never disable your antivirus or Windows Defender
If a tutorial or installer tells you to disable your security software, that’s a red flag. Malware creators use this trick to bypass detection. There’s no legitimate reason to turn off protection, even temporarily. The moment a file asks you to do so, delete it immediately.
4) Be cautious with YouTube links and download sources
Always inspect links before clicking. Hover over them to check the destination and avoid shortened or redirected URLs that hide their true target. Downloads hosted on unfamiliar domains or file-sharing sites should be treated as unsafe. If you need software, get it directly from the official website or trusted open-source communities.
5) Use a password manager and enable two-factor authentication (2FA)
Turning on 2FA for important accounts adds another layer of protection, ensuring that even if someone gets your password, they can’t access your account. Malware often aims to steal saved passwords and browser data. Storing credentials in a password manager keeps them encrypted and separate from your browser, making them harder to steal. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse.
Next, see if your email has been exposed in past breaches. Our #1 password manager (see CyberGuy.com) pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at CyberGuy.com
6) Keep your operating system and apps updated
Software updates don’t just bring new features, but they also fix security flaws that malware can exploit. Enable automatic updates for your system, browser, and commonly used applications. Staying up to date is one of the simplest ways to prevent infections.
7) Use a trusted data removal service
Even after securing your system, your personal information might already be circulating online from past breaches. A reliable data removal service can continuously scan and request deletion of your data from people-search and broker sites, making it harder for cybercriminals to exploit your exposed information.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting CyberGuy.com
Get a free scan to find out if your personal information is already out on the web: CyberGuy.com
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Kurt’s key takeaway
Cybercriminals have evolved beyond traditional phishing and email scams. By exploiting a platform built on trust and engagement, they have created a scalable, self-sustaining system for malware distribution. Frequent file updates, password-protected payloads, and shifting control servers make these campaigns difficult for both YouTube and security vendors to detect and shut down.
Do you think YouTube is doing enough to stop malware distribution on its platform? Let us know by writing to us at CyberGuy.com
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CyberGuy.com newsletter.
Copyright 2025 CyberGuy.com. All rights reserved.
YouTube is making some changes that might affect how you share videos from the mobile app. From the app, you can finally share videos from a specific timestamp, which will make it easier to point someone to a part of a video you might want them to see while you’re on your phone. However, this change will replace the Clips feature that lets you make a shareable clip from a video.
You’ll still be able to watch any Clips that you’ve already made. But moving forward, “the ability to set an end time or include a custom description when sharing will no longer be available,” YouTube says. The company notes that while clipping is “important way for creators to reach new audiences,” it says that “a number of third-party tools with advanced clipping features and authorized creator programs are now available to do this across different video platforms.”
The company originally introduced the Clips feature in 2021.
NEWYou can now listen to Fox News articles!
When you upload a photo to Facebook, you expect it to stay private unless you decide otherwise. That expectation just took a hit after a former employee of Meta was accused of accessing thousands of private images.
According to details confirmed by the company, the London-based employee allegedly created a program to bypass internal safeguards. Investigators say this may have allowed access to about 30,000 private Facebook images that were not meant to be viewed.
The individual is now under criminal investigation and is out on bail as authorities continue to review the case. Here’s how investigators say the access may have happened.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com, trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
META SMART GLASSES PRIVACY CONCERNS GROW
A former Meta employee is accused of accessing thousands of private Facebook images, raising new concerns about how user data is protected. (Fabian Sommer/picture alliance via Getty Images)
How the Meta employee allegedly accessed private images
Authorities believe the employee may have written a script to get around Meta’s internal detection systems. In simple terms, the system that should flag unusual behavior may not have caught the activity right away. This detail matters because large tech platforms rely on monitoring tools to detect suspicious access patterns. When those checks are bypassed, it raises questions about how internal access is controlled.
The investigation is being handled by the cybercrime unit of the Metropolitan Police in London. At the same time, security experts often point out that insider threats are difficult to eliminate. Even strong systems can be tested when someone inside the company misuses access.
What Meta says about the employee investigation
Meta says it discovered the improper access more than a year ago and took action after identifying the issue.
“Protecting user data is our top priority,” a Meta spokesperson told CyberGuy. “After discovering improper access by an employee over a year ago, we immediately terminated the individual, notified users, referred the matter to law enforcement and enhanced our security measures. We are cooperating with the ongoing investigation.”
Legal risks in the Meta private images case
Data protection experts say cases like this often come down to both intent and safeguards. If an employee accesses personal data without authorization, that can lead to criminal charges under data protection and computer misuse laws. However, the company’s responsibility depends on the protections it had in place. If proper safeguards existed, the focus usually remains on the individual.
If not, regulators may consider penalties or legal claims against the company. The Information Commissioner’s Office, the U.K.’s data privacy watchdog, has acknowledged the incident. The agency stressed that social media users should be able to trust how their personal information is handled.
Why the Meta investigation is drawing attention now
This case is unfolding at a time when scrutiny of major tech platforms is already high. Recent legal challenges have raised broader concerns about how companies protect users and manage risk. That context adds weight to this investigation. It reflects a larger conversation about privacy and accountability in the tech industry. As more people rely on digital platforms, expectations of data protection continue to rise. Incidents like this tend to reinforce those concerns.
META REPORTEDLY BUILDING AN AI VERSION OF MARK ZUCKERBERG TO INTERACT WITH COMPANY EMPLOYEES
Mark Zuckerberg walks through the U.S. Capitol after a meeting on March 26, 2026. Investigators in London say a former Meta employee may have used a script to bypass safeguards and view about 30,000 private Facebook images. (Tom Williams/CQ-Roll Call, Inc via Getty Images)
Simple ways to protect your private photos
Even though this case involves an insider, there are still simple steps you can take to better protect your photos and limit who can see them.
1) Check your Facebook privacy settings
You cannot control what happens inside a company, but you can limit how much of your personal content is exposed. Start by reviewing your Facebook privacy settings.
(Settings may vary depending on device and app version)
Mobile (iPhone/Android):
Facebook: Menu > Settings & privacy > Settings > Audience and visibility > Posts > Who can see your future posts > select Friends (or a custom audience) > Save
Desktop (Mac/PC):
Facebook: Profile picture (top right) > Settings & privacy > Settings > Audience and visibility section > Posts > Who can see your future posts > select Friends (or a custom audience) > Done
2) Review older photos and albums
Next, go through older photos and albums. Many people forget that photos shared years ago may still be visible under outdated settings.
(Settings may vary depending on device and app version)
Mobile (iPhone/Android):
Facebook: Menu > Settings & privacy > Settings > Audience and visibility > Posts > Limit who can see past posts > Limit who can see past posts > Limit past posts > confirm
Desktop (Mac/PC):
Facebook: Profile picture > Settings & privacy > Settings > Audience and visibility section > Posts > Limit who can see past posts > Limit past posts > confirm
And check individual albums:
Mobile (iPhone/Android):
Facebook: Go to your profile > Photos > Albums > select an album > tap Edit (top right) > Who can see this? > choose who can see it > Done
Desktop (Mac/PC):
Facebook: click your name on the left > Photos > Albums > select an album > click the three dots > Edit album > choose who can see it > Done
Not all albums can be changed, and some system albums have limited privacy options.
3) Be careful what you upload
It also helps to limit what you upload in the first place. Sensitive images, documents or anything you would not want widely seen may be better kept off social platforms entirely.
META AI EDITS YOUR CAMERA ROLL FOR BETTER FACEBOOK POSTS
Authorities are investigating whether a former Meta employee improperly accessed private Facebook photos that users never intended to share. (Gabby Jones/Bloomberg via Getty Images)
4) Turn on account activity alerts and two-factor authentication
You can also enable alerts for unusual account activity. While this case involves an insider, account alerts still help you spot unauthorized access to your own profile. You can also turn on two-factor authentication (2FA) to add another layer of protection to your account.
How to turn on account activity alerts
(Settings may vary depending on device and app version)
Mobile (iPhone/Android):
Facebook: Menu > Settings & privacy > Settings > Accounts Center > Password and security > Security Checkup > review and complete recommended security steps
Desktop (Mac/PC):
Facebook: Profile picture (top right) > Settings & privacy > Settings > Accounts Center > Password and security > Security Checkup > review and complete recommended security steps
How to turn on two-factor authentication
(Settings may vary depending on device and app version)
Mobile (iPhone/Android):
Facebook: Menu > Settings & privacy > Settings > Password and security > Two-factor authentication > choose text message or authentication app > follow prompts
Desktop (Mac/PC):
Facebook: Profile picture > Settings & privacy > Settings > Password and security > Two-factor authentication > choose text message or authentication app > follow prompts
5) Check third-party app access
Take a few minutes to review which apps have access to your Facebook account. Third-party apps can sometimes hold more access than you expect.
(Settings may vary depending on device and app version)
Mobile (iPhone/Android):
Facebook: Menu > Settings & privacy > Settings > Apps and websites > Active > tap an app > Remove
Desktop (Mac/PC):
Facebook: Profile picture (top right) > Settings & privacy > Settings > Apps and websites > Active > click an app > Remove
If you don’t see any apps listed or options like “Active,” it likely means you don’t have any connected apps to review.
What this means to you
If you use Facebook or similar platforms, this situation highlights something many people overlook. Even with strong safeguards, insider access still exists. Employees often need certain permissions to keep systems running. That creates a level of trust between users and the company.
When that trust is broken, it can feel personal. At the same time, there are still steps you can take on your end. Reviewing your privacy settings, limiting what you share and enabling security features can reduce how much of your content is exposed. It also shows why detection and response matter.
In this case, Meta says it identified the issue, removed the employee and notified users. Those steps can limit damage, but they do not erase the concern. The bigger takeaway is that privacy depends on both technology and human behavior. Systems can reduce risk, but they cannot remove it completely.
Take my quiz: How safe is your online security?
Think your devices and data are truly protected? Take this quick quiz to see where your digital habits stand. From passwords to Wi-Fi settings, you’ll get a personalized breakdown of what you’re doing right and what needs improvement. Take my Quiz here: Cyberguy.com
Kurt’s key takeaways
This case is still under investigation, and no final legal outcome has been announced. Even so, it highlights a risk many people rarely think about. Most privacy conversations focus on hackers. This situation is different. It shows how access from inside a company can create its own set of risks. Meta says it acted quickly by removing the employee, notifying users and strengthening its systems. Those steps matter, but they also show how much trust users place in the platforms they use every day. The reality is simple. Once you upload something online, you are trusting more than just the technology behind it.
If someone inside a company can access private data, how much control do you really have over what you share online? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
Govee has announced an upgraded version of its hanging Curtain Lights Pro that can instead be used nearly anywhere you have access to an outlet or large battery. At $449.99, Govee’s new Lightwall is more than twice as expensive as the $199.99 Curtain Lights Pro, but comes with more LEDs in a denser array and a self-standing aluminum frame that can be assembled in 10 to 15 minutes without the need for any tools.
When hung from its stand the Lightwall measures 7.9 feet wide and 5.3 feet tall and features 1,536 color-changing LEDs spaced about 1.96 inches apart in a 48 x 32 grid. It’s water-resistant, and with the ability to refresh at up to 35fps the Lightwall almost sounds like it could be used as a personal backyard Jumbotron, but it’s not designed for watching TV or movies.
The Lightwall instead connects to Govee’s Home app where you can select from over 200 preset scenes and simple animations, choose from 10 different music modes that generate lighting patterns matched to beats, or synchronize its colors to other Govee lighting products to create a cohesive mood.
The app can also use AI to create custom animated GIFs from simple text prompts, or you can take matters into your own hands and create custom designs by sketching in the app with your finger and stacking up to 30 layers of doodles. The Lightwall is smart home compatible and supports Matter, too, so in addition to managing it through Govee’s app you can control it using voice commands through smart devices with Google Assistant or Amazon Alexa.
New video shows moments before attack involving Turning Point USA contributor at Minneapolis anti-ICE protest
Lawrence mayor’s address: Growth, safety and health focus
Pittsburgh preparing for busy weekend with Pirates game, Penguins playoff game
Augusta man missing for more than a week, family seeks answers
DC Navy Yard shooting: What happened in Washington? ‘Targeted attack’ feared as scary visuals emerge
Florida High School Football Rankings: Top 25 teams – Oct. 21
How old is Bo Nix? What to know about Oregon quarterback ahead of 2024 NFL Draft
Cleary's 21 help Le Moyne down Central Connecticut State 69-64 in OT
99th annual Pony Swim held in Virginia
Indiana Members Credit Union announced as new anchor tenant at Bottleworks District
Firefighters Likely Had Limited View of Approaching Plane in LaGuardia Crash
Tennessee governor signs nuclear family month resolution as critics push back on exclusions
Displaced Lebanese wary as ceasefire between Israel and Hezbollah begins
Retired Coast Guard officer with decades of public health experience is Trump’s pick to lead CDC | CNN
Video: A Look at the Plans for Trump’s ‘Triumphal Arch’
-
Ohio3 days ago‘Little Rascals’ star Bug Hall arrested in Ohio
-
Georgia1 week agoGeorgia House Special Runoff Election 2026 Live Results
-
Arkansas7 days agoArkansas TV meteorologist Melinda Mayo retires after nearly four decades on air
-
Austin, TX1 week agoABC Kite Fest Returns to Austin for Annual Celebration – Austin Today
-
Politics2 days agoDem fundraising giant in the hot seat as GOP lawmakers demand answers over dodged subpoena
-
Politics5 days agoTrump blasts Spanberger ahead of Virginia meetings, says state faces tax base exodus like New York, California
-
Health1 week agoWoman discovers missing nose ring traveled to her lungs, causing month-long cough
-
San Francisco, CA5 days agoPresident Trump terminates Presidio Trust