Ghost Networks Amplify Malware Distribution with 3,000 Malicious YouTube Videos

By Tina Reynolds

A concerning rise in cyber threats has emerged as “Ghost Networks” proliferate across the internet, particularly on platforms like YouTube. The network has been active since 2021. It uses hijacked social media accounts to spread more than 3,000 malicious videos, preying on unsuspecting users who are simply searching for pirated software and game cheats. The number of these harmful uploads has increased threefold since the start of the year, causing concern among cybersecurity professionals.

Ghost Networks have gained notoriety for their ability to enhance the perceived legitimacy of shared links, making them appear credible to potential victims. These networks flourish due to their distinctive role-based topology. Even when platform owners ban or remove accounts, the networks persist and even flourish. This flexibility and capacity to change dynamically has made Ghost Networks one of the most daunting adversaries for cybersecurity defenses.

The Mechanics of Ghost Networks

Ghost Networks work by taking advantage of hacked accounts. They take over real videos and other legitimate content in an effort to infect viewers with stealer malware. The videos are primarily centered on pirated software and Roblox game cheats. They prey on users who cannot see the complex and often hidden pitfalls behind what seems like innocuous content.

The videos received a lot of attention, with some of them drawing 147,000 to 293,000 views. This degree of engagement can increase the trust visitors have in the material, making it even easier to spread malware. The way this operation manipulates trust signals is worth noting, according to Eli Smadja, manager of a Check Point security research group.

“This operation took advantage of trust signals, including views, likes, and comments, to make malicious content seem safe,” – Eli Smadja

As experts have noted, a big part of the network’s success can be attributed to its smart malware distribution strategy. The Ghost Networks appear to work as a sort of collective, with other threat actors funneling malware through the compromised accounts. The purpose and scope of these operations are still not known. This raises a follow-up question: whether many actors are involved or just one is pulling the strings of the whole campaign.

A Growing Threat Landscape

The increasing prevalence of Ghost Networks reflects a broader trend in cybercrime where attackers repurpose legitimate platforms for malicious purposes. Cybersecurity company Check Point has tracked this disturbing evolution in tactics. It points out that adversaries are moving toward more complex, platform-based approaches.

“The ongoing evolution of malware distribution methods demonstrates the remarkable adaptability and resourcefulness of threat actors in bypassing conventional security defenses,” – Check Point

Ghost Networks are a telling indicator of changing trends in the cybercriminal underworld. Today, they are able to take advantage of proven distribution channels such as YouTube to reach a wider audience. The ramifications are dire: as these networks grow, users will become more susceptible than ever to infection by debilitating malware.

Unanswered Questions and Future Implications

As the investigation into Ghost Networks goes deeper, important questions are left open. Experts have yet to figure out whether all of the videos and hijacked accounts are the work of a single threat actor, or whether they are part of a shared distribution-as-a-service (DaaS) model used by multiple operators.

“We have no clear evidence that there is a single threat actor — there could be multiple actors who have adopted this method of operation,” – Check Point

Additionally, while the videos share similar descriptions and formats, it is plausible that additional threat actors could have been inspired by or copied the original operator’s methods.

“Although all of the videos share similar descriptions and formats, if there are additional threat actors involved, they may have ‘copied’ or been inspired by the original operator’s modus operandi,” – Check Point

As cybersecurity experts continue to fight this booming trend, they highlight the need for users to remain aware. Identifying the red flags of future malware snares and taking extra care when interacting with the web goes a long way toward avoiding these threats.