A sophisticated malware distribution campaign leveraging over 3,000 malicious YouTube videos has been uncovered, targeting users seeking pirated software and game cheats.

The YouTube Ghost Network represents a coordinated ecosystem of compromised accounts that exploit platform features to distribute information-stealing malware while creating false trust through fabricated engagement.

Active since 2021, the network has dramatically escalated operations in 2025, with malicious video production tripling compared to previous years.

The campaign primarily focuses on two high-traffic categories: game modifications and cracked software applications.

The most viewed malicious video advertises Adobe Photoshop, accumulating 293,000 views and 54 comments, while another promoting FL Studio reached 147,000 views.

These videos direct victims to file-sharing platforms where password-protected archives containing malware await download. Common passwords include “1337” and “2025”, with instructions consistently advising users to disable Windows Defender before execution.

Check Point researchers identified the network’s operational structure, revealing three distinct account roles working in coordination.

Video-accounts upload deceptive content with download links embedded in descriptions or pinned comments.

Post-accounts maintain community messages containing external links and archive passwords, frequently updating them to evade detection.

Interact-accounts generate artificial legitimacy by posting encouraging comments and likes, manipulating victims into believing the software functions as advertised.

The distributed malware consists primarily of infostealers, with Lumma dominating until its disruption between March and May 2025.

Following this takedown, threat actors pivoted to Rhadamanthys as their preferred payload. The latest Rhadamanthys variant (v0.9.2) communicates with command-and-control servers including hxxps://94.74.164[.]157:8888/gateway/6xomjoww.1hj7n, exfiltrating credentials and sensitive user data.

Detection Evasion Through Technical Sophistication

The campaign employs multiple layers of evasion to bypass security measures and maintain persistence.

Attackers host files on legitimate platforms such as MediaFire, Dropbox, and Google Drive, exploiting user trust in these services.

Large archive files exceeding 189MB prevent automated virus scanning on Google Drive, while password protection blocks security solutions from analyzing contents.

Shortened URLs conceal true destinations, and phishing pages hosted on Google Sites further legitimize the operation.

The malware infrastructure demonstrates rapid adaptability, with actors updating payloads every three to four days and rotating command-and-control servers with each release.

MSI installer files exhibit low detection rates, with recent samples evading 57 of 63 security vendors on VirusTotal.

Campaign updates maintain timestamps indicating continuous operation, with recent variants compiled on September 21 and 24.

One analyzed archive contained HijackLoader as the initial payload, subsequently delivering Rhadamanthys with communication to hxxps://5.252.155[.]99/gateway/r2sh55wm.a56d3.

This short-lived build strategy prevents reputation-based blocking mechanisms from accumulating sufficient data to identify threats.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post YouTube Ghost Malware Network With 3,000+ Malicious Videos Attacking Users to Deploy Malware appeared first on Cyber Security News.

Cybersecurity researchers have uncovered a sophisticated ransomware campaign where Agenda group threat actors are deploying Linux-based ransomware binaries directly on Windows systems, targeting VMware virtualization infrastructure and backup environments.

This cross-platform execution technique challenges traditional security assumptions and demonstrates how ransomware operators are adapting to bypass endpoint detection systems that primarily focus on Windows-native threats.

The attack campaign leverages a novel deployment method combining legitimate remote management tools with advanced defense evasion tactics.

Attackers utilize WinSCP for secure file transfer and Splashtop Remote for executing Linux ransomware payloads on Windows machines, creating an unconventional attack vector that sidesteps conventional security controls.

The deployment of Linux binaries through remote management channels creates detection challenges for security solutions not configured to monitor cross-platform execution.

Initial access was established through sophisticated social engineering schemes involving fake CAPTCHA pages hosted on Cloudflare R2 infrastructure.

These convincing replicas of Google CAPTCHA verification prompts delivered information stealers to compromised endpoints, systematically harvesting authentication tokens, browser cookies, and stored credentials.

The stolen credentials provided threat actors with valid accounts necessary for initial environment access, enabling them to bypass multifactor authentication and move laterally using legitimate user sessions.

Trend Micro researchers identified that the attack chain demonstrated advanced techniques including Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances across various system directories to obfuscate command-and-control traffic.

The attackers abused legitimate tools, specifically installing AnyDesk through ATERA Networks’ remote monitoring and management platform and ScreenConnect for command execution, while utilizing Splashtop for final ransomware execution.

They specifically targeted Veeam backup infrastructure using specialized credential extraction tools, systematically harvesting credentials from multiple backup databases to compromise disaster recovery capabilities before deploying the ransomware payload.

Since January 2025, Agenda has affected more than 700 victims across 62 countries, primarily targeting organizations in developed markets including the United States, France, Canada, and the United Kingdom.

The ransomware-as-a-service operation systematically targeted high-value sectors, particularly manufacturing, technology, financial services, and healthcare industries characterized by operational sensitivity, data criticality, and higher likelihood of ransom payment.

Cross-Platform Ransomware Execution Mechanism

The final ransomware deployment showcased unprecedented cross-platform execution capabilities.

The threat actors utilized WinSCP to securely transfer the Linux ransomware binary to Windows systems, placing the payload on the desktop with a .filepart extension before finalizing the transfer.

The execution method employed Splashtop Remote’s management service (SRManager.exe) to directly run the Linux ransomware binary on Windows platforms:-

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
└── C:\Users\<REDACTED>\Desktop\mmh_linux_x86-64

Analysis of the Linux ransomware binary revealed extensive configuration capabilities and platform-specific targeting.

The payload implemented comprehensive command-line parameters including debug mode, logging levels, path specifications, whitelist configurations, and encryption control parameters.

Execution required password authentication and displayed verbose configuration output including whitelisted processes, file extension blacklists, and path exclusions.

The configuration demonstrated extensive targeting of VMware ESXi paths such as /vmfs/, /dev/, and /lib64/ while excluding critical system directories, showcasing hypervisor-focused deployment strategies.

Earlier variants implemented operating system detection for FreeBSD, VMkernel (ESXi), and standard Linux distributions, enabling platform-specific encryption behavior.

Updated samples incorporated Nutanix AHV detection, expanding targeting to include hyperconverged infrastructure platforms and demonstrating the threat actors’ adaptation to modern enterprise virtualization environments beyond traditional VMware deployments.

This unconventional execution approach bypassed traditional Windows-focused security controls, as most endpoint detection systems are not configured to monitor or prevent Linux binaries being executed through legitimate remote management tools on Windows platforms.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Agenda Ransomware Actors Deploying Linux RAT on Windows Systems Targeting VMware Deployments appeared first on Cyber Security News.

A sophisticated text message phishing campaign originating from China has emerged as one of the most extensive cybersecurity threats targeting users worldwide.

The operation, attributed to a threat collective known as the Smishing Triad, represents a massive escalation in SMS-based fraud, impersonating services across banking, healthcare, law enforcement, e-commerce, and government sectors.

What began as isolated incidents of toll violation notices has evolved into a coordinated global campaign affecting users in over 121 countries.

Palo Alto Networks analysts identified the campaign’s unprecedented scale through comprehensive threat intelligence gathering.

Their research uncovered 194,345 fully qualified domain names spanning 136,933 root domains registered since January 2024.

The attack infrastructure demonstrates remarkable sophistication, with threat actors registering and cycling through thousands of domains daily to evade detection mechanisms.

The majority of these domains flow through Dominet (HK) Limited, a Hong Kong-based registrar, while utilizing Chinese nameservers for DNS infrastructure.

However, the actual hosting infrastructure concentrates within U.S. cloud services, particularly within autonomous system AS13335 on the 104.21.0.0/16 subnet.

The campaign’s delivery mechanisms have undergone significant transformation. Early attacks employed email-to-SMS features through iMessage, but threat actors have recently transitioned to direct phone number-based delivery.

Messages predominantly originate from Philippine international codes (+63) and U.S. numbers (+1), creating an illusion of legitimacy.

The phishing messages themselves employ sophisticated social engineering tactics, incorporating targeted personal information and technical jargon to establish urgency and credibility.

Palo Alto Networks researchers noted that the operation functions as a comprehensive Phishing-as-a-Service ecosystem operating through Telegram channels.

Analysis of the Smishing Triad’s communication networks revealed a highly specialized supply chain with distinct roles.

Data brokers sell target phone numbers, domain sellers register disposable domains, and hosting providers maintain backend infrastructure.

Phishing kit developers create frontend interfaces and credential harvesting dashboards, while SMS spammers deliver messages at scale.

Supporting roles include liveness scanners verifying active phone numbers and blocklist scanners monitoring domain reputation to trigger rapid asset rotation.

Underground Infrastructure and Domain Lifecycle

The campaign’s infrastructure exhibits remarkable resilience through decentralization and rapid domain cycling.

Palo Alto Networks analysts observed that 29.19 percent of domains remain active for two days or less, with 71.3 percent lasting under one week.

Domain naming conventions typically follow hyphenated string patterns like gov-addpayment.info or com-posewxts.top, deliberately crafted to deceive casual inspection.

The Telegram chat records shows various underground service providers competing within the PhaaS ecosystem.

While the interconnected infrastructure reveals how 90 different root domains route through concentrated IP address clusters within Cloudflare’s network infrastructure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Text Message Based Phishing Attack from China Targeting Users Around the Globe appeared first on Cyber Security News.

A sophisticated malware operation has emerged from Brazil, leveraging advanced steganographic techniques to conceal malicious payloads within seemingly harmless image files.

The Caminho loader, active since at least March 2025, represents a growing threat to organizations across South America, Africa, and Eastern Europe, delivering diverse malware families including REMCOS RAT, XWorm, and Katz Stealer through an intricate multi-stage infection chain.

The campaign begins with carefully crafted spear-phishing emails containing compressed archives that house JavaScript or VBScript files.

These initial scripts use business-themed social engineering lures such as fake invoices and quotation requests to trick recipients into executing the malicious code.

Upon execution, the script retrieves an obfuscated PowerShell payload from Pastebin-style services, which then downloads steganographic images from archive.org, a legitimate non-profit digital archive platform.

The use of trusted platforms allows the malware to evade traditional security controls that rely on domain reputation and blocklists.

Arctic Wolf analysts identified the loader’s most notable innovation in its use of Least Significant Bit (LSB) steganography to extract concealed .NET assemblies from image files.

The PowerShell script searches for a specific BMP header signature within downloaded JPG or PNG files, then iterates through every pixel to extract RGB color channel values that encode the hidden binary data.

The first four bytes specify the payload length, followed by the Base64-encoded malicious assembly.

Analysis of 71 Caminho loader samples reveals consistent Portuguese-language code throughout, with variable names like “caminho” (path), “persitencia” (persistence), and “minutos” (minutes), strongly indicating Brazilian origins.

The extracted loader operates entirely in memory, implementing extensive anti-analysis checks including virtual machine detection, sandbox environment identification, and debugging tool recognition.

The malware validates payload architecture before injecting the final payload into legitimate Windows processes such as calc.exe, establishing persistence through scheduled tasks that re-execute the infection chain every minute.

This fileless execution approach defeats traditional file-based detection mechanisms and leaves minimal forensic artifacts on compromised systems.

Loader-as-a-Service Business Model

The operational patterns observed across multiple campaigns strongly suggest Caminho functions as a Loader-as-a-Service operation rather than a single threat actor’s tool.

The standardized invocation interface accepts arbitrary payload URLs as arguments, enabling multiple customers to deploy different malware families using the same delivery infrastructure.

Infrastructure analysis reveals the reuse of identical steganographic images across campaigns with varying final payloads, confirming the modular service architecture.

The diverse payload delivery includes REMCOS RAT deployed via bulletproof hosting command-and-control infrastructure on AS214943 Railnet LLC, XWorm delivered from malicious domains, and Katz Stealer credential-harvesting malware.

Confirmed victims span Brazil, South Africa, Ukraine, and Poland, with geographic expansion coinciding with the adoption of steganographic techniques in June 2025.

The campaign demonstrates operational maturity through continuous infrastructure rotation, obfuscation updates, and the abuse of legitimate services for malicious hosting.

Code snippet demonstrating the LSB extraction technique:-

$plectonephric = [Drawing.Bitmap]::FromStream($biological);
$muffin = New-Object Collections.Generic.List[Byte];
for ($tazias = 0; $tazias -lt $plectonephric.Height; $tazias++) {
    for ($lidger = 0; $lidger -lt $plectonephric.Width; $lidger++) {
        $elayle = $plectonephric.GetPixel($lidger, $tazias);
        $muffin. Add($elayle.R);
        $muffin. Add($elayle.G);
        $muffin. Add($elayle.B)
    }
};

Organizations should implement layered security controls including blocking JavaScript and VBScript files within archive attachments, deploying email sandboxing that executes scripts and follows network connections, monitoring PowerShell with encoded commands, and enabling memory scanning capabilities to detect in-memory payloads.

The extensive use of legitimate platforms like archive.org presents unique challenges for traditional perimeter defenses, as blanket blocking may impact legitimate business operations while selective URL blocking proves ineffective against the operators’ demonstrated infrastructure rotation capabilities.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Caminho Malware Loader Uses LSB Steganography and to Hide .NET Payloads Within Image Files appeared first on Cyber Security News.