Researchers Discover Self-Propagating Malware Targeting YouTube Channels

September 16, 2022

Kaspersky researchers have identified a new malware bundle that uses victim’s YouTube channels to upload malicious tutorials to spread the malicious package.

After intensive investigation, the researchers found a RAR archive containing a collection of malware, in particular RedLine, a popular information stealer. A miner is also included in the RAR archive and uses the victim’s graphic card, as they are basically watching gaming videos on YouTube. The graphic cards are used by the attackers to mine cryptocurrency.

In addition, the self-propagating malware bundle includes a legitimate Nirsoft NirCmd utility called “nir.exe,” that hides all executables at startup, and does not create windows in the user interface or any icons in the taskbar, ensuring that everything is hidden from the victim.

The researchers also discovered three malicious executables in the RAR archive that perform the bundle’s self-propagation. The three malicious executables are “MakiseKurisu.exe,” “download.exe,” and “upload.exe.”

MakiseKurisu is a modified version of a widely used C# password stealer that is used solely to extract cookies from browsers and store them locally. The second executable file, “download.exe,” is used to download a video from YouTube that is a copy of the videos promoting the malicious bundle. “upload.exe” is used to upload the malware-promoting videos to YouTube, using the stolen cookies to log on to the victim’s YouTube account and spread the bundle through their channel.

The sources for this piece include an article in BleepingComputer.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn