Overview
- Check Point mapped a long-running operation dating to 2021 that tripled its output in 2025 before the removals.
- Operators hijacked or created channels and split duties across video, post, and interact accounts to manufacture credibility through views, likes, and comments.
- Tutorial-style videos pushed cracked software or Roblox cheats, instructing users to disable antivirus and download password-protected archives from Dropbox, Google Drive, or MediaFire.
- Links often redirected through shorteners or Google Sites, Blogger, or Telegraph pages to deliver infostealers including Lumma, Rhadamanthys, StealC, RedLine, and Phemedrone.
- Google removed more than 3,000 videos after the report, but individual videos had already drawn hundreds of thousands of views; attribution remains unconfirmed, and the operators rotate links and payloads to persist.
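The lure chain the bullets describe (tutorial video, shortener or Google Sites/Blogger/Telegraph landing page, password-protected archive on Dropbox, Google Drive or MediaFire, plus an instruction to disable antivirus) can be turned into a simple triage heuristic for a SOC that reviews reported video descriptions or already-resolved redirect chains. The script below is an added example written for this page; it is not Check Point's tooling or part of the report. The shortener domains, lure phrases, scoring weights and all sample descriptions and chains are constructed assumptions, and the landing and file-host domains are the ones the report names.

```python
"""Triage heuristics for video descriptions and redirect chains.

Added example (not from the report). Host lists follow the lure chain the
report describes; the shortener domains, lure phrases and score weights are
assumptions chosen for illustration.
"""
import re
from urllib.parse import urlparse

# Redirect layers: concrete shortener domains are assumed examples (the report only says "shorteners").
SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "rb.gy"}
# Intermediate landing pages named in the report (Google Sites, Blogger, Telegraph).
LANDING_HOSTS = {"sites.google.com", "blogspot.com", "telegra.ph"}
# File hosts named in the report as the archive delivery stage.
FILE_HOSTS = {"dropbox.com", "drive.google.com", "mediafire.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Social-engineering phrases typical of the lure (assumed list).
LURE_PHRASES = ("disable antivirus", "turn off antivirus", "disable defender",
                "password", "crack", "cheat", "free download")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _in(host: str, domains: set) -> bool:
    # Match the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url: str) -> str:
    """Label a URL by the stage of the lure chain its host belongs to."""
    host = _host(url)
    if _in(host, SHORTENERS):
        return "shortener"
    if _in(host, LANDING_HOSTS):
        return "landing"
    if _in(host, FILE_HOSTS):
        return "filehost"
    return "other"


def chain_matches_pattern(chain: list) -> bool:
    """True when an already-resolved redirect chain ends at a file host after
    passing through at least one shortener or landing page."""
    stages = [classify_url(u) for u in chain]
    return (len(stages) >= 2 and stages[-1] == "filehost"
            and any(s in {"shortener", "landing"} for s in stages[:-1]))


def triage_description(text: str) -> dict:
    """Score a video description: lure phrases and chain-stage URLs add up to a verdict."""
    urls = URL_RE.findall(text)
    stages = {u: classify_url(u) for u in urls}
    lower = text.lower()
    lures = [p for p in LURE_PHRASES if p in lower]
    score = 2 * len(lures)
    for url, stage in stages.items():
        if stage in ("shortener", "landing"):
            score += 1
        elif stage == "filehost":
            score += 2
            # A direct archive link on a file host is the strongest single signal.
            if urlparse(url).path.lower().endswith(ARCHIVE_EXT):
                score += 1
    verdict = "suspicious" if score >= 4 else "benign"
    return {"urls": stages, "lures": lures, "score": score, "verdict": verdict}


# Constructed sample inputs (not real videos, links or files).
SAMPLE_DESCRIPTION = """FREE Adobe crack 2025 working! Link: https://bit.ly/3xAbCdE
Password: 1234. Disable antivirus before extracting or it will delete the files (false positive)."""
BENIGN_DESCRIPTION = "Official tutorial. Docs: https://docs.python.org/3/tutorial/"
SAMPLE_CHAIN = [
    "https://bit.ly/3xAbCdE",
    "https://sites.google.com/view/example-installer",
    "https://www.mediafire.com/file/abc123/setup.rar/file",
]

if __name__ == "__main__":
    print(triage_description(SAMPLE_DESCRIPTION))
    print(triage_description(BENIGN_DESCRIPTION))
    print("chain matches lure pattern:", chain_matches_pattern(SAMPLE_CHAIN))
```

The score is deliberately coarse: the point is to surface descriptions that combine an "antivirus off, password inside" instruction with a redirect-chain URL for a human to review, not to block on host names alone, since the same file hosts and page builders carry plenty of legitimate traffic. Resolving the redirect chain should be done in a sandboxed fetcher and the resolved URLs then passed to `chain_matches_pattern`.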