YTStealer targets YouTube content creators

Researchers are reporting the discovery of malware targeting YouTube content creators. The aim is to compromise accounts and then take over the victims’ channels completely.

The malware, dubbed YTStealer, has one game plan: Grabbing authentication cookies. A site gives you an authentication cookie when you log in, and your browser then uses it in place of a password until you log out. If somebody can steal the authentication cookie from your browser they can use it to log into whatever website you’re using, as if they are you.

Armed with YouTube cookies, YTStealer plunders YouTube accounts, and their real owners have some customer support chats waiting in their immediate future.

Targeting interests

How do malware distributors reel in YouTube channel owners in the first place? Like so many of these scams, they promote a variety of bogus applications designed to lure victims. The rogue apps don’t just install YTStealer though, they also drop several other malicious files, depending on which installer is used. Vidar and RedLine may also be present.

Several popular (fake) versions of editing and design tools, which would naturally appeal to people in video circles, are on offer. Adobe Premiere Pro, HitFilm Express, and Filmora are some of the fake installers mentioned.

Games, too, are a popular revenue stream on YouTube with game streamers and reviewers galore. No surprise, then, that fake installers and cheats for titles like Call of Duty and Grand Theft Auto are along for the ride.

The final group of bogus files relate to imitation security products and supposed cracks for Discord Nitro and Spotify Premium.

System checks and balances

Once installed on a target machine, YTStealer performs some checks to see if it’s running inside of a virtual machine. This is to see if the malware is being analysed by security researchers. If detection takes place, malware like YTStealer will typically terminate or become incredibly stubborn.

With this out of the way, YTStealer proceeds to harvest authentication cookies and fire up a browser in “headless” mode (a browser with no windows to look at). In other words: A silent, invisible browser. The victim is completely unaware of what’s happening. Swiped cookies are loaded into the phantom browser, which can now log in to YouTube as the victim.
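Detection logic for the headless-browser step described above, as an added example that is not part of the original article: it scans constructed process-creation events (image, parent process and command line; the field names are assumed, modelled on EDR-style telemetry) and flags a browser started in headless mode by a parent that is neither the desktop shell nor the browser itself, or with its profile directory staged under a temp folder, which is what a replay of stolen cookies tends to look like on the endpoint.

```python
"""Heuristic for headless browser launches that look like session-cookie replay.
Sample events are constructed for this example, not indicators from the article."""

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "chromium.exe"}
HEADLESS_FLAGS = {"--headless", "-headless"}   # Chromium "--headless[=new]", Firefox "-headless"
# Parents that normally start a browser on a workstation. Tune per environment:
# CI runners and test tooling will need their own entries.
EXPECTED_PARENTS = {"explorer.exe"}
TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "/tmp/")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_headless(cmdline: str) -> bool:
    """True if any command-line token is a headless flag, with or without '=value'."""
    return any(tok.split("=", 1)[0].lower() in HEADLESS_FLAGS for tok in cmdline.split())


def suspicious_headless_launch(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means benign."""
    image, parent = _basename(event["image"]), _basename(event["parent_image"])
    cmdline = event["cmdline"]
    if image not in BROWSER_IMAGES or not is_headless(cmdline):
        return []
    reasons = []
    # A browser's own child processes (renderers etc.) inherit the flag; ignore those.
    if parent != image and parent not in EXPECTED_PARENTS:
        reasons.append(f"headless browser started by unexpected parent {parent}")
    low = cmdline.lower()
    if "--user-data-dir=" in low and any(h in low for h in TEMP_HINTS):
        reasons.append("headless profile under a temp directory (staged cookie store)")
    return reasons


def scan(events) -> list:
    """Return (index, reasons) for every event that trips the heuristic."""
    return [(i, r) for i, e in enumerate(events) if (r := suspicious_headless_launch(e))]


SAMPLE_EVENTS = [  # constructed telemetry, field names assumed
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "chrome.exe --type=renderer --headless=new"},
    {"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Users\\vic\\Downloads\\Premiere_Pro_Setup.exe",
     "cmdline": "chrome.exe --headless=new --user-data-dir=C:\\Users\\vic\\AppData\\Local\\Temp\\x1 https://www.youtube.com/"},
]
```

Only the third constructed event is flagged, on both counts; the renderer child of a headless browser is deliberately ignored so one real headless session does not produce one alert per child process.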

The malware harvests the victim’s subscriber count, channel name, age of channel, verification status, and whether or not the channel is monetised. The data is collected, encrypted, and sent to the Command and Control (C2) server tied to the malware.

How to avoid malware aimed at YouTubers

  • Scammers will target your interests, and try to interest you in cheap / free copies of software related to the content you create. Is a stranger really going to give you free editing tools worth a few hundred dollars? Almost certainly not. “If it sounds too good to be true,” and all that.
  • Many of these files insist you turn off security protection prior to installing. Ask yourself why they’d want you to do this, and then make a sharp exit.
  • Are they directing you to a YouTube channel of their own for the download links? Check the comments. Are they disabled? Is every single comment positive, and posted from new / low quality accounts? There’s a reason for that…
  • Free cheat tools advertised on YouTube are not going to work. Bypassing anti-cheat protection in major video game titles is big business, and people pay to use these tools. Anything given away for free in this manner will do little beyond infect your system.

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.