YouTube comments are a new way to spread malware

Password-stealing malware was noticed spreading in YouTube comments

Data-stealing malware spreads on YouTube

YouTube, the popular video sharing and streaming platform, has become attractive to malware developers. A new malicious program called Trojan.PWS.Stealer.23012[1] has been noticed spreading in the site's comment section, only a few months after a cryptocurrency miner was detected in YouTube ads.[2]

The main purpose of the trojan horse is to steal sensitive information stored in the web browser, such as email, social media, and other account credentials. The malware can also take screenshots while the victim is using the computer.

Another feature of the data-stealing trojan horse is that it is capable of copying files that are saved on the affected computer’s desktop. It targets the following file types:

.txt, .pdf, .jpg, .png, .xls, .doc, .docx, .sqlite, .db, .sqlite3, .bak, .sql, .xml.

The malware packs the stolen credentials and files into an archive, saves it in a newly created directory called C:/PG148892HQ8, and then sends it to the remote Command and Control (C&C) server.
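For a defender, the two concrete indicators in the description above are the staging directory name and the list of targeted extensions. The following triage script is an added example, not code from the original article or from the researchers who analysed the sample: it checks a drive root for the staging directory, lists anything staged there, and enumerates the Desktop files that match the targeted extension list so an analyst can judge what may have been exfiltrated. The directory layout and file names it builds are constructed for the demonstration only.

```python
import tempfile
from pathlib import Path

# Extensions named in the article as targets of Trojan.PWS.Stealer.23012
TARGET_EXTENSIONS = {
    ".txt", ".pdf", ".jpg", ".png", ".xls", ".doc", ".docx",
    ".sqlite", ".db", ".sqlite3", ".bak", ".sql", ".xml",
}

# Staging directory named in the article, created directly under the drive root
STAGING_DIR_NAME = "PG148892HQ8"


def find_staging_dir(drive_root: Path):
    """Return the staging directory if it exists under the drive root, else None."""
    candidate = drive_root / STAGING_DIR_NAME
    return candidate if candidate.is_dir() else None


def files_at_risk(desktop: Path):
    """List Desktop files whose extension is in the targeted set (case-insensitive)."""
    return sorted(
        p for p in desktop.iterdir()
        if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS
    )


def triage(drive_root: Path, desktop: Path) -> dict:
    """Summarise the indicators found: staging dir presence, its contents, exposed files."""
    staging = find_staging_dir(drive_root)
    return {
        "staging_dir_present": staging is not None,
        "staged_files": sorted(p.name for p in staging.iterdir()) if staging else [],
        "desktop_files_at_risk": [p.name for p in files_at_risk(desktop)],
    }


def build_sample_tree(base: Path):
    """Build a constructed drive layout for the demo (sample data, not a real infection)."""
    drive_root = base / "drive_c"
    desktop = drive_root / "Users" / "alice" / "Desktop"
    desktop.mkdir(parents=True)
    for name in ["notes.txt", "report.pdf", "photo.jpg", "setup.exe", "keys.sqlite"]:
        (desktop / name).write_text("constructed sample content")
    staging = drive_root / STAGING_DIR_NAME
    staging.mkdir()
    (staging / "loot.rar").write_bytes(b"constructed archive placeholder")
    return drive_root, desktop


def run_demo() -> dict:
    """Run the triage against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        drive_root, desktop = build_sample_tree(Path(tmp))
        return triage(drive_root, desktop)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host you would point `triage()` at the system drive root and the user's Desktop instead of the constructed tree; `setup.exe` is deliberately excluded from the at-risk list because executables are not among the extensions the article names.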

There is no doubt that the collection of such information can lead to privacy violations or even identity theft. Hence, it is better not to rush into clicking links in comments and video descriptions,[3] especially if they relate to doubtful or illegal activities.

Trojan.PWS.Stealer.23012 was aimed mostly at gamers

Russian researchers spotted malicious links in the YouTube comments section and in video descriptions. The links were placed near videos explaining how to cheat in or hack specific games with the help of third-party apps.

Criminals led gamers to believe that the link pointed to a download site offering the tools needed for cheating in games. In reality, the obfuscated links redirected to Yandex Disk, a Russian cloud storage service, where a further layer of deception awaited potential victims.

The attackers' page included videos and user comments purporting to prove that the program or file was fully legitimate and worked properly. All of them were fake, created by the criminals to manufacture a sense of credibility and trick people into downloading a self-extracting RAR archive.

After execution, Trojan.PWS.Stealer.23012 malware steals credentials from Google Chrome, Opera, Vivaldi and many other web browsers, as well as files from the Desktop, and sends them to a remote server.

According to recent reports, Google already removed the malicious content from YouTube.

Malware creators took advantage of YouTube for the second time this year

The appearance of the Trojan.PWS.Stealer.23012 virus is not the first time this year that malware has been detected on the world's largest video-sharing service. In January, YouTube visitors could encounter a cryptocurrency miner.

This version of the YouTube virus[4] was noticed at the end of January, when an Italian web developer observed suspicious activity on his computer. He discovered unusually high CPU usage while browsing YouTube. Analysis showed that the cause was malicious YouTube ads, which included CoinHive JavaScript code used to mine the Monero cryptocurrency.

Google needed more than a week to remove all malicious ads[5] that were targeting users in Italy, France, Spain, Japan, and Taiwan.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
