
GachiLoader Deployed via the YouTube Ghost Network

Amber | Attack Report

GachiLoader is a Node.js-based malware loader used to deliver the Rhadamanthys infostealer through a large-scale campaign that abuses compromised YouTube accounts, an operation researchers call the YouTube Ghost Network. The campaign illustrates a growing trend toward unconventional malware development in Node.js paired with refined distribution methods, and underscores the increasing abuse of trusted platforms like YouTube for scalable malware delivery. First observed in 2021, the YouTube Ghost Network had grown to 39 compromised YouTube accounts by December 2024, publishing over 100 malicious videos promoting fake game cheats and pirated software that collectively reached approximately 220,000 views. Between March and May 2025 the network distributed the Lumma infostealer through approximately 3,000 malicious videos; on September 23, 2025 the threat actors updated their infrastructure and replaced the original payload with GachiLoader. The campaign exploits user trust in YouTube's platform visibility: video descriptions link to password-protected archives hosted on file-sharing services, often accompanied by instructions to disable Windows Defender before execution. Once launched, GachiLoader profiles the host system, collecting operating system information and installed security products, and transmits this reconnaissance data via POST requests to command-and-control infrastructure so that it can recognise sandbox environments and security analysis before deploying further stages. It delivers the Rhadamanthys infostealer payload either directly from command-and-control servers or through an embedded secondary component known as the Kidkadi dropper.
GachiLoader reflects a broader shift toward unconventional technologies in malware development. The threat actors leverage Node.js to complicate detection and employ a novel executable injection technique called “Vectored Overloading” that hides a malicious executable inside a legitimate DLL and abuses Windows exception handling mechanisms to trigger execution.

Attack Details

GachiLoader Malware Campaign Abuses YouTube Ghost Network

GachiLoader is a newly identified, heavily obfuscated loader written in Node.js and designed to deploy multiple malicious payloads on compromised Windows systems. The primary role of GachiLoader in the observed campaign is the delivery of the Rhadamanthys infostealer. The GachiLoader malware is distributed through the YouTube Ghost Network, a large-scale malware delivery operation that hijacks legitimate YouTube accounts to reach victims at scale.

These compromised YouTube channels in the Ghost Network promote fake game cheats and pirated software, exploiting user trust and YouTube platform visibility. Victims of the GachiLoader campaign are lured through video descriptions containing links to password-protected archives hosted on common file-sharing services, often accompanied by instructions to disable Windows Defender before execution. This social engineering tactic reduces the likelihood of detection during the GachiLoader malware installation process.

Once launched, GachiLoader begins by profiling the host system. The malware collects information such as the operating system version and installed security products, then transmits this reconnaissance data via POST requests to the command-and-control infrastructure. This reconnaissance phase lets the malware identify virtual machines and security tools, and so evade sandbox environments and security analysis, before deploying subsequent payloads.

Delivery of the Rhadamanthys infostealer payload varies across observed GachiLoader variants. In one case, GachiLoader retrieves the next-stage payload directly from its command-and-control server over encrypted communications. In another variant, the Rhadamanthys payload is embedded within GachiLoader itself and executed through a secondary component known as Kidkadi, which is dropped at runtime to maintain operational security and evade detection.

GachiLoader reflects a broader shift in malware development toward unconventional technologies. By building the loader in Node.js, the threat actors complicate detection and gain operational flexibility, since Node.js is less commonly monitored than traditional malware development languages. The campaign combines this with the abuse of a trusted platform, YouTube, through the Ghost Network and with a novel executable injection technique referred to as “Vectored Overloading,” which hides a malicious executable inside a legitimate DLL and abuses Windows exception handling to quietly trigger execution. Together these elements demonstrate a refined and deliberate approach to modern malware distribution that bypasses traditional security controls.

Recommendations

Protecting Against GachiLoader and YouTube Ghost Network Threats

Endpoint Hardening and Execution Control: Reduce exposure by limiting script and runtime abuse on Windows systems. Node.js should not be present or executable on endpoints unless there is a clear business requirement for the JavaScript runtime environment. Enforce application allowlisting to prevent unauthorized loaders like GachiLoader and secondary executables from running, particularly those launched from user-writable directories such as Downloads or Temp folders where GachiLoader malware typically executes.

Detection and Behavioral Monitoring: Implement behavioral detection for abnormal process activity, including Node.js instances performing system reconnaissance or initiating outbound network connections characteristic of GachiLoader malware. Monitor for suspicious artifacts such as randomly named .lock files in temporary directories, which may indicate execution control mechanisms used by loaders like GachiLoader to maintain persistence and coordinate malware deployment.

Network Visibility and Command and Control Detection: Inspect outbound traffic for unexpected POST requests to unfamiliar infrastructure originating from non-browser processes, which is characteristic of GachiLoader command-and-control communications. Early-stage beaconing used for host profiling and payload retrieval in the GachiLoader infection chain can often be detected through network monitoring and anomaly-based alerts before the Rhadamanthys infostealer is deployed.
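The three recommendations above can be turned into a single triage rule. The script below is an added example, not code from the advisory or its vendor: it runs over constructed Sysmon-style events and flags a Node.js runtime launched from a user-writable directory, an outbound POST from a non-browser process to an unfamiliar destination, and a .lock file dropped in a temp directory, then correlates the hits per process image. The directory fragments, browser list and known-destination set are assumptions to tune per environment.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry in a Sysmon-like shape; paths and IPs are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\Downloads\cheat_v2\node.exe"},
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe"},
    {"type": "network", "image": r"C:\Users\alice\Downloads\cheat_v2\node.exe",
     "method": "POST", "dest": "198.51.100.23"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "method": "POST", "dest": "203.0.113.5"},
    {"type": "file", "image": r"C:\Users\alice\Downloads\cheat_v2\node.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\a8f3k2.lock"},
]

# Directory fragments treated as user-writable staging locations (assumption).
USER_WRITABLE = ("\\downloads\\", "\\temp\\")
# Processes for which an outbound POST is expected (assumption; extend per estate).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Destinations the organisation already knows; anything else is "unfamiliar" (assumption).
KNOWN_DESTS = {"203.0.113.5"}


def is_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def flag_event(ev: dict):
    """Return a reason string if the event matches one of the advisory's indicators."""
    name = PureWindowsPath(ev["image"]).name.lower()
    if ev["type"] == "process" and name == "node.exe" and is_user_writable(ev["image"]):
        return "Node.js runtime launched from a user-writable directory"
    if (ev["type"] == "network" and ev.get("method") == "POST"
            and name not in BROWSERS and ev.get("dest") not in KNOWN_DESTS):
        return "outbound POST to unfamiliar destination from a non-browser process"
    if (ev["type"] == "file" and ev.get("path", "").lower().endswith(".lock")
            and is_user_writable(ev["path"])):
        return ".lock file written in a temporary directory"
    return None


def triage(events):
    """Group hits by process image so one image tripping several rules (launch
    location, beaconing, lock file) ranks above a single weak signal."""
    hits = {}
    for ev in events:
        reason = flag_event(ev)
        if reason:
            hits.setdefault(ev["image"], []).append(reason)
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))
```

Feed it real process, network and file-create events in the same shape and review images with two or more reasons first.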

MITRE ATT&CK TTPs

GachiLoader YouTube Ghost Network Campaign Tactics and Techniques

Initial Access:

  • T1566: Phishing – Social engineering through compromised YouTube channels
  • T1566.002: Spearphishing Link – Malicious links in YouTube video descriptions

Execution:

  • T1059: Command and Scripting Interpreter – Executing GachiLoader Node.js malware
  • T1059.007: JavaScript – Running Node.js-based GachiLoader loader
  • T1059.001: PowerShell – Potential use of PowerShell in infection chain

Persistence:

  • T1547: Boot or Logon Autostart Execution – Maintaining GachiLoader persistence on compromised systems

Privilege Escalation:

  • T1548: Abuse Elevation Control Mechanism – Bypassing security controls
  • T1548.002: Bypass User Account Control – Elevating GachiLoader privileges

Defense Evasion:

  • T1562: Impair Defenses – Instructing victims to disable Windows Defender
  • T1562.001: Disable or Modify Tools – Disabling security software before GachiLoader execution
  • T1497: Virtualization/Sandbox Evasion – GachiLoader system profiling to detect analysis environments
  • T1497.001: System Checks – Checking for virtual machines and security tools
  • T1055: Process Injection – Vectored Overloading technique
  • T1055.012: Process Hollowing – Injecting malicious code into legitimate processes
  • T1027: Obfuscated Files or Information – Heavily obfuscated GachiLoader code
  • T1027.002: Software Packing – Packing GachiLoader malware
  • T1140: Deobfuscate/Decode Files or Information – Decoding encrypted payloads
  • T1574: Hijack Execution Flow – Vectored Overloading DLL abuse
  • T1574.002: DLL Side-Loading – Hiding executables inside legitimate DLLs

Discovery:

  • T1082: System Information Discovery – GachiLoader profiling host systems
  • T1057: Process Discovery – Identifying security products and running processes

Collection:

  • T1005: Data from Local System – Rhadamanthys infostealer collecting credentials and data

Command and Control:

  • T1071: Application Layer Protocol – GachiLoader C2 communications
  • T1071.001: Web Protocols – Using HTTP/HTTPS for command and control
  • T1573: Encrypted Channel – Encrypted GachiLoader communications
  • T1573.002: Asymmetric Cryptography – Encrypted payload delivery

Exfiltration:

  • T1041: Exfiltration Over C2 Channel – Stealing data through GachiLoader infrastructure
