Kaspersky uncovers cybercriminals blackmailing YouTube creators to spread cryptocurrency mining malware

March 13, 2025

Cybercriminals are targeting popular YouTube creators with fake copyright claims, forcing them to distribute cryptocurrency mining malware disguised as internet restriction bypass tools to thousands of viewers.

Kaspersky Global Research and Analysis Team (GReAT) researchers have uncovered a sophisticated malicious campaign in which threat actors blackmail YouTube content creators into distributing malicious software. The attackers file two fraudulent copyright complaints against a creator, then threaten a third strike, which would delete the creator's YouTube channel. To save their channels, creators post links the attackers supply, believing them legitimate and unaware that they are promoting malware.

Kaspersky's telemetry confirmed over 2,000 end users infected with the malware after downloading the tool, though the actual number of affected users is likely much higher. One compromised YouTube channel with 60,000 subscribers published several videos containing malicious links that garnered more than 400,000 views. The infected archive hosted on a fraudulent website recorded over 40,000 downloads.

The malware, dubbed SilentCryptoMiner, exploits the growing demand for internet restriction bypass tools. Kaspersky's telemetry shows a significant increase in the use of legitimate Windows Packet Divert drivers—a technology commonly used in bypass utilities—with detections rising from approximately 280,000 in August to nearly 500,000 in January, totaling more than 2.4 million detections over six months.

The attackers specifically targeted users seeking these bypass tools by modifying a legitimate Deep Packet Inspection (DPI) circumvention utility originally published on GitHub. Their malicious version maintains the original functionality to avoid suspicion, but secretly installs SilentCryptoMiner, which harvests computing resources to mine cryptocurrency without users' knowledge or consent, significantly degrading device performance and increasing electricity costs.

"This campaign demonstrates a concerning evolution in malware distribution tactics," said Leonid Bezvershenko, security researcher at Kaspersky’s GReAT. "While initially targeting Russian-speaking users, this approach could easily spread to other regions as internet fragmentation increases globally. The scheme effectively leverages trusted content creators as unwitting accomplices, which works in any market where users seek tools to circumvent online restrictions."

When security solutions detect and remove the malicious components, the modified installer encourages users to disable their antivirus protection with messages like "File not found, turn off all antiviruses and re-download the file, it will help!" — further compromising system security.

Kaspersky GReAT identified several indicators of compromise, including connections to domains like swapme[.]fun and canvas[.]pet, along with specific file hashes. The attackers demonstrate persistence, rapidly creating new distribution channels when previous ones are blocked.
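The two domains above are the only indicators the release prints (the file hashes are mentioned but not listed, so none appear here). As an added example that is not Kaspersky's code, the script below takes the defanged domains exactly as published, refangs them, and matches them against DNS query logs. The log line format and the log lines themselves are constructed for the example; the matching rule treats a query as a hit only if it equals an indicator domain or is a subdomain of it, so a look-alike such as notswapme.fun does not produce a false positive.

```python
import re

# Indicator domains exactly as published in the press release (defanged with "[.]").
DEFANGED_IOC_DOMAINS = ["swapme[.]fun", "canvas[.]pet"]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample log in a hypothetical "<timestamp> <client> query <type> <name>" format.
SAMPLE_DNS_LOG = """\
2025-03-10T09:12:01Z 10.0.0.15 query A update.swapme.fun
2025-03-10T09:12:05Z 10.0.0.15 query A canvas.pet.
2025-03-10T09:13:44Z 10.0.0.22 query A github.com
2025-03-10T09:14:10Z 10.0.0.31 query A notswapme.fun
malformed line that should be skipped
"""


def refang(domain: str) -> str:
    """Turn a defanged indicator ('swapme[.]fun') back into a matchable domain."""
    return domain.replace("[.]", ".").strip().lower()


def defang(domain: str) -> str:
    """Inverse of refang, for writing indicators back into reports safely."""
    return domain.replace(".", "[.]")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOC_DOMAINS)


def domain_matches(qname: str, iocs=IOC_DOMAINS) -> bool:
    """True if qname is an indicator domain or a subdomain of one.

    The trailing dot of a fully qualified name is ignored; a name that merely
    ends with the same characters (notswapme.fun) is not a match because the
    suffix check requires a preceding label separator.
    """
    q = qname.rstrip(".").lower()
    return any(q == ioc or q.endswith("." + ioc) for ioc in iocs)


def find_ioc_hits(log_text: str, iocs=IOC_DOMAINS) -> list:
    """Return (timestamp, client, queried name) for every log line that hits an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than treated as misses
        if domain_matches(m["qname"], iocs):
            hits.append((m["ts"], m["client"], m["qname"].rstrip(".")))
    return hits


if __name__ == "__main__":
    for ts, client, name in find_ioc_hits(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved {defang(name)}")
```

The same `find_ioc_hits` can be pointed at a real resolver or proxy export once `LOG_RE` is adjusted to that export's columns; the client address in each hit is what a responder needs next, since the host that resolved the domain is the one to check for the modified bypass tool.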

To avoid falling victim to such threats, Kaspersky recommends:

  • Never disable your security solution when prompted by installation files, as this is a common tactic to facilitate malware deployment.
  • Pay attention to unusual device behavior, such as overheating, battery drain, or performance degradation, which may indicate miner activity.
  • Use a reliable security solution such as Kaspersky Premium that can detect crypto-mining malware even when it attempts to hide its activity.
  • Don’t forget to update your operating system and all software regularly. Many security issues can be solved by installing updated versions of software.
  • Verify the reputation of developers before installing new applications by checking independent reviews and researching their background.

For a detailed technical analysis of this threat, visit Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
