Cybercriminals Blackmail YouTube Creators to Spread Cryptocurrency Mining Malware

A sophisticated cybercrime campaign has been uncovered, targeting YouTube content creators through fraudulent copyright claims. Cybercriminals are coercing creators into distributing cryptocurrency mining malware disguised as tools to bypass Internet restrictions.

How the Blackmail Scheme Works

The attackers file two false copyright complaints against YouTube creators, exploiting the platform’s three-strike policy that can lead to channel termination. They then threaten a third strike, pressuring creators into unknowingly promoting malicious links under the false pretense of saving their accounts.

Many creators, desperate to retain their hard-earned audience and revenue, comply without realizing that the software they are sharing is embedded with malware. This has resulted in thousands of infections, with the potential to affect even more users.

SilentCryptoMiner: The Malware Behind the Scheme

The malware, identified as SilentCryptoMiner, takes advantage of the rising demand for Internet restriction bypass tools. Attackers disguise the malware within a modified version of a legitimate Deep Packet Inspection (DPI) circumvention tool originally hosted on GitHub.

While the tool appears to function normally, it silently installs SilentCryptoMiner in the background, which hijacks the victim’s system resources to mine cryptocurrency. This not only slows down affected devices but also increases their electricity consumption.

Scope of the Attack

  • Over 2,000 confirmed infections, with actual numbers likely much higher.
  • A single compromised YouTube channel with 60,000 subscribers spread malware through multiple videos.
  • The malicious links attracted 400,000+ views.
  • The fraudulent website hosting the infected archive recorded 40,000+ downloads.
  • A surge in the use of Windows Packet Divert drivers, commonly used in bypass utilities, was detected—rising from 280,000 in August to 500,000 in January, totaling over 2.4 million detections in six months.

Why This Tactic Works

Unlike traditional malware campaigns, this attack exploits trusted influencers as unwitting participants. Viewers are more likely to download software recommended by their favorite YouTubers, making this an effective social engineering tactic.

"This campaign demonstrates a concerning evolution in malware distribution tactics," said Leonid Bezvershenko, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). "While initially targeting Russian-speaking users, this approach could easily spread to other regions as Internet fragmentation increases globally."

How the Malware Avoids Detection

Once installed, the malware deploys techniques to avoid security scans and removal:

  • If a security solution detects and removes components, the modified installer displays deceptive messages like:
    “File not found, turn off all antiviruses and re-download the file, it will help!”
  • The attackers frequently change distribution channels when previous ones are blocked.
  • The malware maintains full miner functionality while appearing as a legitimate tool.

Indicators of Compromise

Kaspersky researchers identified several indicators linked to the malware, including:

  • Connections to suspicious domains such as swapme[.]fun and canvas[.]pet
  • Specific file hashes related to the infected installer
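As an added hunting example (not from the article or from Kaspersky's analysis), the Python below refangs the two domains named above and matches them against constructed DNS and proxy log lines, treating subdomains as hits but unrelated look-alike names as misses; the log formats and sample lines are assumptions.

```python
import re

# Domains named in the report, written defanged ("[.]") exactly as the page gives them.
DEFANGED_IOCS = ["swapme[.]fun", "canvas[.]pet"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'swapme[.]fun' back into 'swapme.fun'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def domain_matches(host: str, iocs=IOC_DOMAINS) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.

    'notswapme.fun' must NOT match 'swapme.fun', hence the leading '.' check.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

# Constructed sample lines in two hypothetical formats:
#   DNS:   "<timestamp> <client_ip> <record_type> <queried_name>"
#   proxy: "<timestamp> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2025-01-10T09:12:01Z 10.0.0.15 A update.swapme.fun
2025-01-10T09:12:02Z 10.0.0.15 GET http://canvas.pet/download
2025-01-10T09:13:44Z 10.0.0.23 A github.com
2025-01-10T09:14:10Z 10.0.0.42 A notswapme.fun
"""

# Optional scheme, then the host part up to the first '/', ':' or whitespace.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+)")

def extract_host(field: str) -> str:
    """Pull the hostname out of either a bare name or a URL."""
    m = HOST_RE.match(field)
    return m.group(1) if m else ""

def find_ioc_hits(log_text: str):
    """Return (client_ip, host) for every line whose host matches an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        host = extract_host(parts[3])
        if domain_matches(host):
            hits.append((parts[1], host))
    return hits

if __name__ == "__main__":
    for client_ip, host in find_ioc_hits(SAMPLE_LOG):
        print(f"IoC hit: client {client_ip} contacted {host}")
```

Two hits are reported (the subdomain query and the proxy request); the look-alike `notswapme.fun` is correctly ignored.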

How to Stay Safe

To avoid falling victim to such attacks, experts recommend the following security practices:

  1. Never disable security software when prompted by an installer—this is a common malware tactic.
  2. Watch for unusual device behavior, including overheating, battery drain, or lagging performance, which can indicate cryptojacking.
  3. Use a reputable security solution that detects hidden mining activities.
  4. Keep software updated to patch vulnerabilities that malware may exploit.
  5. Verify software sources before downloading applications—check developer credibility and independent reviews.

For a detailed technical analysis, visit Securelist.com.


Discover more from Techish Kenya

The Analyst

The Analyst delivers in-depth, data-driven insights on technology, industry trends, and digital innovation, breaking down complex topics for a clearer understanding.