YTStealer Harvesting YouTube Account Credentials

Tags: Malware Intelligence, Stealer Malware, Media, Entertainment & Marketing

Executive Summary

  • YTStealer is an information stealer that targets YouTube creators and steals their authentication cookies.
  • The stolen data gives an attacker access to and control over the victim’s YouTube account.
  • Stolen cookies let the attacker log in without re-entering the credentials.
  • Access to the victim’s channel can be used to conduct malware or phishing campaigns.
  • Use antivirus or malware removal tools.
  • Download software only from trusted sites.
  • Do not rely on cracked versions of software.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has identified an info stealer named YTStealer that targets YouTube creators and steals their authentication cookies.
  • The stealer enables an attacker to gain access to, control, modify, and monetize the affected accounts.
  • YTStealer impersonates video editing software, game cheats, or cracked software.

Categories of Impersonation

  • Software: OBS Studio, Adobe Premiere Pro, FL Studio, Ableton Live, Antares
  • Gaming Creators: Grand Theft Auto V, cheats for Counter-Strike: GO and Call of Duty, Valorant, or hacks for Roblox
  • Cracks: Norton Security and Malwarebytes, Discord Nitro and Spotify Premium

Working of the YTStealer

  • Upon execution, YTStealer uses an open-source tool named Chacal to:
    • Run anti-sandbox checks
    • Detect whether the malware itself is being analyzed in a sandbox
  • The malware then uses an open-source tool named Rod to look for YouTube authentication cookies by driving one of the installed browsers in headless mode.
  • The following data is collected:
    • YouTube authentication cookies
    • YouTube channel name
    • Monetization status
    • Subscriber information
    • YouTube Studio status
  • YTStealer is frequently dropped alongside other stealers, particularly RedLine and Vidar.
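The harvesting step above is visible on an endpoint as a process-creation event: an installed browser started by something other than the user, in headless mode, with a DevTools remote-debugging switch, and pointed at the user’s live profile (Chromium automation libraries such as Rod typically launch the browser with `--headless` and `--remote-debugging-port`). The following Python is an added, defender-side example and is not code from the CloudSEK report or from the Chacal or Rod projects. The Sysmon-like log lines, the `Image`/`ParentImage`/`CommandLine` field names, the parent-process allowlist and the scoring weights are constructed assumptions for the illustration; only the Chromium command-line switches are real.

```python
"""Score process-creation events for headless-browser cookie harvesting.

Added example (not CloudSEK/Chacal/Rod code). Events are constructed,
Sysmon-like 'Key=Value | Key=Value' lines; field names, the parent
allowlist and the weights are assumptions chosen for this demonstration.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Chromium-based browser executables that DevTools automation can drive.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Parents that normally start a browser interactively (assumption for the demo).
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe"}

# Chromium's live profile root is '<vendor>\<browser>\User Data'; automation
# that targets it (instead of a fresh temp profile) sees the user's sessions.
LIVE_PROFILE_RE = re.compile(r"\\User Data(?:\\|$)", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'Key=Value | Key=Value' line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def has_flag(cmdline: str, flag: str) -> bool:
    """True if a Chromium switch is present, as '--flag', '--flag=value' or '--flag '."""
    return re.search(r"(?:^|\s)" + re.escape(flag) + r"(?:=|\s|$)", cmdline) is not None


def user_data_dir(cmdline: str) -> Optional[str]:
    """Extract the --user-data-dir value; the path may contain spaces."""
    m = re.search(r"--user-data-dir=(.+?)(?=\s+--|\s*$)", cmdline)
    return m.group(1) if m else None


def score_event(ev: Dict[str, str]) -> Optional[Dict]:
    """Return a finding for a suspicious browser launch, or None."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image not in BROWSERS:
        return None
    cmd = ev.get("CommandLine", "")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    score, reasons = 0, []
    if has_flag(cmd, "--headless"):
        score += 1
        reasons.append("headless")
    if has_flag(cmd, "--remote-debugging-port") or has_flag(cmd, "--remote-debugging-pipe"):
        score += 1
        reasons.append("remote-debugging")
    profile = user_data_dir(cmd)
    if profile and LIVE_PROFILE_RE.search(profile):
        score += 2  # live profile is where existing YouTube sessions live
        reasons.append("live-profile")
    if parent not in EXPECTED_PARENTS:
        score += 1
        reasons.append(f"parent={parent}")
    if score < 2:
        return None
    return {"image": image, "parent": parent, "score": score,
            "severity": "high" if score >= 4 else "medium", "reasons": reasons}


def scan(lines: List[str]) -> List[Dict]:
    """Run the scoring over a batch of event lines and keep the findings."""
    return [f for f in (score_event(parse_event(l)) for l in lines) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: the user opens Chrome from the desktop.
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe | ParentImage=C:\Windows\explorer.exe"
    r" | CommandLine=chrome.exe https://studio.youtube.com/",
    # Suspicious: a fake installer drives Chrome headless against the live profile.
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r" | ParentImage=C:\Users\alice\Downloads\OBS-Studio-Setup.exe"
    r" | CommandLine=chrome.exe --headless --remote-debugging-port=9222"
    r" --user-data-dir=C:\Users\alice\AppData\Local\Google\Chrome\User Data --no-first-run --disable-gpu",
    # Ambiguous: a script automates Edge with a throwaway profile (dev tooling looks like this).
    r"Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r" | ParentImage=C:\Users\dev\AppData\Local\Programs\Python\python.exe"
    r" | CommandLine=msedge.exe --headless=new --remote-debugging-port=0"
    r" --user-data-dir=C:\Users\dev\AppData\Local\Temp\rod\profile-1 --no-first-run",
    # Not a browser at all; ignored.
    r"Image=C:\Windows\System32\notepad.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=notepad.exe --headless",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The weights are deliberately asymmetric: headless plus remote debugging alone is common developer tooling and only reaches "medium", while the same switches aimed at the `User Data` profile root from an unexpected parent is the combination that exposes existing session cookies and is scored "high".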

Delivery Mechanism

  • YTStealer lures YouTube creators by posing as applications such as Adobe Pro and Filmora.

Data Exfiltration

  • Stolen data is encrypted and sent to a C2 server associated with the domain youbot[.]solutions.
  • The domain was registered in 2021 and is associated with Youbots Solutions LLC, which is listed on Google Business and registered in Mexico.
  • The stolen data, along with YouTube credentials, is sold on cybercrime forums.
  • The stolen authentication cookies can be used to gain access to YouTube channels or accounts and demand a ransom from the owner.

Impact & Mitigation

Impact

  • The stolen cookies allow the attacker to log in as the user without re-entering the credentials.
  • Access to the victim’s channel can be used to conduct malware or phishing campaigns.
  • The stolen authentication tokens bypass MFA and allow the actor to log into the user’s accounts.

Mitigation

  • Use a good antivirus or malware removal tool to detect and clean any infections.
  • Download software or applications only from trusted sites.

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IoCs for YTStealer.

IP Address

Figures (captions only):
  • Open-source tool named Chacal
  • Open-source tool named Rod
  • YOUBOT listed on Google Business
  • YouTube credentials on sale
  • VirusTotal analysis