Cybercriminals Exploit YouTube Copyright Claims to Spread Malware and Cryptominers

Cybercriminals are exploiting YouTube’s copyright claim system to trick creators into promoting malware and cryptocurrency miners. They target YouTubers who share tutorials on Windows Packet Divert (WPD) tools, popular in Russia for bypassing internet censorship.
Posing as copyright holders, attackers file fake claims against these creators and then offer to resolve the issue if they add a specific download link in their videos. In other cases, they impersonate developers, asking creators to update links with a new “official” version. Fearing channel bans, many comply, unknowingly spreading trojanized WPD tools containing cryptominer downloaders.
One YouTube video promoting the malware reached over 400,000 views, with its link downloaded 40,000 times before removal. A Telegram channel with 340,000 subscribers also spread the malicious software. Kaspersky estimates at least 2,000 victims in Russia, though the true number may be higher.
The malware uses a multi-stage infection process, including a Python-based loader, antivirus evasion techniques, and SilentCryptoMiner, which mines multiple cryptocurrencies while avoiding detection. Though this campaign mainly affects Russian users, similar tactics could spread more dangerous malware globally.
Users should avoid downloading software from YouTube links, especially from smaller channels, to prevent falling victim to such scams.