Initial Infection Vector
The hacker initially breaches a YouTuber’s account and uploads videos masquerading as sharing cracked software. Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors malicious content for the next stage of the attack. The videos were uploaded earlier this year, but the files on the file-sharing site receive regular updates (Figure 4), and the number of downloads keeps growing. This indicates that the ZIP file is always new and that this method effectively spreads malware.
