A new report from cybersecurity firm ESET has uncovered that the operators behind the Stantinko botnet have been using YouTube pages and channels to install crypto-jacking malware on visitors' computers.

The Stantinko botnet, initially discovered in 2017 (though it has been operating “covertly” since 2012), has reportedly infected more than half a million devices around the world, and targets users primarily in Russia, Kazakhstan, Belarus, and Ukraine. According to ESET, the operators of the botnet are now using YouTube to distribute a crypto-mining module that mines the privacy coin Monero.

The tactics used by the botnet are similar to previous cryptojacking attacks. In short, cryptojacking involves malware being installed on an unsuspecting person’s computer or device without their knowledge so that a hacker can mine cryptocurrency remotely. In doing so, the hacker can turn a profit by using the victim's processing power, instead of his or her own.


What has made the Stantinko botnet so difficult to deal with, according to ESET’s report, is that each instance of the crypto-mining module that it installs is different. “Due to the use of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this module for each new victim, each sample of the module is unique,” the report states.

ESET said that it has been in contact with YouTube regarding the botnet, and that the video streaming platform has since taken down the affected pages.

But with the Stantinko botnet constantly on the move, and looking for ways to “expand the ways they leverage the botnet they control,” according to ESET researchers, how long before it's back for more?
