Criminals are blackmailing YouTube creators into adding malicious crypto-mining malware to their videos, according to research from cybersecurity firm Kaspersky.
The attackers have been exploiting the growing popularity in Russia of Windows Packet Divert drivers, which let internet users circumvent geographic restrictions.
Kaspersky’s systems have detected these drivers on 2.4 million devices over the past six months, with each successive month since September witnessing an increase in downloads.
The popularity of these drivers has led to a growth in YouTube videos on how to download and install them. But the criminals have even found a way to insert links to the SilentCryptoMiner malware into the descriptions of such videos.
One increasingly common tactic is to submit a copyright strike against a video and then contact its creator, claiming to be the original developer of the driver it discusses.
According to Kaspersky, the criminals were able to reach one popular YouTuber with 60,000 subscribers, ultimately adding a malicious link to videos with over 400,000 views.
But instead of leading to a legitimate repository such as GitHub, the offending links took viewers to an infected archive, which has since racked up over 40,000 downloads.
Kaspersky estimates that, by threatening YouTube creators with copyright strikes and takedowns, the criminals responsible have been able to infect some 2,000 computers in Russia with crypto-mining malware.
However, the security company suggests that the total could be significantly higher if it included other campaigns that have been launched in Telegram channels.
While crypto-mining malware has been around for several years now, Leonid Bezvershenko—a Security Researcher at Kaspersky’s Global Research and Analysis Team—says that pressuring creators with false copyright complaints is a more aggressive and unique tactic.
“While certain threats—like miners and info stealers—regularly leverage social platforms for distribution, this tactic of coercing influencers shows how cybercriminals are evolving,” he tells Decrypt. “By capitalizing on the trust between YouTubers and their audiences, attackers create large-scale infection opportunities.”
The mining malware used by the attackers, SilentCryptoMiner, is based on the well-known open-source miner XMRig, and is used to mine such tokens as Ethereum, Ethereum Classic, Monero, and Ravencoin.
It injects itself into a system process via process hollowing, and can be controlled remotely by its operators, who can stop mining whenever the original system process is active.
“In this specific campaign, most of the victims we identified are in Russia, and the malware itself was primarily available to Russian IP addresses,” confirms Bezvershenko, who nonetheless affirms that attackers often go wherever they see an opportunity.
This latest campaign comes at a time when crypto-mining viruses have become widespread as a form of malware, with the Center for Internet Security finding that CoinMiner was its second-most observed malware of 2024, behind drive-by downloader SocGholish.
And in December of last year, cybersecurity researchers at ReversingLabs found that attackers are increasingly inserting crypto-mining malware in popular open source coding packages and tools, which can often attract hundreds of thousands of weekly downloads.
While it may be hard to avoid legitimate-yet-infected coding packages if you’re a developer, Kaspersky advises general web users to stay vigilant and verify the source of any download.
As Bezvershenko says, “If a YouTube creator or a guide asks you to disable your antivirus or claims a file is completely safe, treat it with caution and perform an additional security check.”
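The advice above, verifying where a download comes from before running it, can be turned into a routine check. The following is an added example and is not code from the article or from Kaspersky: it takes a link found in a video description and the bytes of the archive it points to, confirms the host is really an expected code-hosting site rather than a lookalike, and compares the archive's SHA-256 against a checksum published by the project. The trusted-host list, the archive suffixes and the sample bytes are assumptions constructed for this example.

```python
"""Added example (not from the Decrypt article or Kaspersky): a pre-download
check for a link found in a video description. Hosts, suffixes and sample
bytes are constructed for illustration."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Hosts where a driver's source is plausibly published (assumption for this example).
TRUSTED_HOSTS = {"github.com", "gitlab.com"}
# Archive types a user is typically asked to download and unpack (assumption).
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")


def host_is_trusted(url: str) -> bool:
    """True only for https URLs whose host is exactly a trusted host or a
    subdomain of one. Lookalikes such as 'github.com.evil.example' or
    'glthub.com' fail, as does a plain-http link."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes, for comparison with a published hash."""
    return hashlib.sha256(data).hexdigest()


def check_download(url: str, data: bytes, expected_sha256: Optional[str]) -> dict:
    """Return {'ok': bool, 'reasons': [...]} explaining why a download is
    accepted or rejected. An archive with no published checksum is flagged
    even when it comes from a trusted host."""
    reasons = []
    parsed = urlparse(url)
    if not host_is_trusted(url):
        reasons.append("untrusted host: " + (parsed.hostname or "?"))
    if parsed.path.lower().endswith(ARCHIVE_SUFFIXES) and expected_sha256 is None:
        reasons.append("archive without a published checksum")
    if expected_sha256 is not None:
        # Constant-time comparison avoids leaking how many hex digits matched.
        if not hmac.compare_digest(sha256_hex(data), expected_sha256.lower()):
            reasons.append("sha256 mismatch")
    return {"ok": not reasons, "reasons": reasons}


if __name__ == "__main__":
    sample = b"constructed sample archive bytes"  # stand-in for a downloaded file
    good = check_download("https://github.com/example/driver/releases/driver.zip",
                          sample, sha256_hex(sample))
    bad = check_download("https://github.com.evil.example/driver.zip", sample, None)
    print(good)  # ok
    print(bad)   # rejected: lookalike host and no checksum
```

The check is a supplement to, not a replacement for, the antivirus the quoted guidance tells readers not to disable: a matching hash only proves the file is the one the project published, so the published checksum must itself come from the project's own page rather than from the video description.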
Edited by Stacy Elliott.