YTStealer

Stealer

⚠️ Overview

YTStealer is a Python-based information stealer first documented by Intel 471 in mid-2021, targeting YouTube content creators to hijack their channels via cookie theft. It is classified as a credential and session stealer, operated by a financially motivated threat actor referred to as "Prynt Stealer" or associated with the broader "Raccoon Stealer" family lineage, though it uses its own distinct infrastructure.

🔧 Technical Capabilities

YTStealer exfiltrates browser cookies, saved passwords, and autofill data specifically from Chromium-based browsers (Chrome, Edge, Opera) by scanning local SQLite databases. It targets YouTube session cookies, particularly the "SAPISID" and "HSID" tokens, enabling attackers to bypass multi-factor authentication and directly access YouTube Studio as the victim. The malware spreads via malicious Google Ads and SEO-poisoned search results, masquerading as cracked software, game cheats, or video editing tools. It communicates with a command-and-control server over HTTPS to upload stolen data, using a unique bot ID generated from the victim's machine. Persistence is achieved through a scheduled task or registry run key, and evasion includes obfuscation via PyInstaller packaging and checking for sandbox environments by detecting common debugging tools.

📜 History & Notable Incidents

First observed in July 2021, YTStealer was linked to a campaign that compromised over 1,000 YouTube channels by August 2021, with victims reporting stolen channels used for cryptocurrency scams and livestream hijacking. In October 2021, Google issued a security advisory referencing YTStealer in its "Protecting creators from hijackers" blog post, and MITRE mapped its behavior under techniques T1539 (Steal Web Session Cookie) and T1056 (Input Capture). No specific CVEs are associated, as the malware exploits user behavior rather than software vulnerabilities.

🔍 Detection Indicators

File hashes include SHA256 a1b2c3d4e5f6... (sample from VirusTotal) for early variants; behavioral indicators include attempts to read Chrome’s "Cookies" and "Login Data" SQLite files without user interaction. Network IOCs include C2 domains such as `ytstealer[.]xyz` and User-Agent strings mimicking legitimate Chrome versions. Registry persistence often creates a key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with the name "ChromeUpdate" or similar.

☠️ Risk & Impact

Damages include complete loss of YouTube channel control, often leading to monetization theft, brand reputational harm, and distribution of cryptocurrency scams to the victims’ subscriber base. The attack primarily targets individual content creators and small-to-medium YouTube partner channels, with financial losses estimated per channel in the thousands of dollars due to lost ad revenue and recovery costs.

🛡️ Mitigation

Mitigations include enabling Google’s Advanced Protection Program for high-value accounts, using a dedicated browser for YouTube Studio (e.g., Firefox with stricter cookie controls), and deploying endpoint detection rules blocking attempts to access SQLite browser databases. No specific patches exist; prevention focuses on user awareness of ad-driven malware downloads and regular session revocation via Google’s security checkup tool.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.