Attackers have found a new way to infect people seeking pirated or cracked software: planting malicious download links in YouTube descriptions, comments, and even Google search listings. Victims who follow these links unwittingly install infostealing malware like Lumma or Vidar, endangering their credentials and cryptocurrency wallets. By leveraging trusted platforms and clever evasion tactics, the criminals make these attacks hard to spot.
New research from Trend Micro highlights how threat actors exploit the popularity of “free software install” videos on YouTube. These malicious channels claim to help viewers sidestep paywalls and licensing fees — but what looks like a convenient tutorial quickly turns into a trap. In the video descriptions or pinned comments, attackers paste links promising cracked software. Instead, a downloader hosted on reputable file-sharing sites like Mediafire or Mega.nz delivers infostealing malware hidden inside large, password-protected archives.
This same scheme has spilled over onto Google as well. When users search for pirated or cracked software, they might see shortened links in the search results that appear legitimate at first glance. One example cited by Trend Micro researchers pretends to be a link for Autodesk software. In reality, the user ends up with a booby-trapped download containing an infostealer designed to raid browser-stored passwords and crypto-wallet data.
What’s more, operators of this campaign have added multiple layers of evasion and anti-analysis to avoid detection. For instance, password-protected malware files can slip past automated scanning tools. The shortened links also protect the real download source from being prematurely flagged by security vendors. In combination with the trustworthiness of sites like YouTube, Google, and well-known hosting services, these tactics give criminals a potent cover.
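The password-protection trick works because a scanner cannot open the archive's contents without the key. The archive header still tells a defender that much, so a download gateway or endpoint tool can flag such archives as uninspected rather than silently passing them. The following is an added example, not code from Trend Micro or the campaign analysis: it parses the ZIP central directory directly, reports which entries carry the encryption flag, and builds constructed sample archives (the "encrypted" sample only sets the header bit, its payload stays in the clear) to exercise the check.

```python
import struct
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ENCRYPTED_BIT = 0x0001  # general-purpose flag bit 0: entry is password-protected


def build_zip(entries, encrypted=False):
    """Construct a minimal STORE-method ZIP from (name, payload) pairs.

    Constructed sample only: with encrypted=True the header flag is set the way
    a password-protected archive sets it, but the payload is left in the clear,
    which is enough to exercise a header-based check."""
    flag = ENCRYPTED_BIT if encrypted else 0
    local, central = b"", b""
    for name, payload in entries:
        nb, crc, n = name.encode(), zlib.crc32(payload), len(payload)
        offset = len(local)  # where this entry's local header starts
        local += LFH_SIG + struct.pack("<HHHHHIIIHH", 20, flag, 0, 0, 0, crc, n, n, len(nb), 0) + nb + payload
        central += CDH_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flag, 0, 0, 0, crc, n, n, len(nb), 0, 0, 0, 0, 0, offset) + nb
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return local + central + eocd


def encrypted_entries(data):
    """Walk the central directory and return the names of entries whose
    encryption bit is set. A scanner cannot inspect those entries' contents
    without the password, so the archive should be treated as uninspected."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: end-of-central-directory record missing")
    _, _, _, total, _, pos = struct.unpack_from("<HHHHII", data, eocd + 4)
    names = []
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        if flags & ENCRYPTED_BIT:
            names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len  # next central directory record
    return names


def verdict(data):
    """Triage label for a downloaded archive: 'uninspectable' when any entry is
    password-protected, otherwise 'scannable'."""
    return "uninspectable" if encrypted_entries(data) else "scannable"


if __name__ == "__main__":
    clean = build_zip([("readme.txt", b"hello")])
    locked = build_zip([("installer.exe", b"MZ..."), ("readme.txt", b"pw: 1234")], encrypted=True)
    print(verdict(clean), verdict(locked), encrypted_entries(locked))
```

An "uninspectable" verdict is a reason to hold or sandbox the download, not proof of malice; legitimate archives are password-protected too, which is exactly why the scheme relies on it.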
The ultimate target is the end user, many of whom let their guard down in pursuit of “free” or “cracked” software. Once installed, infostealers such as Lumma and Vidar silently harvest whatever valuable data they can — from banking details to social media logins. For enterprises, the risk is even greater: an employee who falls for these scams could unintentionally open the door to corporate network compromise, credential dumping, or worse.
Security experts warn that organizations must stay vigilant. Trend Micro underscores the importance of layered defenses — blocking questionable downloads at the network level, rigorously monitoring endpoints for abnormal activity, and teaching employees about the perils of running pirated or otherwise “too good to be true” software. Ultimately, the best defense starts with awareness: if it isn’t from a trusted source, it probably isn’t worth the risk.