
GachiLoader: Defeating Node.js Malware with API Tracing

Medium
Published: Wed Dec 17 2025 (12/17/2025, 21:22:38 UTC)
Source: AlienVault OTX General

Description

GachiLoader is a sophisticated malware loader campaign that leverages compromised YouTube accounts to distribute the Rhadamanthys infostealer. It uses a heavily obfuscated Node.js loader with advanced anti-analysis techniques and a novel PE injection method called Vectored Overloading. The malware disables Windows Defender, elevates privileges, and evades detection in order to retrieve and execute its payload. Since December 2024, over 100 videos across 39 compromised accounts have been used, reaching 220,000 views. The campaign targets Windows systems and employs multiple techniques to avoid analysis and detection. It is notable for its use of Node.js and API tracing evasion methods. Indicators include multiple IP addresses and domains linked to the campaign. No known exploits or CVEs are associated yet, but the threat is active and evolving.

AI-Powered Analysis

Last updated: 12/17/2025, 23:27:18 UTC

Technical Analysis

The GachiLoader campaign represents a new wave of malware distribution that exploits compromised YouTube accounts to spread the Rhadamanthys infostealer. The core component, GachiLoader, is a heavily obfuscated Node.js-based loader that employs advanced anti-analysis techniques to evade detection by security tools. A key innovation is its use of a novel PE injection technique named Vectored Overloading, which allows the malware to inject payloads stealthily into legitimate processes, complicating forensic analysis and detection. GachiLoader disables Windows Defender and elevates privileges on infected Windows hosts, ensuring persistence and reducing the likelihood of removal. The campaign has been active since December 2024, affecting over 100 videos and 39 YouTube accounts, with a combined view count exceeding 220,000, indicating a significant potential reach. Researchers have developed an open-source Node.js API tracing tool to better analyze this malware, highlighting the complexity and novelty of the threat. The malware leverages multiple MITRE ATT&CK techniques including process injection (T1055), obfuscated files or information (T1027), disabling security tools (T1562.001), and privilege escalation (T1134). The campaign infrastructure includes multiple IP addresses and domains, some of which are linked to command and control servers. Although no CVEs or known exploits are currently associated, the campaign's sophistication and stealth capabilities make it a notable threat. The use of YouTube as a distribution vector leverages the platform's trust and popularity, increasing the likelihood of user interaction and infection. The campaign targets Windows environments, which remain prevalent in enterprise and consumer settings globally.

Potential Impact

European organizations are at risk due to the widespread use of Windows operating systems and the popularity of YouTube as a platform for information and entertainment. The campaign's use of compromised YouTube accounts to distribute malware increases the likelihood of infection through social engineering and trusted channels. Once infected, organizations may suffer from data theft due to the infostealer payload, potentially exposing sensitive corporate and personal information. The malware's ability to disable Windows Defender and elevate privileges complicates detection and remediation, increasing dwell time and potential damage. Industries with high reliance on Windows endpoints and those with significant online presence or social media engagement are particularly vulnerable. The campaign's stealthy injection techniques and obfuscation hinder traditional endpoint detection, requiring advanced monitoring capabilities. The potential for lateral movement and privilege escalation could lead to broader network compromise. Additionally, the campaign's infrastructure includes IPs and domains located in or routing through European countries, suggesting regional targeting or transit. The reputational damage from compromised YouTube accounts and the spread of malware via trusted platforms may also impact European entities. Overall, the campaign poses a medium to high risk to confidentiality, integrity, and availability of affected systems within Europe.

Mitigation Recommendations

European organizations should implement targeted detection strategies focusing on Node.js processes exhibiting unusual behavior, such as those performing PE injection or disabling security tools. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying obfuscated code and novel injection techniques like Vectored Overloading. Monitor for privilege escalation attempts and suspicious API calls indicative of malware activity. Restrict execution of unauthorized Node.js scripts and enforce application whitelisting policies. Regularly audit and monitor social media accounts, especially those with organizational ties, to detect compromise early. Educate users about the risks of interacting with suspicious YouTube content and encourage cautious behavior regarding downloads or links. Block known malicious IP addresses and domains associated with the campaign at network perimeter devices. Employ multi-factor authentication and strong password policies to reduce account compromise risk. Utilize threat intelligence feeds to update detection signatures and indicators of compromise promptly. Finally, maintain up-to-date backups and incident response plans tailored to malware infection scenarios involving infostealers and privilege escalation.


Technical Details

Author: AlienVault
TLP: white
References: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing
Adversary: null
Pulse Id: 69431f1ea8a0f2257edd336c
Threat Score: null

Indicators of Compromise


Hash

ded68a8f5d0765740d469c08bd66270097f3474eab92ee1e65ddcdd6d15fca6e

Domain

vault-360-nexus.com
wwpac3ey.q23nfcxbnqdytjgrxutmzawczv.cg

Threat ID: 69433981058703ef3fd47271

Added to database: 12/17/2025, 11:15:13 PM

Last enriched: 12/17/2025, 11:27:18 PM

Last updated: 12/18/2025, 1:27:40 PM
