Cybercriminals are falsely claiming copyright ownership of Windows Packet Divert (WPD) tools to pressure YouTube creators into spreading malware and cryptocurrency miners.
These scammers file bogus copyright claims on videos featuring WPD tools and then contact creators, offering to withdraw the claims if they include a specific download link in their video descriptions.
Creators, fearing YouTube’s three-strike policy and potential channel bans, comply with the demand, unknowingly promoting malware-laced WPD tools hosted on GitHub.
Kaspersky reports that a video with over 400,000 views had a malicious link that reached 40,000 downloads before removal, and a Telegram channel with 340,000 subscribers also spread the malware.
The malware, delivered via a trojanized archive, uses a Python-based loader executed through PowerShell, with evasion techniques such as bloating the file size, checking for sandboxes, and disabling Microsoft Defender.
It ultimately installs SilentCryptoMiner, a modified XMRig miner that secretly mines multiple cryptocurrencies while avoiding detection by pausing activity when monitoring tools are active.
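As an added defender-side example (not from Kaspersky's report or the article), the audit below checks a Windows host for the two behaviours just described: Defender real-time protection being disabled or hollowed out with exclusions, and PowerShell script blocks that launch a Python interpreter. It assumes Microsoft Defender is the installed antivirus, that PowerShell script block logging (event ID 4104) is enabled, and that the 24-hour lookback is a chosen value.

```powershell
# Run in an elevated PowerShell session. Lookback window is an assumed default.
param([int]$LookbackHours = 24)

$findings = @()

# 1. Defender state: real-time protection off, tamper protection off, or exclusions added
#    (the "disabling Microsoft Defender" step described above).
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

if (-not $status.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is disabled" }
if (-not $status.IsTamperProtected)         { $findings += "Defender tamper protection is off" }
if ($prefs.DisableRealtimeMonitoring)       { $findings += "DisableRealtimeMonitoring preference is set" }
foreach ($p in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
    if ($p) { $findings += "Defender exclusion present: $p" }
}

# 2. PowerShell-to-Python handoff: script blocks logged as event 4104 whose text
#    references a python interpreter (the loader pattern described above).
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue   # no matching events is not an error here

foreach ($ev in $blocks) {
    # For event 4104 the third property (index 2) is ScriptBlockText.
    $text = [string]$ev.Properties[2].Value
    if ($text -match '(?i)\bpython(w|3)?(\.exe)?\b') {
        $oneLine = $text -replace '\s+', ' '
        $excerpt = $oneLine.Substring(0, [Math]::Min(120, $oneLine.Length))
        $findings += "PowerShell script block at $($ev.TimeCreated) references python: $excerpt"
    }
}

# 3. Report. Any finding here warrants a closer look at what was downloaded and from where.
if ($findings.Count -eq 0) {
    "No findings in the last $LookbackHours hours."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A hit on step 2 is not proof of infection on its own (legitimate automation also calls Python from PowerShell); correlate it with the Defender findings and with the archive's origin.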
Although the campaign primarily targets Russian users, security experts warn that similar tactics could be expanded to distribute more dangerous malware, such as ransomware or info-stealers.
To stay safe, users should avoid downloading software from YouTube video links, especially from small or mid-sized channels that could be vulnerable to extortion.