Threat Actors Deliver Malware via YouTube Video Game Cracks
Proofpoint identified malicious actors distributing information stealers like Vidar, StealC, and Lumma Stealer on YouTube by promoting cracked video games and software. The actors leverage video descriptions containing links leading to malware downloads disguised as cracks or cheats. This activity primarily targets consumer users without enterprise-grade security, exploiting their interest in pirated content. Tactics involve using compromised YouTube accounts with large followings, creating temporary accounts for malware distribution, and impersonating popular cracking groups like Empress. The threat actors often provide instructions to disable antivirus software and use bloated executable files to evade detection. Command and control infrastructure leverages social platforms like Telegram, Steam, and Discord to blend in with regular network traffic.
MITRE ATT&CK & Malware Families
Indicators of Compromise (18)