John Hammond

@_JohnHammond

12 Tweets 7 reads Aug 30, 2022
Today I got a notification on my phone that YouTube had sent me a copyright report, claiming one of my videos violated copyright and my channel was going to receive a strike.
Except, my video didn't violate copyright. And YouTube didn't really send me a copyright report.
Turns out, pikkunovuriij[@]gmail[.]com sent me this fake copyright claim PDF. It was easily recognizable as bogus (especially since that video is me just recording my screen showing how to install a free Linux distribution in a virtual machine), but, thanks for the fun.
The PDF tries to lure an unknowing victim with some hokey threats of getting a creator's YouTube channel suspended, and urges you to "read the full report", which is a sketchy link with your email as an HTTP GET parameter. The domain is apparently new.
Poking at it through Tor or curl or anything other than a "modern browser" didn't seem to do anything, so it was likely checking user agents, but through Firefox or Chrome it would redirect to a different "download" subdomain which would redirect to a Dropbox download.
That kickstarted a download for the alleged "YouTube Copyright Report[.]zip", which, after extracting, had a cheeky "CopyrightReport.docx.scr" 🤡 It wasn't a Windows screensaver file, though, but an executable PE file. VirusTotal tracked about 10 engines that triggered it as bad.
It included a silly Microsoft Word icon to keep up the charade. Defender did not remove the file on disk in a Windows 11 VM, and did not stop it from executing, but SmartScreen stepped up to at least warn "yo this is wack dude"
Just some cursory surfing through ProcMon, it looked like it would enumerate for device info, check if AV was running, blah blah blah -- and then it tried really REALLY hard to call home to 65.21.195[.]97:20775 (Finland IP?). I had network devices removed from the sandbox.
I would really love if you wouldn't mind sharing this with a retweet or quote, if just so other creators can see what tricks and scams might be out there these days. 🙏
TRIAGE report for those interested: tria.ge
As others have pointed out, this is an example of Redline Stealer malware. This is EXTREMELY COMMON for creators, used with ploys and deceptions to try and retrieve credentials and access. The threat to have a channel suspended can be terrifying for most and often seals the deal.
For the folks playing along at home, the site has now changed to serve a new file from Discord's CDN. The file is now "CopyrightReport[.]zip", which extracts to another .docx.scr (444M this time). Still looks to call out to the same IP and port. tria.ge
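The lure above relies on a "document" name with an executable extension tacked on (CopyrightReport.docx.scr) that is really a PE file. As an added example, not code from the thread or its author, here is a small triage check that scans an archive for that pattern and confirms whether the member carries a PE header; the archive it inspects is constructed inline to mimic the one described.

```python
"""Added example (not from the thread): flag archive members that use a
deceptive double extension and actually carry a PE header."""
import io
import zipfile

# Extensions Windows will execute even when a "document" extension precedes them.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".txt", ".jpg", ".png"}

def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def suspicious_members(zip_bytes: bytes) -> list:
    """Return findings for members whose name disguises an executable as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) < 3:
                continue  # single extension: nothing deceptive about the name
            final_ext, inner_ext = "." + parts[-1], "." + parts[-2]
            if final_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
                head = zf.open(info).read(0x200)  # header only; no need to inflate it all
                findings.append({"name": info.filename, "is_pe": is_pe(head),
                                 "size": info.file_size})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake .docx.scr that is a minimal PE stub, plus a text file."""
    pe_stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    pe_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> offset 0x40
    pe_stub += b"PE\x00\x00" + b"\x00" * 20              # PE signature + padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YouTube Copyright Report/CopyrightReport.docx.scr", bytes(pe_stub))
        zf.writestr("YouTube Copyright Report/README.txt", "harmless text")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in suspicious_members(build_sample_zip()):
        print(finding)
```

Run it against a real downloaded archive by passing the file's bytes to `suspicious_members`; a member flagged with `is_pe` True despite a document-looking name is the exact shape of the lure in this thread.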