Threat actors are resorting to YouTube videos featuring content related to cracked software in order to entice users into downloading an information-stealing malware called Lumma. ""These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly,"" said Fortinet FortiGuard Labs researcher Cara Lin on Monday's analysis. In the latest attack sequence documented by Fortinet, users searching for cracked versions of legitimate video editing tools like Vegas Pro on YouTube are prompted to click on a link located in the video's description, leading to the download of a bogus installer hosted on MediaFire. Lumma Stealer, written in C and offered for sale on underground forums since late 2022, is capable of harvesting and exfiltrating sensitive data to an actor-controlled server.