In their effort to hide the command and control (C2) server addresses, operators of a banking trojan placed them in fake websites and in descriptions for YouTube videos. […]

from https://www.bleepingcomputer.com/news/security/windows-activator-bundles-banker-with-c2-in-youtube-description/