The malware is highly likely available as a service on the Dark Web. Upon executing the malware, it performs some environment checks to avoid being executed in a sandbox. YTStealer borrows the code that performs the checks comes from an open-source project hosted on GitHub called Chacal.
“If YTStealer finds authentication cookies for YouTube, it does something interesting though. To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store.” reads the post published by Intezer. “By starting the web browser in headless mode, the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything. To control the browser, the malware uses a library called Rod. Rod provides a high-level interface to control browsers over the DevTools Protocol and markets itself as a tool for web automation and scraping.”