Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT
Nov. 17, 2025, 9:53 a.m.
Description
This report details two interconnected malware campaigns targeting Chinese-speaking users in 2025, using large-scale brand impersonation to deliver Gh0st RAT variants. The first campaign, active from February to March, mimicked three brands across over 2,000 domains. The second campaign, starting in May, impersonated over 40 applications with more sophisticated infection chains. Both campaigns used cloud infrastructure for payload delivery and DLL side-loading for evasion. The adversary demonstrated an evolving operational playbook, advancing from simple droppers to complex multi-stage infections. The campaigns' infrastructure remained active for months, indicating a persistent and well-resourced threat actor focused on Chinese-speaking targets globally.
Date
- Created: Nov. 15, 2025, 5:58 a.m.
- Published: Nov. 15, 2025, 5:58 a.m.
- Modified: Nov. 17, 2025, 9:53 a.m.
Additional Information
- Technology
- Media
- Telecommunications
- Government
- China