Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT

April 20, 2026, 10:52 a.m.

Description

A sophisticated malware campaign is distributing the Gh0st Remote Access Trojan (RAT) and CloverPlus adware together through obfuscated loaders. The loader drops encrypted payloads from its resource section: one is the adware, and another is a Gh0st RAT DLL module executed via rundll32.exe. The RAT employs multiple persistence mechanisms, including registry run keys, Windows services, and Remote Access service manipulation. Its capabilities include token manipulation, DNS hijacking, keylogging that targets RDP sessions, system reconnaissance, and dead drop resolver techniques for C2 communication. The malware specifically targets security tools by blocking antivirus domains through DNS spoofing and hosts file modification. This dual-payload approach gives attackers long-term system access while generating immediate profit through adware monetization.

Date

  • Created: April 17, 2026, 11:18 p.m.
  • Published: April 17, 2026, 11:18 p.m.
  • Modified: April 20, 2026, 10:52 a.m.

Indicators

  • fda9864b1aa230b60d0c736559415ac9c79e240cce411daed5da2facb9ced87c
  • ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205

Attack Patterns

Linked vulnerabilities