Tag: gh0st rat

13 Attack Reports | 0 Vulnerabilities

Attack reports

RONINGLOADER: DragonBreath's New Path to PPL Abuse

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation…
apt
gh0st rat
driver abuse
2025-11-19
ppl abuse
wdac
thread-pool injection
chinese edr evasion
roningloader
Published: November 19, 2025
Downloadable IOCs: 14

Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

This report details two interconnected malware campaigns targeting Chinese-speaking users in 2025, using large-scale brand impersonation to deliver Gh0st RAT variants. The first campaign, active from February to March, mimicked three brands across over 2,000 domains. The second campaign, starting i…
gh0st rat
dll side-loading
brand impersonation
chinese-speaking targets
multi-stage infection
cloud infrastructure
2025-11-15
domain generation
Published: November 15, 2025
Downloadable IOCs: 0

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Phantom Taurus, a newly identified Chinese state-sponsored threat actor, has been conducting espionage operations targeting government and telecommunications organizations across Africa, the Middle East, and Asia. The group's primary focus includes ministries of foreign affairs, embassies, and mili…
espionage
plugx
government
africa
gh0st rat
telecommunications
china chopper
middle east
chinese apt
asia
iis backdoor
2025-09-30
ntospy
specter
iiservercore
assemblyexecuter
net-star
database targeting
Published: September 30, 2025
Downloadable IOCs: 4

Gh0st RAT-based GodRAT attacks financial organizations

A newly identified Remote Access Trojan named GodRAT, based on the Gh0st RAT codebase, has been targeting financial firms since September 2024. The attackers distribute malicious .scr files via Skype, using steganography to embed shellcode in images. GodRAT supports plugins and is used alongside br…
steganography
asyncrat
gh0st rat
financial-sector
2025-08-19
skype
password-stealer
awesomepuppet
ms edge password stealer
godrat
chrome password stealer
Published: August 19, 2025
Downloadable IOCs: 0

Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea

A series of attacks targeting Korean Internet cafés have been identified, focusing on systems with specific management software installed. The threat actor, active since 2022, uses Gh0st RAT for system control and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access met…
gh0st rat
cryptocurrency mining
2025-06-04
phoenixminer
gpu mining
t-rex coinminer
Published: June 4, 2025
Downloadable IOCs: 9

Operation SalmonSlalom

A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers utilized legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as nativ…
dll sideloading
gh0st rat
moudoor
mydoor
2025-02-26
fatalrat
zegost
simayrat
Published: February 26, 2025
Downloadable IOCs: 160

Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named PNGPlug to deliver ValleyRAT payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer de…
espionage
gh0st rat
valleyrat
2025-01-20
pngplug
Published: January 20, 2025
Downloadable IOCs: 52

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

A command-and-control framework called Winos 4.0 is being distributed through gaming-related applications, targeting Chinese-speaking users. The malware, rebuilt from Gh0st RAT, uses a multi-stage infection process involving fake BMP files, DLLs, and shellcode. It can harvest system information, ca…
gh0st rat
cryptocurrency wallets
multi-stage infection
2024-11-06
command-and-control
winos 4.0
optimization apps
Published: November 6, 2024
Downloadable IOCs: 2

Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns

Sophos unveils a five-year investigation tracking China-based threat actors targeting perimeter devices, particularly Sophos firewalls. The report details multiple attack campaigns, including Asnarök, Bookmark Buffer Overflow, and Covert Channels, which exploited zero-day vulnerabilities to gain ac…
sliver
gh0st rat
backdoors
critical infrastructure
2024-10-31
rootkits
CVE-2020-29574
onderon
CVE-2020-15069
CVE-2022-1040
government agencies
perimeter devices
CVE-2020-12271
cloud snooper
libsophos.so
china-based threat actors
CVE-2022-3236
asnarök
zero-day vulnerabilities
asia-pacific targets
CVE-2022-1292
Published: October 31, 2024
Downloadable IOCs: 0

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…
phishing
dll sideloading
gh0st rat
2024-09-05
toneshell
pif file
Published: September 5, 2024
Downloadable IOCs: 4

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Operation Specter: An Active Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia

An analysis reveals long-term espionage operations by a Chinese advanced persistent threat (APT) group against at least seven governmental entities across the Middle East, Africa and Asia since late 2022. The threat actor attempts to obtain sensitive and classified information about diplomatic and …
cyberespionage
2024-05-23
CVE-2021-34473
gh0st rat
moudoor
mydoor
tunnelspecter
email-exfiltration
sweetspecter
embassies
backdoors
CVE-2021-26855
geopolitics
Published: May 23, 2024
Linked vulnerabilities : CVE-2021-34473, CVE-2021-26855
Downloadable IOCs: 28
Click here to see more Attack Reports