Tag: gh0st rat

9 Attack Reports | 0 Vulnerabilities

Attack reports

Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea

A series of attacks targeting Korean Internet cafés have been identified, focusing on systems with specific management software installed. The threat actor, active since 2022, uses Gh0st RAT for system control and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access met…
gh0st rat
cryptocurrency mining
2025-06-04
phoenixminer
gpu mining
t-rex coinminer
Published: June 4, 2025
Downloadable IOCs: 9

Operation SalmonSlalom

A sophisticated cyberattack targeting industrial organizations in the Asia-Pacific region has been uncovered. The attackers utilized legitimate Chinese cloud services and a multi-stage payload delivery framework to evade detection. The campaign, named SalmonSlalom, employed techniques such as nativ…
dll sideloading
gh0st rat
moudoor
mydoor
2025-02-26
fatalrat
zegost
simayrat
Published: February 26, 2025
Downloadable IOCs: 160

Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named PNGPlug to deliver ValleyRAT payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer de…
espionage
gh0st rat
valleyrat
2025-01-20
pngplug
Published: January 20, 2025
Downloadable IOCs: 52

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

A command-and-control framework called Winos 4.0 is being distributed through gaming-related applications, targeting Chinese-speaking users. The malware, rebuilt from Gh0st RAT, uses a multi-stage infection process involving fake BMP files, DLLs, and shellcode. It can harvest system information, ca…
gh0st rat
cryptocurrency wallets
multi-stage infection
2024-11-06
command-and-control
winos 4.0
optimization apps
Published: November 6, 2024
Downloadable IOCs: 2

Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns

Sophos unveils a five-year investigation tracking China-based threat actors targeting perimeter devices, particularly Sophos firewalls. The report details multiple attack campaigns, including Asnarök, Bookmark Buffer Overflow, and Covert Channels, which exploited zero-day vulnerabilities to gain ac…
sliver
gh0st rat
backdoors
critical infrastructure
2024-10-31
rootkits
CVE-2020-29574
onderon
CVE-2020-15069
CVE-2022-1040
government agencies
perimeter devices
CVE-2020-12271
cloud snooper
libsophos.so
china-based threat actors
CVE-2022-3236
asnarök
zero-day vulnerabilities
asia-pacific targets
CVE-2022-1292
Published: October 31, 2024
Downloadable IOCs: 0

Toneshell Backdoor Used to Target Attendees of the IISS Defence Summit

A cyber espionage campaign using the ToneShell backdoor, associated with Mustang Panda, has been detected targeting attendees of the 2024 IISS Defence Summit in Prague. The attack utilizes a malicious PIF file masquerading as summit documents, which drops SFFWallpaperCore.exe and libemb.dll. The ma…
phishing
dll sideloading
gh0st rat
2024-09-05
toneshell
pif file
Published: September 5, 2024
Downloadable IOCs: 4

Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT

This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of…
malware
rat
evasion
encryption
dropper
gh0st rat
moudoor
mydoor
2024-07-31
Published: July 31, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 6

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Operation Specter: An Active Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia

An analysis reveals long-term espionage operations by a Chinese advanced persistent threat (APT) group against at least seven governmental entities across the Middle East, Africa and Asia since late 2022. The threat actor attempts to obtain sensitive and classified information about diplomatic and …
cyberespionage
2024-05-23
CVE-2021-34473
gh0st rat
moudoor
mydoor
tunnelspecter
email-exfiltration
sweetspecter
embassies
backdoors
CVE-2021-26855
geopolitics
Published: May 23, 2024
Linked vulnerabilities : CVE-2021-34473, CVE-2021-26855
Downloadable IOCs: 28
Click here to see more Attack Reports