gh0st RAT

Malware updated a month ago (2024-10-17T13:01:05.868Z)

Download STIX

Preview STIX

Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplomatic Specter, along with the Specter malware family. In this operation, several Gh0st RAT variants were identified, including Win32/Farfli.BLH, Win32/Farfli.BUR, and Win32/Farfli.CUO, found in different Windows clusters. The Akamai Security Intelligence Response Team (SIRT) warned about multiple threat actors using Gh0st RAT to exploit PHP vulnerability C. The malware has been used by various unidentified groups to spy on targets globally, including South Korea and the Ministry of Foreign Affairs in Uzbekistan. A modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," was used in these instances. However, while there are similarities between Gh0st RAT and other malwares like Win.NOODLERAT, such as the use of the same plugins and similar packet encryption algorithms, the backdoor itself is significantly different, leading researchers to conclude that only the plugins were reused. Gh0st RAT's code was initially developed by the C. Rufus Security Team in China and leaked in 2008. Since then, it has been linked to several campaigns and malware strains. For instance, Sophos reported on a Linux version of the Gh0st RAT variant used in the Cloud Snooper Campaign in 2018. Similarly, NCC Group reported on a variant of Gh0st RAT used by Iron Tiger in 2018. Despite its links to other malwares, Gh0st RAT is considered a distinct strain. In-depth analysis of Noodle RAT, another malware, revealed overlaps with Gh0st RAT and suggested that it is likely shared among Chinese-speaking groups.

Description last updated: 2024-10-17T12:46:36.037Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Gh0st is a possible alias for gh0st RAT. Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware co	5
Gh0stcringe is a possible alias for gh0st RAT. Gh0stCringe is a variant of Gh0st RAT, a notorious malware that has been used in numerous cyber attacks. This malicious software is designed to exploit and damage computers or devices by infiltrating the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once in	4
Sugargh0st is a possible alias for gh0st RAT. SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Ko	3
win32/farfli.cuo is a possible alias for gh0st RAT. Win32/Farfli.CUO is a highly malicious software, also known as malware, that has been specifically designed to exploit and damage computer systems. This particular strain of malware can infiltrate systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst t	2
Sainbox is a possible alias for gh0st RAT. Sainbox, also known as FatalRAT, is a variant of the Gh0st RAT trojan malware that has been increasingly deployed in cybercrime activities, particularly those associated with suspected Chinese cybercrime operations. Proofpoint researchers have observed over 30 separate campaigns leveraging this malw	2
Fatalrat is a possible alias for gh0st RAT. FatalRAT, also known as Sainbox, is a variant of the Gh0st RAT malware that targets Windows platforms. Initially identified by Proofpoint in 2020, it has become popular with the PurpleFox threat actor group. Once infiltrated into a system, FatalRAT can log keystrokes and download and install additio	2
Sugargh0st Rat is a possible alias for gh0st RAT. SugarGh0st RAT is a relatively new variant of the Gh0st RAT malware, first identified by researchers at Cisco Talos in November 2023. This Remote Access Trojan (RAT) has been used to carry out cyberespionage and surveillance campaigns against various targets, including government officials in Uzbeki	2
win.noodlerat is a possible alias for gh0st RAT. Win.NOODLERAT is a malware variant that functions as a backdoor into infected systems, allowing unauthorized access and control. It is part of the Noodle RAT family, which has two versions: one for Windows (Win.NOODLERAT) and another for Linux (Linux.NOODLERAT). This malicious software infiltrates s	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Rat

Windows

Backdoor

Chinese

Encryption

Vulnerability

Apt

Trojan

Exploit

Phishing

Linux

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Noodle RAT Malware is associated with gh0st RAT. Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a new strain of malware that has been active since at least 2018. This malicious software, used by Chinese-speaking groups for espionage or cybercrime, was introduced in a Botconf 2024 presentation by Trend Micro Research. The Windows version of N	Unspecified	2
The malware win32/farfli.bur Gh0st Rat is associated with gh0st RAT.	Unspecified	2
The win32/farfli.cuo Gh0st Rat Malware is associated with gh0st RAT. The Win32/Farfli.CUO Gh0st RAT is a significant vulnerability that poses a threat to the security of Windows systems. It represents a flaw in software, design, or implementation that allows unauthorized access and control over affected systems. This variant of the Gh0st RAT (Remote Access Trojan) ha	Unspecified	2
The Mirai Malware is associated with gh0st RAT. Mirai, a malware that targets Internet of Things (IoT) devices, was responsible for over 7 million botnet detections in early 2022. This malicious software infiltrates systems often without the user's knowledge and can steal personal information, disrupt operations, or hold data hostage for ransom.	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Iron Tiger Threat Actor is associated with gh0st RAT. Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group believed to be aligned with China. The group has been involved in numerous cyber-espionage campaigns, targeting various entities including United States defense contractors and other international organizations. Their activities	Unspecified	3
The APT1 Threat Actor is associated with gh0st RAT. APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak	has used	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability A51a0bcce028966c4fcbb1581303980cf10669e0 templatex.txt win32/farfli.cuo Gh0st Rat is associated with gh0st RAT.	Unspecified	2

Source Document References

Information about the gh0st RAT Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	4 months ago	Multiple Threat Actors Moving Quickly to Exploit PHP Flaw
Securityaffairs	4 months ago	Multiple threat actors exploit PHP flaw CVE-2024-4577 to deliver malware
DARKReading	5 months ago	'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st
InfoSecurity-magazine	5 months ago	Chinese Hackers Leveraging 'Noodle RAT' Backdoor
Trend Micro	5 months ago	Noodle RAT Reviewing the New Backdoor Used by Chinese-Speaking Groups
Checkpoint	6 months ago	27th May – Threat Intelligence Report - Check Point Research
BankInfoSecurity	6 months ago	Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42	6 months ago	Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
DARKReading	6 months ago	China APT Stole Geopolitical Secrets From Middle East, Africa & Asia
Securityaffairs	6 months ago	Chinese actor 'Unfading Sea Haze' remained undetected for five years
BankInfoSecurity	6 months ago	Unfading Sea Haze APT Targeting South China Sea Governments
BankInfoSecurity	6 months ago	Hackers Target US AI Experts With Customized RAT
DARKReading	6 months ago	US AI Experts Targeted in SugarGh0st RAT Campaign
Checkpoint	8 months ago	Malware Spotlight: Linodas aka DinodasRAT for Linux - Check Point Research
Malwarebytes	10 months ago	Malicious ads for restricted messaging applications target Chinese users \| Malwarebytes
CERT-EU	a year ago	Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	a year ago	A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets
CERT-EU	a year ago	New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
Unit42	a year ago	Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
CERT-EU	a year ago	Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT \| #cybercrime \| #infosec \| National Cyber Security Consulting