gh0st RAT

Malware Profile Updated 3 days ago
Gh0st RAT is a Windows remote access trojan (RAT). Once it is running on a host, its operator has interactive control of that host: a remote shell, file upload and download, keylogging, screen capture and the ability to fetch and run further payloads. It is a tool for espionage and long-term access rather than for holding data to ransom. It is delivered through spear-phishing, trojanized downloads and compromised websites, often without the user noticing, and through exploitation of vulnerabilities in exposed network infrastructure. Its source code leaked in 2008, so it is now effectively open source and is reused by many unrelated actors; that is why this profile overlaps with so many forks and vendor detection names.

Gh0st RAT has featured in multiple operations. In Operation Diplomatic Specter, a Chinese cyberespionage campaign against governmental entities in the Middle East, Africa and Asia, the samples detected as Win32/Farfli.BLH, Win32/Farfli.BUR and Win32/Farfli.CUO were identified in the second Windows cluster. The same campaign used two Gh0st RAT variants: TunnelSpecter, which emerged in November 2023 and was observed targeting governments in Asia, and SweetSpecter, which shares code with TunnelSpecter and keeps the malware's known TCP communication scheme, sending zlib-compressed TCP packets to the command and control (C2) server. Customized Gh0st RAT samples found during these attacks, including a large file named Tpwinprn.dll, underline how readily the code base is adapted.

Separately, security researchers have attributed to an APT group dubbed Unfading Sea Haze both malware based on Gh0st RAT and a web shell alternative called SharpJSHandler. Several indicators point to a Chinese origin for that group: its activity generally parallels Chinese office hours, it employs tools typically used by Chinese APT groups, its malware carries Mandarin-language code comments and debug strings, and it hosts multiple C2 servers with Chinese virtual service providers.
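The TCP framing that SweetSpecter and other forks inherit from the leaked 2008 code is simple enough to parse directly, which is how network detections for this family usually work. The following Python is an added illustration written for this profile; it is not code from the page, from Unit 42, or from any of the malware families discussed. It uses the classic layout of the original gh0st source: a 5-byte marker ("Gh0st" in the original; forks substitute their own), a little-endian 32-bit total packet length including the header, a little-endian 32-bit decompressed payload length, then the zlib stream. The sample payloads and the alternative marker "Ghost" used for the fork case are constructed for the example and do not correspond to any real variant.

```python
"""Build and parse packets in the classic Gh0st RAT TCP framing.

Layout (from the leaked 2008 gh0st source):
  bytes 0..4   5-byte marker, "Gh0st" in the original; forks change it
  bytes 5..8   uint32 LE  total packet length, header included
  bytes 9..12  uint32 LE  length of the payload after zlib decompression
  bytes 13..   zlib stream (CMF byte 0x78 for a 32K-window deflate stream)
"""
import struct
import zlib
from typing import Optional

MARKER_LEN = 5
HEADER_LEN = 13
HEADER_FMT = "<II"
ORIGINAL_MARKER = b"Gh0st"


def build_packet(payload: bytes, marker: bytes = ORIGINAL_MARKER) -> bytes:
    """Frame `payload` the way a gh0st client would before sending it."""
    if len(marker) != MARKER_LEN:
        raise ValueError("marker must be exactly 5 bytes")
    compressed = zlib.compress(payload)
    total_len = HEADER_LEN + len(compressed)
    return marker + struct.pack(HEADER_FMT, total_len, len(payload)) + compressed


def parse_packet(data: bytes) -> Optional[dict]:
    """Return the decoded frame, or None if `data` is not one gh0st frame.

    The check is structural (consistent lengths, valid zlib) rather than
    marker-based, so forks with a custom marker still match; the marker is
    reported so the caller can decide whether it is a known one.
    """
    if len(data) < HEADER_LEN:
        return None
    marker = data[:MARKER_LEN]
    total_len, plain_len = struct.unpack_from(HEADER_FMT, data, MARKER_LEN)
    if total_len != len(data):
        return None
    body = data[HEADER_LEN:]
    if not body or body[0] != 0x78:
        return None  # not a zlib stream with the window size gh0st uses
    try:
        payload = zlib.decompress(body)
    except zlib.error:
        return None
    if len(payload) != plain_len:
        return None  # header lies about the decompressed size
    return {"marker": marker, "payload": payload}


def split_stream(stream: bytes) -> tuple[list[dict], bytes]:
    """Walk a reassembled TCP stream and pull out consecutive gh0st frames.

    Stops at the first byte range that does not parse and returns the frames
    found so far plus the unconsumed remainder (a truncated frame or junk).
    """
    frames, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        total_len = struct.unpack_from("<I", stream, offset + MARKER_LEN)[0]
        if total_len < HEADER_LEN or offset + total_len > len(stream):
            break  # malformed length, or the frame is not fully received yet
        frame = parse_packet(stream[offset:offset + total_len])
        if frame is None:
            break
        frames.append(frame)
        offset += total_len
    return frames, stream[offset:]


def summarize(frames: list[dict]) -> dict:
    """Condense a parsed stream into the facts a detection rule would key on."""
    markers = {f["marker"] for f in frames}
    return {
        "frames": len(frames),
        "markers": sorted(markers),
        "original_marker": ORIGINAL_MARKER in markers,
    }


if __name__ == "__main__":
    # Constructed sample traffic: two frames with the original marker, one from
    # a hypothetical fork using the marker "Ghost", then a truncated tail.
    wire = (
        build_packet(b"\x01" + b"CMD" * 20)
        + build_packet(b"\x02" + b"A" * 200)
        + build_packet(b"\x03" + b"B" * 50, marker=b"Ghost")
    )
    frames, rest = split_stream(wire + b"Gh0st\xff\xff")
    print(summarize(frames), "unconsumed bytes:", len(rest))
```

Matching on the length fields and the zlib stream rather than on the literal "Gh0st" marker is what keeps the check useful against renamed forks; a rule that only looks for the five-byte string misses every variant that changed it.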
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Gh0st (5): Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware co
Sugargh0st (3): SugarGh0st is a potent malware strain that was first detected by Cisco Talos in November of the previous year. This malicious software, believed to be linked to Chinese hackers, has been used for cyberespionage campaigns against various entities worldwide. The malware has been particularly active si
Gh0stcringe (2): Gh0stCringe is a sophisticated malware that has been identified as a variant of Gh0st RAT, an infamous Remote Access Trojan (RAT) known for its capabilities to grant remote control to infected machines. This malicious software is designed to exploit and damage computer systems, often infiltrating th
win32/farfli.cuo (2): Win32/Farfli.CUO is a highly malicious software, also known as malware, that has been specifically designed to exploit and damage computer systems. This particular strain of malware can infiltrate systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst t
Sainbox (2): Sainbox, also known as FatalRAT, is a variant of the Gh0st RAT trojan malware that has been increasingly deployed in cybercrime activities, particularly those associated with suspected Chinese cybercrime operations. Proofpoint researchers have observed over 30 separate campaigns leveraging this malw
Fatalrat (2): FatalRAT, also known as Sainbox, is a variant of the Gh0st RAT malware that targets Windows platforms. Initially identified by Proofpoint in 2020, it has become popular with the PurpleFox threat actor group. Once infiltrated into a system, FatalRAT can log keystrokes and download and install additio
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, RAT, Windows, Backdoor, Chinese, Phishing, APT, Trojan, Exploit
Associated Malware
ID (type; votes): Profile Description
win32/farfli.bur (Gh0st RAT, relation unspecified; 2): no description
win32/farfli.cuo (Gh0st RAT, relation unspecified; 2): Win32/Farfli.CUO is a vendor detection name for a Gh0st RAT build, not a software vulnerability: it is malware that, once installed, gives the operator unauthorized remote access to and control over the affected Windows system. This variant of the Gh0st RAT (Remote Access Trojan) ha
Mirai (relation unspecified; 2): Mirai is a notorious malware that targets Internet of Things (IoT) devices to form a botnet, which can then be used to launch distributed denial-of-service (DDoS) attacks. In early 2022, Mirai botnets accounted for over 7 million detections, highlighting the widespread nature of this threat. However
Associated Threat Actors
ID (relation; votes): Profile Description
APT1 (has used; 2): APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak
Associated Vulnerabilities
Source Document References
Information about the gh0st RAT malware was read from the documents below (display limited to 20 results).
Source, age: Title
Checkpoint, 3 days ago: 27th May – Threat Intelligence Report - Check Point Research
BankInfoSecurity, 7 days ago: Active Chinese Cyberespionage Campaign Rifling Email Servers
Unit42, 7 days ago: Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
CERT-EU, 8 months ago: Malware-spreading phishing attacks target Chinese users
CERT-EU, 6 months ago: Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says | National Cyber Security Consulting
MITRE, a year ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE, a year ago: Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak | Mandiant
MITRE, a year ago: COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Malwarebytes, 4 months ago: Malicious ads for restricted messaging applications target Chinese users | Malwarebytes
InfoSecurity-magazine, a year ago: Russia’s Invasion Sparks Global Wiper Malware Surge
CERT-EU, a year ago: Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets | WeLiveSecurity
CERT-EU, 8 months ago: New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government
Checkpoint, 2 months ago: Malware Spotlight: Linodas aka DinodasRAT for Linux - Check Point Research
BankInfoSecurity, 8 months ago: Financially Motivated Hacks by Chinese-Speaking Actors Surge
CERT-EU, 8 months ago: Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT
MITRE, a year ago: Two Birds, One STONE PANDA
BankInfoSecurity, 8 days ago: Unfading Sea Haze APT Targeting South China Sea Governments
MITRE, a year ago: GALLIUM: Targeting global telecom
Securityaffairs, 7 days ago: Chinese actor 'Unfading Sea Haze' remained undetected for five years
CERT-EU, a year ago: The Chinese Sunlogin Remote Control program is actively used by hackers to carry out BYOVD attacks (title translated from Russian)