gh0st RAT

Malware updated 2 months ago (2024-07-11T19:17:42.081Z)
Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.

Variants of Gh0st RAT have been detected in several cybersecurity incidents, such as Operation Diplomatic Specter, where it was used alongside the Specter malware family, and the Cloud Snooper Campaign in 2018, where Sophos reported a Linux version of the Gh0st RAT variant. The Gh0st RAT has demonstrated its adaptability with multiple variants appearing in different cyberattacks. For instance, the second Windows cluster identified Gh0st RAT variants Farfli.BLH, Farfli.BUR, and Farfli.CUO in various file formats. The Akamai Security Intelligence Response Team (SIRT) also warned that threat actors were exploiting PHP vulnerability CVE-2024-4577 to deliver multiple malware families, including Gh0st RAT, RedTail cryptominers, and XMRig. A modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," was used to spy on targets in South Korea and the Ministry of Foreign Affairs in Uzbekistan.

The Noodle RAT malware has shown several similarities to Gh0st RAT, leading to speculation about shared origins or collaboration among Chinese-speaking groups. Both Noodle RAT and Gh0st RAT use similar plugins and packet encryption algorithms, as seen in Gh0st RAT variants like Gh0stCringe, HiddenGh0st, and Gh0stTimes. However, differences in their code led Trend Micro to conclude that while the plugins may have been reused, the backdoor mechanisms are completely different. This highlights the evolving nature of malware and the importance of continuous vigilance and advanced cybersecurity measures to counter these threats.
Description last updated: 2024-07-11T19:15:39.240Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Gh0st | 5 | Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware co |
| Gh0stcringe | 4 | Gh0stCringe is a variant of Gh0st RAT, a notorious malware that has been used in numerous cyber attacks. This malicious software is designed to exploit and damage computers or devices by infiltrating the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once in |
| Sugargh0st | 3 | SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Ko |
| win32/farfli.cuo | 2 | Win32/Farfli.CUO is a highly malicious software, also known as malware, that has been specifically designed to exploit and damage computer systems. This particular strain of malware can infiltrate systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst t |
| Sainbox | 2 | Sainbox, also known as FatalRAT, is a variant of the Gh0st RAT trojan malware that has been increasingly deployed in cybercrime activities, particularly those associated with suspected Chinese cybercrime operations. Proofpoint researchers have observed over 30 separate campaigns leveraging this malw |
| Fatalrat | 2 | FatalRAT, also known as Sainbox, is a variant of the Gh0st RAT malware that targets Windows platforms. Initially identified by Proofpoint in 2020, it has become popular with the PurpleFox threat actor group. Once infiltrated into a system, FatalRAT can log keystrokes and download and install additio |
| Sugargh0st Rat | 2 | SugarGh0st RAT is a relatively new variant of the Gh0st RAT malware, first identified by researchers at Cisco Talos in November 2023. This Remote Access Trojan (RAT) has been used to carry out cyberespionage and surveillance campaigns against various targets, including government officials in Uzbeki |
| win.noodlerat | 2 | Win.NOODLERAT is a malware variant that functions as a backdoor into infected systems, allowing unauthorized access and control. It is part of the Noodle RAT family, which has two versions: one for Windows (Win.NOODLERAT) and another for Linux (Linux.NOODLERAT). This malicious software infiltrates s |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Windows
Backdoor
Chinese
Encryption
Vulnerability
Apt
Trojan
Exploit
Phishing
Linux
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Noodle RAT | Unspecified | 2 | Noodle RAT, also known as ANGRYREBEL or Nood RAT, is a new strain of malware that has been active since at least 2018. This malicious software, used by Chinese-speaking groups for espionage or cybercrime, was introduced in a Botconf 2024 presentation by Trend Micro Research. The Windows version of N |
| win32/farfli.bur Gh0st Rat | Unspecified | 2 | None |
| win32/farfli.cuo Gh0st Rat | Unspecified | 2 | The Win32/Farfli.CUO Gh0st RAT is a significant vulnerability that poses a threat to the security of Windows systems. It represents a flaw in software, design, or implementation that allows unauthorized access and control over affected systems. This variant of the Gh0st RAT (Remote Access Trojan) ha |
| Mirai | Unspecified | 2 | Mirai is a type of malware that specifically targets Internet of Things (IoT) devices such as smart speakers, cameras, and connected home equipment. It exploits weak Telnet (port 23) and SSH (port 22) credentials to gain control over these devices. Once infected, these devices are then incorporated |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Iron Tiger | Unspecified | 3 | Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group known for executing malicious actions with the intent of espionage. The group became prominent after its involvement in Operation Iron Tiger, which was reported in 2015. This operation was a series of Chinese cyber-espionage att |
| APT1 | has used | 2 | APT1, also known as Unit 61398 or Comment Crew, is a notorious cyber-espionage group believed to be part of China's People's Liberation Army (PLA) General Staff Department's 3rd Department. This threat actor has been linked with several high-profile Remote Access Trojans (RATs), enabling them to tak |
Source Document References
Information about the gh0st RAT Malware was read from the documents corpus below. This display is limited to 20 results.
| Source | Created | Title |
| --- | --- | --- |
| BankInfoSecurity | 2 months ago | Multiple Threat Actors Moving Quickly to Exploit PHP Flaw |
| Securityaffairs | 2 months ago | Multiple threat actors exploit PHP flaw CVE-2024-4577 to deliver malware |
| DARKReading | 3 months ago | 'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st |
| InfoSecurity-magazine | 3 months ago | Chinese Hackers Leveraging 'Noodle RAT' Backdoor |
| Trend Micro | 3 months ago | Noodle RAT Reviewing the New Backdoor Used by Chinese-Speaking Groups |
| Checkpoint | 3 months ago | 27th May – Threat Intelligence Report - Check Point Research |
| BankInfoSecurity | 3 months ago | Active Chinese Cyberespionage Campaign Rifling Email Servers |
| Unit42 | 3 months ago | Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia |
| DARKReading | 3 months ago | China APT Stole Geopolitical Secrets From Middle East, Africa & Asia |
| Securityaffairs | 4 months ago | Chinese actor 'Unfading Sea Haze' remained undetected for five years |
| BankInfoSecurity | 4 months ago | Unfading Sea Haze APT Targeting South China Sea Governments |
| BankInfoSecurity | 4 months ago | Hackers Target US AI Experts With Customized RAT |
| DARKReading | 4 months ago | US AI Experts Targeted in SugarGh0st RAT Campaign |
| Checkpoint | 5 months ago | Malware Spotlight: Linodas aka DinodasRAT for Linux - Check Point Research |
| Malwarebytes | 7 months ago | Malicious ads for restricted messaging applications target Chinese users \| Malwarebytes |
| CERT-EU | 9 months ago | Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting |
| DARKReading | 9 months ago | A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets |
| CERT-EU | a year ago | New Report Uncovers 3 Distinct Clusters of China-Nexus Attacks on Southeast Asian Government |
| Unit42 | a year ago | Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus |
| CERT-EU | a year ago | Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT \| #cybercrime \| #infosec \| National Cyber Security Consulting |