Gh0strat

Gh0stRAT is a Remote Access Trojan (RAT) malware first observed in 2008 when its customized variant's source code was publicly released by a Chinese hacker group, C. Rufus Security. This led to its widespread use by nation-state and criminal actors in various threat campaigns. Over the years, multiple authors and threat actors have modified Gh0stRAT, creating forked variants like Sainbox. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Proofpoint has noted an increase in the use of a variant of Gh0stRAT known as Sainbox, as well as a resurgence of other Chinese-themed malware. This trend has sparked interest among analysts assessing the broader impact of older malware on the threat landscape. In addition to Sainbox, Proofpoint also observed several Chinese language campaigns in 2023 delivering older Gh0stRAT variants. These developments suggest that the blend of historic malware like Sainbox and newer threats like ValleyRAT could challenge the dominance of the Russian-speaking cybercrime market. In May 2024, a campaign named UNK_SweetSpecter employed SugarGh0st RAT, a trojan tailored from Gh0stRAT. Furthermore, Gh0stRAT has been found to be a common commercial hacking tool in Chinese circles, with increasing usage of MSIs (Microsoft Installer packages). At the end of its infection chain, another malware called UULoader has been observed dropping Gh0stRAT and supplementary hacking tools like Mimikatz, particularly in Southeast Asia. This continual evolution and adaptation of Gh0stRAT highlight its enduring relevance in the global cybersecurity landscape.