Gh0strat

Malware updated 2 months ago (2024-11-29T14:23:35.514Z)
Gh0stRAT is a Remote Access Trojan (RAT) first observed in 2008 that has been used continuously in various cybercrime circles for over a decade. It gained notoriety when its source code was publicly released by a Chinese hacker group called C. Rufus Security, which led to its widespread adoption by nation-state and criminal actors in several threat campaigns. Over the years, multiple authors and threat actors have modified Gh0stRAT, producing forked variants such as Sainbox and SugarGh0st RAT, the latter a remote access trojan used in the May 2024 campaign dubbed UNK_SweetSpecter. Cybersecurity firm Proofpoint has recently noted an increase in activity involving the Gh0stRAT variant known as Sainbox. This resurgence of Sainbox and other Chinese-themed malware has drawn the attention of analysts assessing the broader impact of older malware on current systems. In addition to Sainbox, Proofpoint also observed a few Chinese-language campaigns in 2023 delivering older Gh0stRAT variants, indicating a continued reliance on these established tools within certain threat actor communities. The blend of historic malware such as Sainbox and newer threats like ValleyRAT may challenge the dominance that Russian-speaking cybercrime markets hold over the threat landscape. According to FortiGuard Labs researchers, a sophisticated malware framework derived from Gh0stRAT can execute multiple actions remotely and provides attackers with extensive control over affected systems. The end of the infection chain often involves dropping Gh0stRAT alongside supplementary hacking tools such as Mimikatz, further illustrating its continued prominence in the global cyber threat environment.
Description last updated: 2024-11-06T18:04:34.426Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Chinese
Rat
Analyst Notes & Discussion
Source Document References
Information about the Gh0strat malware was read from the documents corpus below.