Gh0strat

Malware Profile Updated 2 months ago
Gh0stRAT is a Remote Access Trojan (RAT) first observed in 2008. Over the years its publicly available source code has been modified by various authors and threat actors, producing several variants such as Sainbox. For over a decade, Gh0stRAT and related variants have been used consistently across different cybercrime circles. Recently, Proofpoint researchers have noted a minor resurgence in the use of Sainbox and other Chinese-themed malware, which has drawn the attention of analysts assessing the broader impact of older malware. In 2023, Proofpoint observed an increase in the use of Sainbox, a variant of Gh0stRAT, along with a handful of Chinese-language campaigns delivering older Gh0stRAT variants. Nearly all of these Sainbox campaigns used invoice-themed lures spoofing Chinese office and invoicing companies. This trend continued into 2024 with the May campaign, dubbed UNK_SweetSpecter, employing SugarGh0st RAT, a remote access trojan derived from Gh0stRAT. The combination of older malware like Sainbox and newly uncovered malware like ValleyRAT may challenge the dominance of the Russian-speaking cybercrime market on the threat landscape. The continued use and evolution of Gh0stRAT variants indicate a persistent threat, and organizations should stay vigilant against them, particularly as they evolve and adapt to new security measures.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID / Votes / Profile Description
Fatalrat (1 vote): FatalRAT, also known as Sainbox, is a variant of the Gh0st RAT malware that targets Windows platforms. Initially identified by Proofpoint in 2020, it has become popular with the PurpleFox threat actor group. Once infiltrated into a system, FatalRAT can log keystrokes and download and install additio
Valleyrat (1 vote): ValleyRAT, a new malware first identified by Proofpoint in March 2024 and initially reported by Chinese cybersecurity firm Qi An Xin in February 2023, has emerged on the cybercrime scene. The malicious software is written in C++ and carries functionalities typical of remote access trojans, such as f
Sainbox (1 vote): Sainbox, also known as FatalRAT, is a variant of the Gh0st RAT trojan malware that has been increasingly deployed in cybercrime activities, particularly those associated with suspected Chinese cybercrime operations. Proofpoint researchers have observed over 30 separate campaigns leveraging this malw
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Chinese
Rat
Proofpoint
Windows
Cybercrime
Malware
Exploit
Associated Malware
ID / Type / Votes / Profile Description
Sugargh0st (type: Unspecified, 1 vote): SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Ko
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Gh0strat malware was drawn from the document corpus listed below. This display is limited to 20 results.
Source / Created At / Title
BankInfoSecurity (2 months ago): Hackers Target US AI Experts With Customized RAT
InfoSecurity-magazine (2 months ago): SugarGh0st RAT Variant Used in Targeted AI Industry Attacks
CERT-EU (10 months ago): Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape | Proofpoint US
CERT-EU (10 months ago): New Spike in Malware from Chinese Cybercriminals Floods the Threat Landscape – Proofpoint Research – Global Security Mag Online
CERT-EU (10 months ago): A Wave of Chinese Cyberthreat Campaigns Use Old and New Malware
CERT-EU (10 months ago): Threat Roundup for September 22 to September 29
CERT-EU (10 months ago): Cyber Security Week in Review: September 22, 2023