Ghost

Malware updated 10 hours ago (2024-10-10T09:00:56.760Z)
"Ghost" appears in this corpus in two distinct senses: a sophisticated malware family distributed through GitHub, and an encrypted communication platform used by criminals for a range of illicit activities. Check Point Research discovered a network of GitHub accounts, known as the Stargazers Ghost Network, that distributed this malware and malicious links via phishing repositories. This discovery was part of a larger cyber landscape in 2020, which also saw planned bilateral CDU/MDANG Ex Cyber Ghost operations and cyberattacks against companies such as Avis and authorities such as Russia's Osnovanie. The Ghost malware was not limited to GitHub; it also infiltrated networks, a phenomenon referred to as "Ghost in the network."

The Ghost platform, meanwhile, was an encrypted communication environment that facilitated criminal activity worldwide, ranging from large-scale drug trafficking to money laundering and instances of extreme violence. Australian police penetrated the network through software engineering, modifying the app's updates so that devices became surveillance tools. Europol's press release indicated that approximately 1,000 messages were exchanged daily on the Ghost app, showing how widely it was used among criminals. In an international operation coordinated by Europol and Eurojust, law enforcement and judicial authorities dismantled the platform. Its users were primarily in New South Wales, with others in Victoria, Western Australia, South Australia, and the ACT. The app offered advanced security features and accepted payments in cryptocurrency, making it attractive to criminals seeking anonymity; with its shutdown, a significant tool for organized crime has been neutralized.
Description last updated: 2024-10-10T08:15:37.924Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes) and description:

- Ghostsec (3 votes): Ghostsec is a possible alias for Ghost. GhostSec is a malicious software (malware) that has been identified as a significant threat to computer systems and data security. This malware, designed to exploit and damage computer systems, infiltrates user devices through suspicious downloads, emails, or websites without the user's knowledge. O…
- Stargazer Goblin (2 votes): Stargazer Goblin is a possible alias for Ghost. Stargazer Goblin is a sophisticated malware entity that has been operating since August 2022. It has leveraged GitHub, a platform typically considered legitimate, to distribute various malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. This…
- Stargazers Ghost Network (2 votes): Stargazers Ghost Network is a possible alias for Ghost. The Stargazers Ghost Network, identified by Check Point Research (CPR), is a malicious network of GitHub accounts that distribute malware and harmful links through phishing repositories. The network has been operating since at least August 2022, but its first public advertisement occurred in July 20…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Phishing
Exploit
Github
Facebook
Australian
Europol
Police
Ransom
Vulnerability
Rat
Fraud
Associated Malware
Alias (association type; votes) and description:

- Lockbit (is related to; 3 votes): The Lockbit Malware is associated with Ghost. LockBit is a notorious malware that has been involved in several high-profile ransomware incidents, including attacks on Boeing, London Drugs, Ontario hospitals, and Accenture. The malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user…
- Ghostlocker (Unspecified; 3 votes): The Ghostlocker Malware is associated with Ghost. GhostLocker is a harmful malware developed by the cybercrime gang GhostSec, which has seen a significant surge in its hacking activities over the past year. The group has recently introduced an updated version of this malicious software, known as GhostLocker 2.0 ransomware, a Golang variant of the o…
- Rhadamanthys (Unspecified; 2 votes): The Rhadamanthys Malware is associated with Ghost. Rhadamanthys is a type of malware, or malicious software, that has been designed to exploit and damage computer systems. It was first identified in 2022 and since then, it has been continually upgraded with advanced features. The threat actor group known as TA547 has been using Rhadamanthys to targe…
- Conti (Unspecified; 2 votes): The Conti Malware is associated with Ghost. Conti is a type of malware, specifically a ransomware, that infiltrates computer systems to exploit and damage them. It was commonly used in cyberattacks by ITG23, a cybercriminal group which also used other malware like Trickbot and BazarLoader. The Conti ransomware was known for its sophisticated…
- Akira (is related to; 2 votes): The Akira Malware is associated with Ghost. Akira is a malicious software known for its persistent and damaging attacks on various systems. This ransomware has been active since at least 2023, as reported by Sophos, and it operates by infiltrating systems often through suspicious downloads, emails, or websites, encrypting data, and demanding…
Associated Threat Actors
Alias (association type; votes) and description:

- Alphv (Unspecified; 2 votes): The Alphv Threat Actor is associated with Ghost. AlphV, also known as BlackCat, is a notable threat actor that has been operational since November 2021. This group has pioneered the public leaks business model in the realm of ransomware attacks and has been associated with significant cybercrimes. It is particularly infamous for its attack on Morr…
- Zeon (is related to; 2 votes): The Zeon Threat Actor is associated with Ghost. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B…
- Space Kook (is related to; 2 votes): The Space Kook Threat Actor is associated with Ghost. Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br…
Associated Vulnerabilities
Alias (association type; votes) and description:

- Lockbit's Ghost (Unspecified; 2 votes): The vulnerability Lockbit's Ghost is associated with Ghost.
Source Document References
Information about the Ghost malware was read from the document corpus below. This display is limited to 20 results.
Source (created):

- RIA - Information System Authority (11 hours ago)
- Securityaffairs (11 days ago)
- ESET (15 days ago)
- Securityaffairs (18 days ago)
- BankInfoSecurity (21 days ago)
- Securityaffairs (21 days ago)
- BankInfoSecurity (22 days ago)
- InfoSecurity-magazine (22 days ago)
- Fortinet (a month ago)
- DARKReading (2 months ago)
- Checkpoint (3 months ago)
- Securelist (3 months ago)
- Unit42 (5 months ago)
- CERT-EU (7 months ago)
- CERT-EU (7 months ago)
- CERT-EU (7 months ago)
- CERT-EU (7 months ago)
- BankInfoSecurity (7 months ago)
- CERT-EU (7 months ago)
- CERT-EU (7 months ago)