Ghost

Malware Profile Updated 3 days ago
Ghost is a type of malware, or malicious software, that infiltrates systems to exploit and cause damage. It is often disseminated through suspicious downloads, emails, or websites, and can steal personal information, disrupt operations, or hold data hostage for ransom.

In 2020, there were plans for a larger bilateral CDU/MDANG Ex Cyber Ghost operation, which marked the beginning of a new era in malware distribution. The concept of "ghost" accounts became more prominent, with these accounts organically promoting and distributing malicious links across various platforms. In 2023, Check Point Research identified a network of GitHub accounts, known as the Stargazers Ghost Network, that distributed malware or malicious links via phishing repositories. Some of these ghost accounts appeared to have been created by the operators, while others appeared to be compromised legitimate GitHub accounts. The network was highly successful in its campaigns, using multiple accounts and profiles for different roles: starring and hosting the repository, committing the phishing template, and hosting malicious releases. This division of roles minimized the network's losses when GitHub took action to disrupt its operations.

Looking ahead, it is anticipated that future ghost accounts could leverage Artificial Intelligence (AI) models to generate more targeted and diverse content, making it increasingly difficult to distinguish legitimate content from malicious material. There are indications that the Atlantida Stealer campaigns, which specifically targeted social-media-oriented users, may have been run by Stargazer Goblin to obtain accounts for the Ghost networks. Stargazer Goblin is believed to have created a universe of Ghost accounts operating across platforms such as GitHub, Twitter, YouTube, Discord, Instagram, Facebook, and many others.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Ghostsec | 3 | GhostSec is a malicious software (malware) identified as a significant cybersecurity threat. This harmful program, designed to exploit and damage computers or devices, infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal pe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Phishing
Vulnerability
Ransom
Fraud
RAT
Exploit
At
YouTube
Facebook
Sudan
Israel
WordPress
Israeli
Hamas
Crypter
1Password
France
Scam
Encrypt
Exploits
DNS
Malicious Link
Reconnaissance
Encryption
macOS
Russia
Android
Google
Meta
GitHub
Salesforce
Backdoor
APT
Locker
RaaS
DDoS
Windows
Cloudzy
Ukraine
Espionage
VPN
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | is related to | 3 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Ghostlocker | Unspecified | 3 | GhostLocker is a harmful malware developed by the cybercrime gang GhostSec, which has seen a significant surge in its hacking activities over the past year. The group has recently introduced an updated version of this malicious software, known as GhostLocker 2.0 ransomware, a Golang variant of the o
Akira | is related to | 2 | Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Conti | Unspecified | 2 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Quarkbandit | is related to | 1 | None
Rhadamanthys | Unspecified | 1 | Rhadamanthys is a malicious software (malware) that has been leveraged by the threat actor group TA547 to target German organizations. The malware, which infiltrates systems through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or hold data for ransom
Amadey | Unspecified | 1 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Granite Typhoon | Unspecified | 1 | Granite Typhoon is a notable malware that has been implicated in several cyber-attacks on various organizations and entities. The malware, which operates by infiltrating systems through suspicious downloads, emails, or websites, has been linked to attacks on telecommunications firms in 2023, an oper
Faust | Unspecified | 1 | Faust is a newly discovered variant of the Phobos ransomware, an evolution of the Dharma/Crysis ransomware. It shares similar Tactics, Techniques, and Procedures (TTPs) with other variants such as Elking, Eight, Devos, and Backmydata, indicating a likely connection between them. Researchers from For
Maze | Unspecified | 1 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Phobos | Unspecified | 1 | Phobos is a type of malware, specifically a ransomware, that has been a significant cause for concern in the cyber security world. This malicious software infiltrates systems through dubious downloads, emails, or websites and can cause severe damage by stealing personal information, disrupting opera
Eking | Unspecified | 1 | Eking is a malware, specifically a variant of the Phobos ransomware family. Malware, or malicious software, is designed to infiltrate and damage computers without the users' consent. Eking can infect systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once insid
Devos | Unspecified | 1 | Devos is a variant of Phobos ransomware, a type of malware that infects systems and holds data hostage for ransom. It is closely linked to other variants such as Elking, Eight, Backmydata, and Faust ransomware due to similar Tactics, Techniques, and Procedures (TTPs) observed in their intrusions. Op
gh0st RAT | is related to | 1 | Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
Poison Ivy | is related to | 1 | Poison Ivy is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold d
Associated Threat Actors
ID | Type | Votes | Profile Description
Space Kook | is related to | 2 | Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br
Alphv | Unspecified | 2 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Zeon | is related to | 2 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
LockBitSupp | Unspecified | 1 | LockBitSupp, also known as LockBit and putinkrab, is a notorious threat actor responsible for creating and operating one of the most prolific ransomware variants. The individual behind this persona, Dmitry Yuryevich Khoroshev, has been actively involved in ransomware attacks against organizations fo
Ruby Sleet | Unspecified | 1 | Ruby Sleet, also known as Ricochet Chollima and CERIUM, is a North Korean threat actor that has been actively targeting governmental and defense sectors across several countries. According to a Microsoft report, from November 2022 to January 2023, Ruby Sleet, in conjunction with another threat actor
GALLIUM | Unspecified | 1 | Gallium, also known as Alloy Taurus, is a China-aligned threat actor known for executing actions with malicious intent in the cyber domain. In recent years, Gallium has been associated with various significant cyber-espionage campaigns. The group targeted telecommunication entities in the Middle Eas
Anonymous Sudan | Unspecified | 1 | Anonymous Sudan, a threat actor group known for its malicious cyber activities, has recently been the subject of increased attention in the cybersecurity industry. This entity, which could consist of a single individual, a private company, or part of a government organization, is responsible for exe
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Lockbit's Ghost | Unspecified | 2 | None
CVE-2012-1033 | Unspecified | 1 | None
CVE-2022-41654 | Unspecified | 1 | None
CVE-2022-41697 | Unspecified | 1 | None
Zeon/ryuk | Unspecified | 1 | None
Source Document References
Information about the Ghost malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Checkpoint | 3 days ago | Stargazers Ghost Network - Check Point Research
Securelist | 16 days ago | Spear phishing techniques in mass phishing: a new trend
Unit42 | 2 months ago | Leveraging DNS Tunneling for Tracking and Scanning
CERT-EU | 4 months ago | The effects of law enforcement takedowns on the ransomware landscape - Help Net Security
CERT-EU | 4 months ago | Nigerian pleads guilty in BEC attack involvement
CERT-EU | 4 months ago | Ransomware Talent Surges to Akira After LockBit's Demise
BankInfoSecurity | 4 months ago | Ransomware Talent Surges to Akira After LockBit's Demise
CERT-EU | 5 months ago | Tax-related scams escalate as filing deadline approaches - Help Net Security
CERT-EU | 5 months ago | Apple TV+ shows and movies: What to watch on Apple TV Plus
CERT-EU | 5 months ago | Microsoft engineer who raised concerns about Copilot image creator pens letter to the FTC
Securityaffairs | 5 months ago | Watch out, GhostSec and Stourmous groups jointly conducting ransomware attacks
CERT-EU | 5 months ago | Watch out, GhostSec and Stourmous groups jointly conducting ransomware attacks | #ransomware | #cybercrime | National Cyber Security Consulting
DARKReading | 5 months ago | GhostLocker 2.0 Haunts Businesses Across Middle East, Africa & Asia
CERT-EU | 5 months ago | Techrights — Links 04/03/2024: Techno-Babble in Tech Job Ads and Vision Pro Already Breaking Apart
CERT-EU | 5 months ago | Pennsylvania Fact-Checking, Syria, Florida Legislation, More: Sunday Afternoon ResearchBuzz, March 3, 2024
BankInfoSecurity | 5 months ago | Stages of LockBit Grief: Anger, Denial, Faking Resurrection?
CERT-EU | 5 months ago | Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 5 months ago | Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities