Ghost

Malware updated 4 days ago (2024-11-29T13:57:05.840Z)
"Ghost" on this page is a cluster label rather than one malware family: the source documents behind it mostly describe the Stargazers Ghost Network, a set of GitHub accounts identified by Check Point Research that hosts phishing repositories and lends them apparent legitimacy in order to distribute malware or malicious links. The network trades on the trust placed in open-source software repositories, which is what makes it effective. Throughout September and October 2024 it operated as a Distribution as a Service (DaaS), and one of the payloads it delivered in that period was GodLoader. Check Point Research notes that the network achieves high infection rates and that it recycles payloads: the same archive was distributed on multiple occasions, specifically on September 12, September 14 and September 29, 2024. A second, separate strand of reporting has been merged into this cluster: three weaknesses described across today's Software as a Service (SaaS) landscape, one of which is referred to as "Ghost Logins". Nothing on this page connects those SaaS weaknesses to the GitHub distribution network beyond the shared word "Ghost", so the two should not be read as one campaign. The practical point stands on its own: distribution through a seemingly legitimate GitHub repository is a working initial-access technique, and downloads from such sources deserve the same scrutiny as any other untrusted binary.
Description last updated: 2024-11-28T11:49:59.492Z
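The one concrete detection lead in the description is that the network re-used an identical archive across repositories and dates. The script below, added here as an illustration and not code from the page or from Check Point Research, runs that check over constructed release-asset records: every owner, repository, file name and hash in it is made up for the example, and the record layout is an assumption about what a collector would pull from GitHub release metadata. It groups assets by content hash, reports any hash published from at least two distinct repositories together with its distribution dates and aliases, and lists the accounts involved as candidate members of one distribution network.

```python
"""Hunt for archives re-distributed across several GitHub repositories.

Added illustration, not code from the page or from Check Point Research.
Input records mimic GitHub release-asset metadata; every owner, repository,
asset name and hash below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class ReleaseAsset:
    owner: str        # GitHub account that published the release
    repo: str         # repository name
    asset_name: str   # file name of the attached archive
    published: date   # release date
    sha256: str       # hash of the archive contents


def sample_hash(label: str) -> str:
    """Stand-in for a real file hash, derived from a label so the sample reads clearly."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample: one archive appears under three accounts and three file
# names on three dates (the re-use pattern described above); two benign-looking
# assets from one project appear once each.
SAMPLE_ASSETS = [
    ReleaseAsset("dev-alpha", "game-tool", "GameTool_v2.zip", date(2024, 9, 12), sample_hash("payload-A")),
    ReleaseAsset("dev-beta", "crack-pack", "Setup.zip", date(2024, 9, 14), sample_hash("payload-A")),
    ReleaseAsset("dev-gamma", "mod-installer", "Installer.zip", date(2024, 9, 29), sample_hash("payload-A")),
    ReleaseAsset("legit-org", "cli-utility", "cli-1.0.0.tar.gz", date(2024, 9, 20), sample_hash("cli-1.0.0")),
    ReleaseAsset("legit-org", "cli-utility", "cli-1.0.1.tar.gz", date(2024, 10, 2), sample_hash("cli-1.0.1")),
]


def find_reused_archives(assets, min_repos=2):
    """Group assets by content hash; return hashes seen in at least min_repos repositories.

    Result shape: {sha256: {"repos": [(owner, repo), ...], "dates": [...], "names": [...]}}.
    Re-releases within a single repository (normal versioning) are not flagged.
    """
    by_hash = defaultdict(list)
    for asset in assets:
        by_hash[asset.sha256].append(asset)

    findings = {}
    for digest, group in by_hash.items():
        repos = sorted({(a.owner, a.repo) for a in group})
        if len(repos) < min_repos:
            continue
        findings[digest] = {
            "repos": repos,
            "dates": sorted({a.published for a in group}),
            "names": sorted({a.asset_name for a in group}),
        }
    return findings


def accounts_in_network(findings):
    """Accounts that published at least one re-used archive: candidate network members."""
    return sorted({owner for info in findings.values() for owner, _ in info["repos"]})


if __name__ == "__main__":
    hits = find_reused_archives(SAMPLE_ASSETS)
    for digest, info in hits.items():
        print(digest[:16], [d.isoformat() for d in info["dates"]], info["names"])
    print("accounts:", accounts_in_network(hits))
```

Hashing on content rather than file name is the point: the network changes repository and archive names between drops, so a name-based blocklist misses the re-use that a content hash catches.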
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Ghostsec (3 votes) is a possible alias for Ghost. GhostSec is a cybercrime group that has been involved in significant cybercrime activities. Notably, the malicious software attributed to it is designed to exploit and damage computer systems, infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal […]
Stargazer Goblin (2 votes) is a possible alias for Ghost. Stargazer Goblin is a threat actor that has been operating since August 2022. It has leveraged GitHub, a platform typically considered legitimate, to distribute various malware families, including Atlantida Stealer, Rhadamanthys infostealer, RisePro, Redline, and Lumma Stealer. This […]
Stargazers Ghost Network (2 votes) is a possible alias for Ghost. The Stargazers Ghost Network, a malicious threat actor identified by Check Point Research, has been using GitHub accounts to distribute malware or malicious links through phishing repositories. This group operates and maintains the network, employing a novel technique that enhances the perceived leg[…]
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Exploit
Phishing
Facebook
Australian
Europol
Police
Ransom
Vulnerability
Rat
Fraud
Github
Associated Malware
Lockbit (is related to, 3 votes). LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or […]
Ghostlocker (association type unspecified, 3 votes). GhostLocker is a harmful malware developed by the cybercrime gang GhostSec, which has seen a significant surge in its hacking activities over the past year. The group has recently introduced an updated version of this malicious software, known as GhostLocker 2.0 ransomware, a Golang variant of the o[…]
Rhadamanthys (association type unspecified, 2 votes). Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tact[…]
Conti (association type unspecified, 2 votes). Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona[…]
Akira (is related to, 2 votes). Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo[…]
Associated Threat Actors
Alphv (association type unspecified, 2 votes). Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p[…]
Zeon (is related to, 2 votes). Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B[…]
Space Kook (is related to, 2 votes). Space Kook is a threat actor, or malicious entity, identified in the cybersecurity industry for its involvement in ransomware operations. Named after a villain from Scooby Doo, Space Kook was first linked to malicious activities by Halcyon's analysis, which showed connections to an initial access br[…]
Associated Vulnerabilities
Lockbit's Ghost (association type unspecified, 2 votes) is associated with Ghost.
Source Document References
Information about the Ghost Malware was read from the documents corpus below. This display is limited to 20 results.
Checkpoint (5 days ago)
Recorded Future (18 days ago)
DARKReading (22 days ago)
BankInfoSecurity (2 months ago)
RIA - Information System Authority (2 months ago)
Securityaffairs (2 months ago)
ESET (2 months ago)
Securityaffairs (2 months ago)
BankInfoSecurity (2 months ago)
Securityaffairs (2 months ago)
BankInfoSecurity (2 months ago)
InfoSecurity-magazine (3 months ago)
Fortinet (3 months ago)
DARKReading (4 months ago)
Checkpoint (4 months ago)
Securelist (5 months ago)
Unit42 (7 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)