Sugargh0st

Malware Profile Updated a month ago
Download STIX
Preview STIX
SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Korea. SugarGh0st, a fully functional backdoor capable of executing most remote control functionalities, shares code similarities with TunnelSpecter and is a Remote Access Trojan (RAT). Initial infections are suspected to trace back to phishing emails containing a malicious JavaScript serving as a SugarGh0st loader. The SugarGh0st RAT has been used by the China-linked SugarGh0st Team, alongside other espionage groups such as Cloud Atlas and Sticky Werewolf, who have targeted government agencies in Belarus. The malware communicates with an attacker-controlled Command and Control (C2) server to complete the infection chain. Notably, a self-extracting RAR file is often used in these attacks, which drops a decoy document, a dynamic link library (DLL) loader, encrypted malware (either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT), and a malicious Visual Basic (VB) script for establishing persistence. Researchers have noted Chinese language preferences present in the malware's code, suggesting its origin. The use of SugarGh0st RAT, particularly popular among Chinese threat actors, and the similar profile of its targets further corroborate this hypothesis. The malware variant has evolved since its inception, with an unidentified group using a modified version, nicknamed "SugarGh0st RAT," to spy on targets in South Korea and the Ministry of Foreign Affairs in Uzbekistan.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Gh0st
3
Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware co
gh0st RAT
3
Gh0st RAT is a notorious malware that was originally developed by the C. Rufus Security Team in China and has been widely used for cyber espionage since its code leaked in 2008. This malicious software can infiltrate systems through suspicious downloads, emails, or websites, often without the user's
Unk_sweetspecter
1
UNK_SweetSpecter is a malware campaign that was first identified by researchers at the security vendor Proofpoint earlier this month. The threat actor behind this campaign, also named UNK_SweetSpecter, uses malicious software to exploit and damage computer systems, often infiltrating them through su
Tunnelspecter
1
TunnelSpecter is a malicious software (malware) that infiltrates systems through dubious downloads, emails, or websites. Once inside a system, it can cause substantial damage by stealing personal information, disrupting operations, or even holding data hostage for ransom. The malware is part of an a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Malware
Rat
Windows
Reconnaissance
Phishing
Loader
Backdoor
Tool
Visual Basic
Chinese
Proofpoint
Decoy
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Sugargh0st RatUnspecified
2
SugarGh0st RAT is a relatively new variant of the Gh0st RAT malware, first identified by researchers at Cisco Talos in November 2023. This Remote Access Trojan (RAT) has been used to carry out cyberespionage and surveillance campaigns against various targets, including government officials in Uzbeki
Gh0stratUnspecified
1
Gh0stRAT is a malware, specifically a Remote Access Trojan (RAT), that was first observed in 2008. Over the years, its publicly available source code has been modified by various authors and threat actors, resulting in several variants such as Sainbox. For over a decade, Gh0stRAT and related variant
Gh0st Remote Access TrojanUnspecified
1
None
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Cloud AtlasUnspecified
1
Cloud Atlas, a sophisticated threat actor group, has been actively involved in cyber-espionage activities against various nations, primarily targeting Russia and former Soviet Union countries such as Belarus, Kazakhstan, and Azerbaijan. This group employs advanced techniques to evade detection and e
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Sugargh0st Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
DARKReading
a month ago
'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st
BankInfoSecurity
2 months ago
Active Chinese Cyberespionage Campaign Rifling Email Servers
BankInfoSecurity
2 months ago
Hackers Target US AI Experts With Customized RAT
DARKReading
2 months ago
US AI Experts Targeted in SugarGh0st RAT Campaign
InfoSecurity-magazine
2 months ago
SugarGh0st RAT Variant Used in Targeted AI Industry Attacks
CERT-EU
5 months ago
Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Checkpoint
8 months ago
4th December – Threat Intelligence Report - Check Point Research
CERT-EU
8 months ago
Suspected China-based hackers target Uzbekistan gov’t, South Koreans, Cisco says | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
DARKReading
8 months ago
A New, Spookier Gh0st RAT Malware Haunts Global Cyber Targets