Sugargh0st

Malware updated 4 months ago (2024-06-22T00:17:46.478Z)
Download STIX
Preview STIX
SugarGh0st is a malicious software (malware) variant first identified by Cisco Talos in November of the previous year. The malware, believed to be connected to China, has been deployed in cyberespionage campaigns primarily targeting the Ministry of Foreign Affairs in Uzbekistan and users in South Korea. SugarGh0st, a fully functional backdoor capable of executing most remote control functionalities, shares code similarities with TunnelSpecter and is a Remote Access Trojan (RAT). Initial infections are suspected to trace back to phishing emails containing a malicious JavaScript serving as a SugarGh0st loader. The SugarGh0st RAT has been used by the China-linked SugarGh0st Team, alongside other espionage groups such as Cloud Atlas and Sticky Werewolf, who have targeted government agencies in Belarus. The malware communicates with an attacker-controlled Command and Control (C2) server to complete the infection chain. Notably, a self-extracting RAR file is often used in these attacks, which drops a decoy document, a dynamic link library (DLL) loader, encrypted malware (either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT), and a malicious Visual Basic (VB) script for establishing persistence. Researchers have noted Chinese language preferences present in the malware's code, suggesting its origin. The use of SugarGh0st RAT, particularly popular among Chinese threat actors, and the similar profile of its targets further corroborate this hypothesis. The malware variant has evolved since its inception, with an unidentified group using a modified version, nicknamed "SugarGh0st RAT," to spy on targets in South Korea and the Ministry of Foreign Affairs in Uzbekistan.
Description last updated: 2024-06-22T00:16:39.794Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
gh0st RAT is a possible alias for Sugargh0st. Gh0st RAT is a malicious software (malware) that has been in use for over 15 years. It is an open-source remote access tool known for exploiting vulnerabilities in systems, most notably the PHP flaw which it targeted within 24 hours of disclosure. This malware was observed as part of Operation Diplo
3
Gh0st is a possible alias for Sugargh0st. Gh0st is a form of malware, or malicious software, that has been used in a variety of cyber attacks to exploit and damage computer systems. Notably, it was used in Operation Diplomatic Specter, where the Gh0st RAT (Remote Access Trojan) sample and Specter malware family were deployed. The malware co
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Malware
Rat
Reconnaissance
Phishing
Windows
Loader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sugargh0st Rat Malware is associated with Sugargh0st. SugarGh0st RAT is a relatively new variant of the Gh0st RAT malware, first identified by researchers at Cisco Talos in November 2023. This Remote Access Trojan (RAT) has been used to carry out cyberespionage and surveillance campaigns against various targets, including government officials in UzbekiUnspecified
2