Skip to main content
Mallory
Back to threat actors
1 malware family

GhostNet

Also known asGhostNet

GhostNet is a cyber-espionage group/operation publicly reported in 2009. The provided content states that GhostNet used Gh0st RAT to target diplomatic, political, economic, and military entities worldwide. It is described as a surveillance ring believed to be operating from China, though the content does not provide definitive attribution to the Chinese state. The content further states that GhostNet stole documents from the Dalai Lama and from entities in more than 103 countries. Researchers later distinguished a separate espionage operation, Shadow Network, from the earlier GhostNet activity, noting that GhostNet was the earlier campaign. No additional aliases or sub-groups are provided in the content beyond the name GhostNet itself.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Military
MITRE ATT&CK

Tradecraft

11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics12 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1589
Gather Victim Identity Information
T1598
Phishing for Information
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001
Spearphishing Attachment
TA0002
Execution
1 technique
T1204
User Execution
TA0003
Persistence
1 technique
T1542
Pre-OS Boot
TA0005
Stealth
1 technique
T1542
Pre-OS Boot
TA0009
Collection
3 techniques
T1005×3
Data from Local System
T1114
Email Collection
T1125
Video Capture
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
gh0st RATWhile the source code for Gh0st RAT was released online in 2008, the malware has continued to be used by advanced persistent threat (APT) groups. ... Gh0st RAT first made headlines back in 2009, when a cyber-espionage group called GhostNet used it to target diplomatic, political, economic, and military targets around the world.1May 26, 2026
ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app
symantec enterprise blogsNews
May 16, 2026
Webworm: Espionage Attackers Testing and Using Older Modified RATs | SECURITY.COM

Cyber-espionage group historically noted for using Gh0st RAT against diplomatic, political, economic, and military targets worldwide.

Read more
wikipedia cyber incidentsNews
May 3, 2017
PoisonIvy - Wikipedia

GhostNet appears only in a generic Wikipedia navigation list of hacking groups, without any discussion tying it to the PoisonIvy content.

Read more
wikipedia cyber incidentsNews
Sep 30, 2015
Hupigon - Wikipedia

Groups Anonymous associated events Avalanche Crime Boys GNAA Goatse Security Insanity Zine Corp. GhostNet Level Seven PLA Unit 61398 Prime Suspectz RBN ShadowCrew World of Hell Sandworm

Read more
wikipedia cyber incidentsNews
Feb 6, 2013
AFX Windows Rootkit 2003 - Wikipedia

Groups Anonymous associated events Avalanche Crime Boys GNAA Goatse Security Insanity Zine Corp. GhostNet Level Seven PLA Unit 61398 Prime Suspectz RBN ShadowCrew World of Hell Sandworm

Read more
+11 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping11

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.