Ghost RAT
Ghost RAT is a remote access Trojan (RAT) associated with Chinese threat activity. According to the cited reporting, it was developed by the Chinese threat actor C. Rufus Security Team, appears to date to 2008, and played a key role in the GhostNet campaign targeting Dalai Lama Tibetan exile centers. More recent reporting links Ghost RAT to multiple China-nexus intrusions and notes that some backdoors used by the Phantom Taurus espionage actor likely borrowed source code from Ghost RAT. Huntress also reported a 2025 campaign in which suspected China-affiliated actors gained access through an exposed, unauthenticated phpMyAdmin interface, abused MariaDB general query logging to create a China Chopper-style web shell, managed the compromise with AntSword, deployed the legitimate Nezha monitoring agent as a staging and remote access mechanism, and then dropped and executed a Ghost RAT variant from C:\Windows\Cursors. In that activity, the Ghost RAT payload installed persistence, used a domain generation algorithm (DGA) for command-and-control, and was observed with a multi-stage loader and dynamic API resolution. Huntress said the implant's command blocks were consistent with China-nexus APT activity. The same reporting assessed that more than 100 victim machines were compromised, primarily in Taiwan, Japan, South Korea, and Hong Kong, and noted that Ghost RAT and AntSword have both been used previously in activity publicly attributed to Chinese APT groups. Separately, Antiy linked SilverFox (YouSnake) activity to infections of more than 17,000 users with Ghost RAT. Reported indicators and artifacts include execution from C:\Windows\Cursors and the file names and paths for the Ghost RAT payload published in the Huntress investigation.
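Two of the artifacts above are cheap to check in telemetry: executables launched from C:\Windows\Cursors (a directory that normally holds only cursor files) and a MariaDB general query log being redirected to a script file inside a web root. The following triage script is an added example, not code from Huntress or Mallory; the process events, the Nezha agent path and the query lines are constructed for illustration and are not indicators from the report.

```python
import re

# Constructed Windows process-creation events (Sysmon-style fields); the
# parent path for the Nezha agent is hypothetical, not a published indicator.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\Cursors\update.exe",
     "ParentImage": r"C:\ProgramData\nezha\nezha-agent.exe"},
    {"Image": r"C:\Program Files\MariaDB 10.6\bin\mysqld.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Constructed MariaDB statements as they might appear in an audit or query log.
DB_QUERIES = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SET GLOBAL general_log_file = 'C:/xampp/htdocs/shell.php'",
    "SET GLOBAL general_log = 'ON'",
]

# Any drive letter, then \Windows\Cursors\ as a path prefix (case-insensitive).
CURSORS_DIR = re.compile(r"^[a-z]:\\windows\\cursors\\", re.IGNORECASE)

# general_log_file assigned a path whose extension is one a web server executes.
WEBROOT_LOG_TARGET = re.compile(
    r"general_log_file\s*=\s*['\"][^'\"]*\.(php|phtml|jsp|asp|aspx)['\"]",
    re.IGNORECASE,
)


def suspicious_cursors_execution(events):
    """Return images executed from the Windows Cursors directory."""
    return [e["Image"] for e in events if CURSORS_DIR.search(e["Image"])]


def suspicious_log_redirection(queries):
    """Return statements that point the general query log at a script file."""
    return [q for q in queries if WEBROOT_LOG_TARGET.search(q)]


def triage(events, queries):
    """Combine both checks into one findings dictionary for a host."""
    return {
        "cursors_exec": suspicious_cursors_execution(events),
        "log_redirect": suspicious_log_redirection(queries),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCESS_EVENTS, DB_QUERIES).items():
        print(name, hits)
```

Toggling `general_log` to ON is a weaker signal on its own and is deliberately not flagged here; a production rule would pair it with the file-target check and with process ancestry under the database or web server.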
Groups observed using it
6 distinct threat actors attributed by public researchers.
“...deploying backdoors that very likely borrowed source code from Ghost RAT, a Trojan developed by Chinese threat actor C. Rufus Security Team. Ghost RAT appears to date to 2008...”
Huntress said Nezha was used in tandem with other families of malware and web shell management tools, such as Ghost RAT and AntSword. One of the first clues leading them to attribute the incident to Chinese actors was that, upon accessing the administrative interface of the compromised system, the hacker set the language to simplified Chinese. Minton added that even though Huntress stopped short of formally attributing the campaign to a specific Chinese threat actor, the use of Ghost RAT and AntSword was a clue because they both have been used before in activity publicly attributed to Chinese APT groups.
"...drop and run a Ghost RAT variant from 'C:\Windows\Cursors'. The RAT executable also installed a persistence mechanism and used a domain generation algorithm (DGA) for command & control (C2)."
"SilverFox activity: Antiy says the SilverFox (YouSnake) group infected over 17,000 users with the Ghost RAT..."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
This report focuses on the URLs embedded in emails that bypassed email security controls like secure email gateways (SEGs) to deliver malware.
Infection URLs are embedded in emails and represent the first action that a victim must take to become infected.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Huntress Uncovers Log Poisoning Campaign Linking Nezha and Ghost RAT in Widespread Asian Cyber Intrusions
Remote Access Trojan deployed via Nezha to provide persistent remote access and control over compromised systems.
Remote access trojan used for deeper persistence and post-compromise control; described as having a multi-stage loader, dynamic API resolution, DGA-based C2, and command blocks consistent with China-nexus APT activity.
Ghost RAT is a remote access trojan commonly used by Chinese APT groups for persistent access and espionage. It allows attackers to control infected systems remotely.