GhostWeaver
GhostWeaver is a fileless, in-memory PowerShell remote access trojan (RAT) primarily delivered by the MintsLoader multi-stage loader. Reporting ties it to TA582, which Mandiant tracks as UNC4108, and places it downstream of SocGholish/FakeUpdates-style fake browser update activity and TAG-124/LandUpdate808 operations. It has been observed in campaigns targeting Windows endpoints, including organizations in industrial, legal, and energy sectors in the United States and Europe.
GhostWeaver maintains command-and-control over raw TCP wrapped in TLS 1.0 on port 25658, using a custom protocol in which each message is a 4-byte little-endian length header followed by GZip-compressed JSON. It uses four distinct domain generation algorithm (DGA) routines to generate delivery and C2 domains across the kill chain stages, and resolves them by querying five hardcoded public DNS resolvers directly instead of the host's configured resolver, so internal DNS logging, filtering, and sinkholes never see the lookups; restricting outbound port 53 to the enterprise resolvers closes that path. Researchers observed active C2 nodes at 178.156.128.182 and 86.107.101.93, and reported a pinned self-signed TLS certificate with subject CN=GeoTrust LTD (a CA-style name on a self-signed certificate, which together with a TLS 1.0 handshake on a non-standard port is a usable network signature). AV detections commonly label the malware as Pantera, including Microsoft detection Trojan:PowerShell/Pantera.MV!MTB. Shared identifiers reported across builds include mutex value "euzizvuze" and port 25658.
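The framing described above, as an added example that is not GhostWeaver's code and not taken from any report cited here: a Python encoder and decoder for the 4-byte little-endian length header plus GZip-compressed JSON format, a stream reassembler that tolerates arbitrary TCP segment boundaries, and a heuristic check usable on decrypted TLS payloads or memory dumps. The JSON field names, the sample messages, and the 16 MiB length bound are assumptions for illustration; the page does not document the real message schema.

```python
"""Added example: encode, decode and recognise frames in the wire format the
reporting describes (4-byte LE length header + GZip-compressed JSON).
The JSON keys and the MAX_FRAME bound are assumptions, not from the report."""
import gzip
import json
import struct
from typing import Iterator, Optional, Tuple

HEADER = struct.Struct("<I")        # 4-byte little-endian unsigned length
GZIP_MAGIC = b"\x1f\x8b\x08"        # gzip member: ID1 ID2 CM=8 (deflate)
MAX_FRAME = 16 * 1024 * 1024        # decoder sanity bound (assumption)


def encode_frame(obj: dict) -> bytes:
    """Serialise obj as compact JSON, gzip it, and prefix the body length."""
    body = gzip.compress(json.dumps(obj, separators=(",", ":")).encode("utf-8"), mtime=0)
    return HEADER.pack(len(body)) + body


def decode_frame(buf: bytes) -> Tuple[Optional[dict], bytes]:
    """Return (message, remaining_bytes); message is None if buf holds
    less than one complete frame. Raises on an implausible length header."""
    if len(buf) < HEADER.size:
        return None, buf
    (length,) = HEADER.unpack_from(buf)
    if length > MAX_FRAME:
        raise ValueError(f"implausible frame length {length}")
    end = HEADER.size + length
    if len(buf) < end:
        return None, buf
    msg = json.loads(gzip.decompress(buf[HEADER.size:end]).decode("utf-8"))
    return msg, buf[end:]


class FrameReassembler:
    """Feed TCP segments of any size; yields each complete message once.
    The generator must be consumed for the internal buffer to advance."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> Iterator[dict]:
        self._buf += chunk
        while True:
            msg, self._buf = decode_frame(self._buf)
            if msg is None:
                return
            yield msg


def looks_like_framed_gzip_json(buf: bytes) -> bool:
    """Heuristic for a decrypted record or a memory blob: the length header
    accounts for exactly the remaining bytes and the body starts with gzip magic."""
    if len(buf) < HEADER.size + len(GZIP_MAGIC):
        return False
    (length,) = HEADER.unpack_from(buf)
    body = buf[HEADER.size:]
    return length == len(body) and body[:len(GZIP_MAGIC)] == GZIP_MAGIC


def demo() -> list:
    """Constructed two-message exchange delivered in 5-byte segments so both a
    split header and a split body are exercised."""
    beacon = {"type": "beacon", "host": "WS-01", "user": "alice", "os": "10.0.19045"}
    tasking = {"type": "task", "cmd": "whoami"}
    stream = encode_frame(beacon) + encode_frame(tasking)
    reassembler = FrameReassembler()
    received = []
    for i in range(0, len(stream), 5):
        received.extend(reassembler.feed(stream[i:i + 5]))
    return received


if __name__ == "__main__":
    for m in demo():
        print(m)
```

The heuristic is only meaningful after the TLS layer is gone: on a TLS-terminating proxy, in a sandbox that logs decrypted sockets, or on a process memory dump, since TLS 1.0 on the wire hides the framing. On the wire itself the detectable features are the port, the TLS version and the self-signed certificate.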
The malware is designed for stealth and persistence. It runs without a disk-resident executable or DLL and receives a PowerShell persistence framework from C2 after infection. That framework implements four AV-aware persistence modes, ranging from a plaintext payload file to DPAPI-encrypted storage; the installer picks one at random unless it detects specific antivirus products, in which case the mode is chosen to suit the product found. Reported persistence behavior includes a hidden scheduled task running every three minutes via conhost --headless powershell -ep bypass, reading payload content from %LOCALAPPDATA%\Microsoft\{random_subfolder}\{funcName}.log, and a registry marker at HKCU:\Software\Microsoft\ExpirienceHost (the misspelling of "Experience" is part of the indicator). The installer also uses a CMSTPLUA COM-object UAC bypass with PEB masquerading to impersonate explorer.exe, disables the Task Scheduler operational event log so the task's runs are not recorded there, terminates the current process, and relies on the scheduled task to restart the implant. Because the implant itself exists only in memory between task runs, the scheduled task, the .log payload file, and the registry marker are the durable host artifacts to hunt for.
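The persistence artifacts above turned into a hunt over host telemetry, as an added example that is not from the reporting or from the malware: the event records are constructed, and their dict shape is a simplification of Sysmon (event IDs 1, 11, 13) and Windows Security (event ID 4698) fields. The function name AzureSyncHelper, the hostnames and the SID are made up, and treating a registry write to the TaskScheduler/Operational channel's Enabled value as the log-disabling method is an assumption, since the page says the log is disabled but not how.

```python
"""Added example: score constructed host events for the GhostWeaver persistence
artefacts described on this page. Event shape, host names and the
AzureSyncHelper function name are assumptions, not real telemetry."""
import re
from collections import defaultdict

# Artefacts reported on this page; the regexes themselves are mine.
TASK_CMD = re.compile(
    r"\bconhost(?:\.exe)?\s+--headless\s+powershell(?:\.exe)?\s+-e(?:p|xecutionpolicy)\s+bypass\b",
    re.I)
PAYLOAD_LOG = re.compile(r"\\AppData\\Local\\Microsoft\\[^\\]+\\[^\\]+\.log$", re.I)
REG_MARKER = re.compile(r"\\Software\\Microsoft\\ExpirienceHost", re.I)  # misspelling is the indicator
# Assumption: the page says the Task Scheduler operational log is disabled but not how;
# setting the channel's Enabled value to 0 is one common way, so it is scored here.
TASKSCHED_CHANNEL = re.compile(
    r"\\WINEVT\\Channels\\Microsoft-Windows-TaskScheduler/Operational\\Enabled$", re.I)


def score_event(ev):
    """Score one event: (points, reason) or (0, None). Points reflect how specific
    the artefact is alone: a .log under AppData is weak, the task and launch are strong."""
    eid = ev.get("EventID")
    if eid == 1 and TASK_CMD.search(ev.get("CommandLine", "")):          # Sysmon: process create
        return 3, "conhost --headless launching powershell -ep bypass"
    if eid == 4698:                                                       # Security: task created
        xml = ev.get("TaskContent", "")
        if "<Interval>PT3M</Interval>" in xml and "<Hidden>true</Hidden>" in xml:
            return 3, "hidden scheduled task repeating every 3 minutes"
    if eid == 11 and PAYLOAD_LOG.search(ev.get("TargetFilename", "")):   # Sysmon: file create
        return 1, ".log payload under %LOCALAPPDATA%\\Microsoft\\<subfolder>"
    if eid == 13:                                                         # Sysmon: registry value set
        target = ev.get("TargetObject", "")
        if REG_MARKER.search(target):                                     # HKCU appears as HKU\<SID>
            return 2, "ExpirienceHost registry marker"
        if TASKSCHED_CHANNEL.search(target) and "0x00000000" in str(ev.get("Details", "")):
            return 2, "TaskScheduler/Operational channel disabled"
    return 0, None


def hunt(events, threshold=4):
    """Aggregate per host. One artefact never crosses the default threshold, two
    independent ones do, which keeps single-event false positives out of the result."""
    hosts = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        points, reason = score_event(ev)
        if points:
            entry = hosts[ev["Computer"]]
            entry["score"] += points
            if reason not in entry["reasons"]:
                entry["reasons"].append(reason)
    return {host: entry for host, entry in hosts.items() if entry["score"] >= threshold}


# Constructed sample telemetry (not real logs); AzureSyncHelper stands in for the
# Azure{FunctionName} placeholder the reporting describes.
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost --headless powershell -ep bypass AzureSyncHelper"},
    {"Computer": "WS-01", "EventID": 4698, "TaskName": r"\AzureSyncHelper",
     "TaskContent": "<Task><Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval>"
                    "</Repetition></TimeTrigger></Triggers><Settings><Hidden>true</Hidden>"
                    "</Settings></Task>"},
    {"Computer": "WS-01", "EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\kq3zm\AzureSyncHelper.log"},
    {"Computer": "WS-01", "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\ExpirienceHost\Installed"},
    {"Computer": "WS-01", "EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
                     r"\Microsoft-Windows-TaskScheduler/Operational\Enabled"},
    # one matching launch alone stays below the threshold (long-form switch spelling)
    {"Computer": "WS-02", "EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe --headless powershell.exe -ExecutionPolicy Bypass AzureSyncHelper"},
    # ordinary WebCache ESE log: three path components after Microsoft, so no match
    {"Computer": "WS-03", "EventID": 11,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Microsoft\Windows\WebCache\V01.log"},
]

if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_EVENTS).items():
        print(host, entry["score"], "; ".join(entry["reasons"]))
```

The scoring is deliberately conservative on the .log file, since %LOCALAPPDATA%\Microsoft holds plenty of legitimate logs; the conhost --headless launch of powershell -ep bypass and the hidden three-minute task carry the weight, and the misspelled registry key is a cheap confirmation that is unlikely to collide with anything legitimate.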
GhostWeaver supports reflective loading of .NET DLL plugins without disk artifacts (Assembly.Load of assemblies obfuscated with Confuser.Core 1.6, per the reporting). Reported plugin capabilities include browser credential theft, Outlook data theft, crypto wallet theft, form grabbing and web injection via a MITM proxy, HTML manipulation, and redeployment of MintsLoader back to the victim. Researchers observed that active C2 servers accepted beacons immediately and pushed a byte-identical persistence installer within about 170 ms, with no challenge-response, version check, or group verification; the absence of any client authentication means a correctly framed beacon from an analysis host is enough to retrieve the current installer.
Delivery is commonly gated by MintsLoader, which runs three sandbox checks before deciding what to deliver: a VM check (Get-MpComputerStatus IsVirtualMachine), a GPU check (Win32_VideoController), and a CPU cache-level count (Win32_CacheMemory). A high combined score is treated as a sandbox and a decoy payload is served instead of GhostWeaver, so automated analysis often never sees the RAT. This anti-analysis behavior has contributed to prior misclassification of related activity as AsyncRAT in some reporting. GhostWeaver was named by TRAC Labs in February 2025 and is characterized in the reporting as non-commodity malware not observed on underground forums, GitHub, Telegram, or known cracked-tool repositories.
Groups observed using it
2 distinct threat actors attributed by public researchers.
GhostWeaver is a fileless PowerShell RAT that maintains command-and-control (C2) over GZip-compressed JSON inside TLS 1.0 connections on port 25658. AV vendors detect it as Pantera.
GhostWeaver is a fileless PowerShell RAT (remote access trojan) that adapts its installation to whichever antivirus is running on the machine... It communicates over TLS on port 25658... It generates its own server addresses through four separate DGA routines...
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
"They sit downstream of the SocGholish fake browser update chain"
Execution: 3 techniques
Step 6 - Persistence: GhostWeaver Installation (T1053.005, T1112, T1548.002, T1055, T1620) | GhostWeaver scheduled task: conhost --headless powershell -ep bypass Azure{FunctionName}, every 3 minutes.
Step 2 - Execution: PowerShell Stager (MintsLoader Core) (T1059.001, T1562.001, T1027, T1140) | MintsLoader HTTP response returns a Base64-encoded payload that the stager XOR-decodes.
"Injected JS: fake browser update prompt"; "ChrоmeUpdаteInstаller.js"; "JS stager"
Persistence: 2 techniques
Step 6 - Persistence: GhostWeaver Installation (T1053.005, T1112, T1548.002, T1055, T1620) | GhostWeaver scheduled task: conhost --headless powershell -ep bypass Azure{FunctionName}, every 3 minutes (same evidence as listed under Execution).
Privilege Escalation: 3 techniques
Step 6 - Persistence: GhostWeaver Installation (T1053.005, T1112, T1548.002, T1055, T1620) | GhostWeaver UAC bypass via CMSTPLUA COM object: PEB masquerade via VirtualProtectEx / WriteProcessMemory to impersonate explorer.exe, then COM elevation via CoGetObject("Elevation:Administrator!new:{A6BFEA43-501F-456F-A845-983D3AD7B8F0}")
Stealth: 7 techniques
"The PS1 source is a single line of 280-630 KB using arithmetic char encoding"; "Arithmetic-obfuscated payload"
"swapping process metadata to pose as Windows Explorer so the COM security check passes."
"We deobfuscated the PowerShell source (855 strings across three obfuscation layers)"; "decoded the C2 wire protocol"
"Before the RAT arrives, a profiler called MintsLoader runs three checks... virtual machine, the GPU type, and the number of CPU cache levels... withheld the payload."
"VM check (Get-MpComputerStatus IsVirtualMachine)"; "GPU check"; "CPU cache check"; "[High score = sandbox] --> Decoy"
Plugins loaded reflectively via Assembly.Load (no disk), obfuscated with Confuser.Core 1.6.
Defense Impairment: 1 technique
Credential Access: 3 techniques
"The plugin system supports credential theft from browsers, Outlook, and crypto wallets"
"The four persistence modes range from a simple plaintext file to DPAPI (Data Protection API)-encrypted payloads."
Discovery: 6 techniques
"ip External IP via api.ipify.org"
"User $env:COMPUTERNAME"; "Callback: POST http://{DGA4}/htr.php?id={hostname}"
"OS Windows version string"; "Performance Win32_ComputerSystem.Domain"; "GPU check (Win32_VideoController)"; "CPU cache check (Win32_CacheMemory)"
"Antivirus WMI SecurityCenter2 query"; "installer selects one at random unless it detects specific AV products"
Collection: 1 technique
Command and Control: 6 techniques
"The wire format is a 4-byte little-endian length header followed by GZip-compressed JSON"
"GhostWeaver skips HTTP entirely. It communicates over raw TCP on port 25658, wrapped in TLS 1.0"
ATT&CK mapping table (excerpt): Technique | ID | Chain phase ... Ingress Tool Transfer | T1105 | Payload delivery
Step 4 - C2 Resolution: Domain Generation Algorithm T1568.002 | MintsLoader, GhostWeaver Four distinct DGA algorithms across kill chain stages.
"It hardcodes five public DNS resolvers... and queries them directly... Your internal DNS, your sinkhole... none of them ever see the request."
"It communicates over TLS on port 25658, a non-standard port..." and "TLS 1.0... on port 25658"
Other: 1 technique
IOCs tracked for this family
31 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
PowerShell RAT and primary payload delivered by MintsLoader. Provides persistent remote access, plugin-based credential and data theft, scheduled-task persistence, UAC bypass via CMSTPLUA COM, reflective .NET loading, and can redeploy MintsLoader.
See also: GhostWeaver: a PowerShell RAT that lives up to its name
Fileless, in-memory PowerShell RAT with AV-aware persistence selection, multi-stage DGA-based C2, direct queries to hardcoded public DNS resolvers to bypass enterprise DNS controls, and TLS-encrypted C2 over a non-standard port. Includes a plugin system supporting credential theft (browsers/Outlook/crypto wallets), MITM web injection via proxy, and a loader/RAT redeployment loop; disables Task Scheduler event logging after establishing scheduled-task persistence.
Fileless PowerShell-based remote access trojan that communicates over raw TCP (port 25658) wrapped in TLS 1.0 using a pinned self-signed certificate, exchanging GZip-compressed JSON. Supports plugin delivery (reflective .NET DLL loading), system command execution, persistence installation (scheduled task every 3 minutes), and evasion (custom DNS resolvers, obfuscation, UAC bypass via CMSTPLUA with PEB masquerade).