gh0st RAT
Gh0st RAT is a Windows remote access trojan (RAT) whose source code was released publicly in 2008 and which has remained in use by multiple threat actors and APT groups ever since. It first gained major public attention in 2009, when the GhostNet espionage operation used it against diplomatic, political, economic, and military targets worldwide. Public reporting associates the family with Chinese threat activity and tooling ecosystems, including use by or alongside groups such as Wicked Panda/APT41, Webworm/Space Pirates, and STONE PANDA-related personas; the reporting also notes continued use of Gh0st RAT variants in recent operations, and that ValleyRAT/Winos 4.0 derives from the Gh0st RAT code base.
Across public reporting, Gh0st RAT is described as a Windows RAT that can open a remote shell to execute commands, inject code into other processes via its "Command_Create&Inject" function, check for an existing Service registry key to decide whether it is already installed, and zlib-compress C2 data before any encryption is applied. ATT&CK mappings also credit it with downloading additional payloads, registry-based persistence, and input capture.
One variant analysed by Splunk was decrypted from its loader's resources and executed via rundll32.exe. It enabled SeDebugPrivilege and persisted through Windows Run keys, service creation, and abuse of the RemoteAccess (RRAS) service: it wrote a malicious entry under SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip and restarted the service so that the service loaded its DLL with SYSTEM privileges. The same variant detected VMware via HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe, derived candidate C2 information from the title of a Sina blog page (a dead-drop resolver), killed the process bound to DNS port 53, altered DNS behaviour and the hosts file to block security-related domains including Alyac, Ahnlab, and V3lite, flushed the resolver cache with ipconfig /flushdns, collected the MAC address and physical drive serial number, and keylogged mstsc.exe RDP sessions using GetKeyState and GetAsyncKeyState.
Observed delivery and deployment methods include loaders that decrypt the RAT DLL, drop it under a random name in a random folder on C:\, and launch it with rundll32.exe; DLL sideloading chains; and installation on exposed Windows MySQL servers, where attackers scan TCP/3306, gain access by brute force, dictionary attack, or exploitation, and abuse MySQL user-defined function (UDF) DLLs to execute OS commands. Reporting also references modified Gh0st payloads, debug-style samples that still contain Gh0st source code, and use in broader malware clusters alongside PlugX, Trochilus, Poison Ivy, DarkComet, and CloverPlus adware.
High-confidence indicators and artifacts cited in reporting include: the Splunk-reported loader SHA-256 fda9864b1aa230b60d0c736559415ac9c79e240cce411daed5da2facb9ced87c; a dead-drop URL pattern hxxp://blog[.]sina[.]com[.]cn/u/<id>; Sophos-referenced samples containing Gh0st source code, d86f1292d83948082197f0a29fcb69fdec9feb4bf3898d7b8e693c7d5a28099c and 64613eadd91a803fe103bef5349db04ddfc01b8d115ba7a24a694563123d38ad; Symantec-listed Gh0st-related samples 1e725f1fe67d1a596c9677df69ef5b1b2c29903e84d7b08284f0a767aedcc097, b0a58c6c859833eb6fb1c7d8cb0c5875ab42be727996bcc20b17dd8ad0058ffa, and 1CC32C7F2C90A558BA5FF6BA191E655B20D7C65C10AF0D5D06820A28C2947EFD; and a 2017 sideloading case in which a malicious DLL was attributed as Gh0st RAT.
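The host-side behaviours summarised above (the rogue RouterManagers\Ip entry, Run-key persistence launched through rundll32.exe from a random top-level folder, and hosts-file sinkholing of AV vendor domains) translate directly into triage checks. The following is an added example written for this page, not code from Splunk or any other vendor report: it parses a `reg export`-style dump and a hosts file and flags those three artifacts. The sample dump and hosts file are constructed; the folder name mPaR3, the DLL name xk9f.dll, the subkey name Update and the hostnames are assumptions, not page IOCs. The "legitimate value" heuristic (only iprtrmgr.dll under System32 is expected under RouterManagers) is the example's own assumption.

```python
"""Host-artifact triage for the Gh0st RAT behaviours summarised above.

Added example; not code from any of the vendor reports on this page. The
registry path, Run-key persistence, rundll32 launch and hosts-file sinkholing
come from the description above. Hostnames, folder and DLL names in the
sample data are constructed for the example and are not page IOCs.
"""
import re

# Constructed hosts file: loopback/null-route entries for AV vendor domains,
# modelled on the blocking of Alyac, AhnLab and V3Lite domains (hostnames assumed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.alyac.co.kr
127.0.0.1       update.ahnlab.com
0.0.0.0         v3lite.com
127.0.0.1       intranet.corp.example   # non-vendor entry, still worth a look
"""

# Constructed `reg export`-style dump: the legitimate IP router manager entry,
# a rogue subkey under RouterManagers\Ip, and a Run value launching a DLL from
# a random top-level folder via rundll32.exe (all paths are assumptions).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip]
"DLLPath"="C:\\Windows\\System32\\iprtrmgr.dll"
"ProtocolId"=dword:00000021

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\Update]
"DLLPath"="C:\\mPaR3\\xk9f.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="rundll32.exe C:\\mPaR3\\xk9f.dll,Run"
"""


def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: data}}.
    String data is unquoted and un-escaped; other types are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


ROUTER_MANAGERS = "\\services\\remoteaccess\\routermanagers\\"


def rogue_router_managers(keys):
    """Flag RouterManagers DLLPath values that are not the Windows IP router
    manager (iprtrmgr.dll under System32). RRAS loads whatever DLL this points
    at when the service starts, as SYSTEM. Heuristic (assumption): anything
    else is treated as suspicious."""
    hits = []
    for key, values in keys.items():
        if ROUTER_MANAGERS not in key.lower():
            continue
        dll = values.get("DLLPath", "")
        low = dll.lower()
        if dll and not (low.endswith("\\iprtrmgr.dll") and "\\system32\\" in low):
            hits.append((key, dll))
    return hits


SECURITY_VENDOR_TOKENS = ("alyac", "ahnlab", "v3lite")   # from the analysed variant
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def sinkholed_hosts(text):
    """Return (hostname, address, is_security_vendor) for every hosts-file
    entry that points a non-localhost name at a loopback/null address."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLE_ADDRS:
            continue
        for name in fields[1:]:
            if name.lower() == "localhost":
                continue
            vendor = any(tok in name.lower() for tok in SECURITY_VENDOR_TOKENS)
            hits.append((name, fields[0], vendor))
    return hits


RUN_KEY = "\\microsoft\\windows\\currentversion\\run"   # also matches RunOnce
# rundll32 launching a DLL that sits one folder below the drive root (C:\<dir>\<file>.dll)
RUNDLL_TOPLEVEL = re.compile(
    r'rundll32(?:\.exe)?\s+"?([a-z]:\\[^\\"\s,]+\\[^\\"\s,]+\.dll)', re.I)


def rundll32_run_entries(keys):
    """Flag Run/RunOnce values that launch a DLL from a top-level folder via rundll32.exe."""
    hits = []
    for key, values in keys.items():
        if RUN_KEY not in key.lower():
            continue
        for name, data in values.items():
            m = RUNDLL_TOPLEVEL.search(data)
            if m:
                hits.append((key, name, m.group(1)))
    return hits


def triage(hosts_text=SAMPLE_HOSTS, reg_text=SAMPLE_REG):
    """Run all three checks and return the findings grouped by check."""
    keys = parse_reg_export(reg_text)
    return {
        "router_managers": rogue_router_managers(keys),
        "sinkholed_hosts": sinkholed_hosts(hosts_text),
        "rundll32_run": rundll32_run_entries(keys),
    }


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section)
        for hit in hits:
            print("   ", *hit)
```

On a live host, feed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess` and of the Run/RunOnce keys into `parse_reg_export`, and `C:\Windows\System32\drivers\etc\hosts` into `sinkholed_hosts`. The RouterManagers check is the highest-signal of the three: that key is rarely touched by anything but Windows itself.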
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
“RAT malware such as Gh0stRAT and PlugX often used by Chinese threat actors…”
Groups observed using it
23 distinct threat actors attributed by public researchers.
Starting in 2023, the hackers moved to stealthier tools like the abuse of msbuild.exe to load C# payloads from remote SMB shares, as well as variants of the Gh0stRAT malware.
While the source code for Gh0st RAT was released online in 2008, the malware has continued to be used by advanced persistent threat (APT) groups. ... Gh0st RAT first made headlines back in 2009, when a cyber-espionage group called GhostNet used it to target diplomatic, political, economic, and military targets around the world.
The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad.
In this case, however, it contains the source code of the infamous gh0st RAT.
The fake FBI domain is one of the group’s favourites... five of which are observed to be used as the C2 server for malware such as KEYPLUG, SOGU, Cobalt Strike BEACON, GRAYRABBIT and Gh0st.
Attacks mounted by the group have leveraged remote access trojans (RATs) like Trochilus RAT, Gh0st RAT, and 9002 RAT.
Sample 3: Gh0stRAT Variant ... This is a Gh0stRAT variant compiled with MSVC.
the group had deployed publicly available malware including gh0st RAT, QUASARRAT, and AMADEY
Live config extraction reveals stock Gh0st RAT defaults and fabricated WHOIS data with a Chinese registrant email — Silver Fox APT's continued expansion into Japan.
Malware used include: Aryan, Gh0st RAT, Rifdoor, Phandoor, and Andarat.
At the final stage, the attacker deploys a modified version of gh0st RAT, granting full remote access to the infected system for data theft, lateral movement, and long-term espionage.
The code and functions are similar to the malware Gh0stRAT, which is also used by BlackTech.
Nezha, which ensured Microsoft Defender exclusions before launching Gh0st RAT.
Attackers “deploy[ed] Nezha to remotely execute commands and deliver Gh0st RAT,” compromising more than 100 systems worldwide.
Appendix A lists "Gh0st RAT" under Malware.
APT40 has used a combination of tool frameworks and malware to establish persistence, escalate privileges, map, and move laterally on victim networks. ... Gh0stRAT
Tools: Sysupdate, China Chopper, OwaAuth, ZxShell, Gh0st RAT, PoisonIvy, Hunter, PlugX, Enfal, HttpBrowser, 9002, ASPXSpy, HyperBro
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.
Previous research on the group’s activity found that it uses custom loaders hidden behind decoy documents...
Persistence
3 techniques
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
In that research, the version of Gh0st RAT included features such as ... network service creation...
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
5 techniques
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
Access Token Manipulation: T1134 This Gh0st RAT variant adjusts its process token to enable “SeDebugPrivilege”, allowing it to interact with and manipulate other processes.
In that research, the version of Gh0st RAT included features such as ... network service creation...
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
The logexts.dat file is obfuscated and includes several User Account Control (UAC) bypasses.
Stealth
8 techniques
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Access Token Manipulation: T1134 This Gh0st RAT variant adjusts its process token to enable “SeDebugPrivilege”, allowing it to interact with and manipulate other processes.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
The decrypted DLL is then executed using the rundll32.exe Windows application, as shown in Figure 02.
Then the file unpacks and executes in memory its backdoor payload, a variant of the Trochilus RAT...
Delay Execution: T1678 Figure 08 shows a code snippet from Gh0st RAT implementing a ping-based sleep technique. The malware leverages ping.exe with the -n parameter to introduce a delay in execution.
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
System Network Configuration Discovery: T1016 This RAT also collects basic network information from the compromised host, including the MAC address.
Remote System Discovery: T1018 This Gh0st RAT variant can block access to specific domains, such as security-related websites, by utilizing a configuration file retrieved from its Command and Control (C2) server.
System Owner/User Discovery: T1033 Figure 05 shows a screenshot of a function within this RAT that identifies the process associated with DNS traffic on port 53.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
Remote desktop: real-time screen control, multi-monitor support, H.264 encoding, adaptive quality; web remote desktop: WebSocket-based, lets phones and tablets reach the remote desktop through a browser.
Collection
2 techniques
Input Capture: Keylogging: T1056.001 Lastly, this RAT monitors the mstsc.exe process, which is the client used for Remote Desktop Protocol (RDP) connections in Windows.
T1113 Agent Tesla, AsyncRAT, Braodo Stealer, gh0st RAT, Lumma Stealer, njRAT, PlugX, RedLine Stealer, Remcos, XWorm
Command and Control
8 techniques
Some Backdoor.Oldrea samples use standard Base64 + bzip2... gh0st RAT has used Zlib to compress C2 communications data before encrypting it... HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.
C2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
Application Layer Protocol: DNS: T1071.004 Figure 10 shows a code snippet from Gh0st RAT responsible for generating spoofed DNS responses.
Web Service: Dead Drop Resolver: T1102.001 If the malware detects that it is running inside a VMware virtual machine, it spawns a separate thread responsible for performing a dead drop resolver (DDR) routine.
MITRE ATT&CK Technique Malware Families T1105 0bj3ctivity Stealer, Agent Tesla, Amadey, AsyncRAT, Castle RAT, DarkCrystal RAT, gh0st RAT, Lokibot, njRAT, PlugX, QuasarRAT, RedLine Stealer, Remcos
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
According to the Remote Access Trojan definition, a RAT is a form of malware that provides the perpetrator remote access and control of the infected computer or server.
Unlike the last cluster however, this variant appears to have been used in an extensive DDNS cluster of infrastructure dating back to at least 2013... that campaign appeared to have slightly different tactics, techniques, and procedures (TTPs), including potentially target-themed domain infrastructure as well as heavily relying on dynamic DNS for C2 domains.
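The zlib-before-encryption detail in the Command and Control evidence above, and in the family summary, is what makes Gh0st traffic recognisable on the wire. The following is an added example written for this page, not code from the page or from any Gh0st build: it frames and parses the classic open-source Gh0st packet layout, a 13-byte header (5-byte flag "Gh0st", total packet size, uncompressed size, both little-endian 32-bit) followed by a zlib stream, and includes a flag-agnostic detector for variants that swap the 5-byte flag but keep the zlib framing. The sample body, the alternate flag b"Xy9zt" and the single-byte XOR used to stand in for a variant's encryption layer are constructed assumptions.

```python
"""Gh0st-style C2 framing: 5-byte flag, two little-endian lengths, zlib body.

Added example; not code from the page or from any Gh0st build. The layout is
the classic open-source Gh0st header (13 bytes: "Gh0st", total packet size,
uncompressed size) followed by a zlib stream. The sample body, the alternate
flag b"Xy9zt" and the XOR key standing in for a variant's encryption layer
are constructed assumptions.
"""
import struct
import zlib

HEADER = struct.Struct("<5sII")   # flag, nSize (whole packet), nOriginSize (before zlib)
DEFAULT_FLAG = b"Gh0st"


def build_packet(body: bytes, flag: bytes = DEFAULT_FLAG) -> bytes:
    """Frame a command body the way the classic client does: zlib first, then header."""
    compressed = zlib.compress(body)
    return HEADER.pack(flag, HEADER.size + len(compressed), len(body)) + compressed


def parse_packet(stream: bytes, flag: bytes = DEFAULT_FLAG):
    """Pull one packet off a byte stream. Returns (body, remaining) or None if
    more data is needed; raises ValueError on a malformed frame."""
    if len(stream) < HEADER.size:
        return None
    got_flag, total, orig = HEADER.unpack_from(stream)
    if got_flag != flag:
        raise ValueError(f"unexpected flag {got_flag!r}")
    if total < HEADER.size:
        raise ValueError("declared size smaller than header")
    if len(stream) < total:
        return None                      # wait for the rest of the TCP segment(s)
    body = zlib.decompress(stream[HEADER.size:total])
    if len(body) != orig:
        raise ValueError("uncompressed length does not match header")
    return body, stream[total:]


def sniff(packet: bytes):
    """Flag-agnostic detector for unencrypted Gh0st-family framing: variants
    swap the 5-byte flag, but keep the zlib stream (0x78 first byte) and the
    two length fields, which must agree with what actually decompresses.
    Returns (flag, body) or None."""
    if len(packet) < HEADER.size + 2:
        return None
    flag, total, orig = HEADER.unpack_from(packet)
    if total != len(packet) or packet[HEADER.size] != 0x78:
        return None
    try:
        body = zlib.decompress(packet[HEADER.size:total])
    except zlib.error:
        return None
    return (flag, body) if len(body) == orig else None


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for the extra encryption layer some variants apply."""
    return bytes(b ^ key for b in data)


# Constructed sample body: a token byte followed by a fake host/IP check-in.
SAMPLE_BODY = b"\x01" + b"WIN-DESK01|10.0.0.5|Windows 10" + b"\x00" * 64


if __name__ == "__main__":
    pkt = build_packet(SAMPLE_BODY)
    body, rest = parse_packet(pkt + b"trailing")
    print(len(pkt), body[:16], rest)
    print(sniff(build_packet(SAMPLE_BODY, b"Xy9zt")))      # variant flag is still caught
    print(sniff(xor(build_packet(SAMPLE_BODY), 0x5A)))      # encrypted: needs decryption first
```

A network rule keyed only on the literal "Gh0st" at offset 0 misses any rebuilt variant; `sniff` instead checks that the zlib stream decompresses to exactly the length the header claims, which survives a swapped flag but not an encryption layer. For variants that encrypt after compression, the same check applies once the stream has been decrypted, as the last `print` shows by failing on the XOR-wrapped packet.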
IOCs tracked for this family
121 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
139 sources tracked across advisories, community write-ups, and news.
A remote access trojan used by Webworm and also noted as deployed by SixLittleMonkeys.
A widely reused remote access trojan whose source code became public in 2008. In Webworm-linked activity, modified variants included obfuscation, network service creation, UAC bypassing, and shellcode unpacking and in-memory execution to hinder analysis and bypass protections.
Referenced as the malware family lineage whose panel builders ship default Chinese placeholder config strings such as 默认备注 ("default remark") and 默认分组 ("default group"). It provides family context for the ValleyRAT implant and its builder artifacts.