Gh0stCringe
Gh0stCringe is a Gh0st RAT-derived remote access trojan and a more modern implementation of the Gh0st malware family. Public reporting states it is based on Gh0st RAT source code and has been used by several APT groups. It has been associated with Chinese threat activity, including campaigns linked to Silver Fox APT and operations attributed with moderate confidence to Alloy Taurus (GALLIUM/Softcell), and has also been referenced as part of Silver Fox's earlier Gh0st RAT-based tooling alongside ValleyRAT/Winos 4.0 and HoldingHands RAT.
Observed delivery vectors include phishing emails carrying malware-laced PDF documents or ZIP files. In Taiwan-focused campaigns, phishing messages impersonated government entities or business partners and used tax, invoice, and pension themes. One documented chain used malicious PDFs that redirected victims to download pages hosting ZIP archives. Those archives contained legitimate executables, shellcode loaders, and encrypted shellcode; execution led to decryption of shellcode and DLL side-loading by legitimate binaries. Fortinet reported that these chains included anti-VM and privilege-escalation stages and culminated in a component named "msgDb.dat" that provided command-and-control, collected user information, and could download modules for file management and remote desktop functionality.
Gh0stCringe has been observed targeting users in Taiwan and being leveraged against government networks. In a separate Southeast Asian government intrusion cluster active from 2022 through 2023, attackers who had initially exploited Microsoft Exchange Server vulnerabilities attempted to deploy Gh0stCringe using droppers named Cssrs.exe, which dropped moon.exe, and later conhost.exe placed at C:\ProgramData\ESET\RemoteAdministrator\Agent\conhost.exe. That broader activity was assessed as long-term espionage.
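The masqueraded paths above (conhost.exe under an ESET directory, a dropper named Cssrs.exe that mimics csrss.exe) are the kind of artifact a process-creation rule can catch. The following is an added example, not tooling from the page's sources: it runs three checks over constructed Sysmon-style events (the `EventID`/`Image` field names are an assumption) and flags a known bad path, a system binary name running outside the Windows system directories, and a filename that is an anagram of a system binary name.

```python
import ntpath

# Binaries that legitimately run only from the Windows system directories.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path reported for the masqueraded Gh0stCringe component (from the write-up above).
KNOWN_BAD_PATHS = {r"c:\programdata\eset\remoteadministrator\agent\conhost.exe"}


def classify_image(image):
    """Return a verdict string for a suspicious process image path, else None."""
    norm = image.strip().lower().replace("/", "\\")
    directory, name = ntpath.split(norm)
    if norm in KNOWN_BAD_PATHS:
        return "known_gh0stcringe_path"
    if name in SYSTEM_BINARIES:
        # Exact system binary name: only the directory decides.
        return None if directory in EXPECTED_DIRS else "system_binary_outside_system_dir"
    # Lookalike check: same letters as a system binary, e.g. Cssrs.exe vs csrss.exe.
    for legit in SYSTEM_BINARIES:
        if sorted(name) == sorted(legit):
            return "lookalike_of_" + legit
    return None


def scan_events(events):
    """Run classify_image over event dicts; return (EventID, Image, verdict) hits."""
    findings = []
    for ev in events:
        verdict = classify_image(ev["Image"])
        if verdict:
            findings.append((ev["EventID"], ev["Image"], verdict))
    return findings


# Constructed sample events; only the second, third and fifth should fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 2, "Image": r"C:\ProgramData\ESET\RemoteAdministrator\Agent\conhost.exe"},
    {"EventID": 3, "Image": r"C:\Users\Public\Cssrs.exe"},
    {"EventID": 4, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 5, "Image": r"C:\Temp\svchost.exe"},
]

if __name__ == "__main__":
    for event_id, image, verdict in scan_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {verdict} -> {image}")
```

The anagram check is deliberately narrow; a production rule would also compare against the full set of binaries in System32 and check the parent process (the page names Cssrs.exe dropping moon.exe).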
Public reporting links the family with high confidence to Silver Fox campaigns targeting Chinese-speaking users and Taiwan, and to Alloy Taurus activity against a Southeast Asian government. The available reporting does not provide a definitive standalone IOC set unique to Gh0stCringe beyond the filenames and paths noted above.
Groups observed using it
6 distinct threat actors attributed by public researchers.
The discovery of AtlasCross RAT represents an evolution of the threat actor's arsenal from Gh0st RAT derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
"Another piece of malware that the attackers tried to use is Gh0stCringe, which is based on the source code of Gh0st RAT."
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "...phishing emails... malicious attachments embedded in phishing emails."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A Gh0st RAT derivative in the Silver Fox malware arsenal, referenced as part of the tooling lineage preceding AtlasCross RAT.
RAT-family malware used in Taiwan-targeted phishing activity attributed to Silver Fox.
A Gh0st RAT variant delivered through phishing lures (taxes/invoices/pensions) using multi-stage loaders, DLL sideloading, and anti-VM/privilege-escalation techniques to reach a final payload that provides C2, host reconnaissance, and remote administration (file management/remote desktop) via additional modules.
Gh0st RAT-derived malware used to establish a foothold; deployed via a dropper and executed under masqueraded filenames/paths (e.g., conhost.exe under an ESET directory).