GhostNet is a targeted cyber-espionage malware operation and network documented by Information Warfare Monitor and Citizen Lab in 2009 in the report "Tracking GhostNet." It was described as a large-scale espionage campaign that infiltrated 1,295 computers across 103 countries. The operation was associated with intrusions against Tibetan organizations, including the Dalai Lama’s office and prominent Tibetans, and against broader diplomatic and governmental targets. The cited reporting says the investigation began at the request of the Dalai Lama, and later references describe GhostNet as largely traced to Chinese servers; some sources characterize it as a Chinese spying operation, but the cited material provides no direct proof of Chinese government involvement. Reported capabilities included covert surveillance functions such as silently triggering webcams and surreptitiously activating audio inputs on compromised systems. The cited material also presents GhostNet as an example of an APT-style targeted malware operation and states that Poison Ivy had been used in other attacks, including GhostNet. High-confidence indicators of compromise are not provided in the cited material.
A cyber-espionage network uncovered after sensitive files were exfiltrated from Tibetan government computers; it was largely traced to Chinese servers.
Targeted cyber-espionage malware operation historically used to spy on Tibetan organizations and many government offices globally (as referenced for historical context).
Surveillance malware/program associated with covert activation of webcams and audio inputs for spying.
Referenced as a prior attack/toolset in which similar remote-access techniques were used.