Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Gh0st RAT

64
Global rank
30 infographic chevron month
Month rank
33 infographic chevron week
Week rank
0
IOCs

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

RAT
Type
China
Origin
1 January, 2008
First seen
28 January, 2025
Last seen
Also known as
Ghost RAT

How to analyze Gh0st RAT with ANY.RUN

RAT
Type
China
Origin
1 January, 2008
First seen
28 January, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
How ANY.RUN Helps Healthcare Organizations Ag...
watchers 245
comments 0
post image
How to Prevent a Ransomware Attack on a Busin...
watchers 1089
comments 0
post image
How Threat Intelligence Lookup Helps Enterpri...
watchers 1066
comments 0

What is Gh0st RAT malware?

Gh0st RAT is one of the long-standing members of the global threat landscape. Launched in 2008, it remains in full operation to this day. The RAT part in the malware’s name stands for Remote Access Trojan, meaning that it provides attackers with the capacity to control the victim’s machine and manipulate it.

The original developers of Gh0st RAT were from China. However, due to the open-source nature of its code, criminals from many other countries have created their iterations of the malicious software. As a result, there are many versions of this trojan with varying sets of features.

If you're interested in exploring variants of Gh0st, we recommend reading our article about Gh0stBins, Gh0stBins, Chinese RAT: Malware Analysis, Protocol Description, RDP Stream Recovery.

The most notable aspect of Gh0st RAT is that it has been utilized by criminal groups linked to the Chinese government. For instance, in 2009, the malware was used to target Tibetan organizations. There were also instances of attacks on businesses in various fields, including healthcare and banking.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the Gh0st RAT malicious software

The standard set of features of Gh0st RAT includes the following:

  • Mouse and keyboard manipulation: The malware can record the keys that a user presses on their keyboard, as well as the movements of the mouse. Thus, attackers can discover passwords and other credentials used by the victim. It also can disable these devices.
  • Screenshot and webcam capturing: Gh0st can take a picture of the user's computer screen and webcam. This is often employed by threat actors to conduct surveillance.
  • Microphone recording: The malware is also capable of listening to the user's microphone.
  • File system access: The RAT can transfer files between the infected computer and its remote server. Subsequently, it can both steal sensitive information and drop additional malware, as well as execute it and run programs or scripts.
  • System reboot: It can restart the system to gain persistence and shut it down completely to prevent the victim from attempting to mitigate the threat.

To persist on the system, Gh0st RAT adds registry entries that allow it to automatically execute itself on every system startup. The malware can scan the system to determine if it is running inside a virtual machine and if antivirus software is installed. These actions help it hide its behavior from security analysts and avoid detection. It also utilizes encryption to obfuscate its functions.

Essentially, Gh0st operates similarly to other RAT malware families, such as njRAT and DCrat.

Execution process of Gh0st RAT

By uploading a sample of Gh0st RAT to ANY.RUN, an interactive sandbox for malware analysis, we can observe its malicious processes in detail and collect IOCs.

The execution process of the Gh0st Stealer typically begins with a user inadvertently downloading or executing a malicious file, often disguised as legitimate software or attached to phishing emails. Once executed, the malware establishes a connection to a remote command and control (C2) server, allowing the attacker to remotely control the infected system. This malware utilizes various system tools for execution, such as CMD in our example.

Gh0st Stealer then begins its data theft operations, scanning the system for sensitive information such as usernames, passwords, and financial data. Captured data is exfiltrated back to the attacker's server, where it can be used for malicious purposes or sold on the dark web. The malware may also maintain persistence on the compromised system, allowing for continued data theft and remote control capabilities. In our task stealer use steganography techniques in order to prevent the detection of hidden information – It hides an encrypted DLL file inside a downloaded JPEG image.

Gh0st process tree shown in ANY.RUN Gh0st process tree demonstrated in ANY.RUN

Gathering threat intelligence on Gh0st RAT malware

To collect up-to-date intelligence on Gh0st RAT, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Gh0st RAT.

Gh0st RAT ANY.RUN Search results for Gh0st RAT in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"gh0st" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from Gh0st RAT samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of the Gh0st RAT malware

As mentioned earlier, Gh0st RAT is often used in targeted campaigns against government organizations and businesses. In order to carry out them successfully, attackers implement the method of spear phishing.

This involves composing emails that are similar to those sent by legitimate entities to trick the victim into downloading a malicious attachment or clicking on an unsafe link.

Conclusion

Gh0stRAT is a veteran RAT with an open-source code that continues to be used by both individuals and organized groups in attacks around the world. Due to the fact that phishing campaigns constitute the key starting point of infection, businesses need to exercise extra vigilance when handling suspicious emails.

By analyzing all files and emails from unknown senders in ANY.RUN, companies can quickly identify whether they were targeted by criminals. The service offers conclusive verdicts on the malicious activities of samples and generates comprehensive reports, containing IOCs and configs to ensure future detection.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More