#gh0strat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #gh0strat, aggregated by home.social.
-
Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT
#Gh0stRAT #DeepSeek
https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/ -
Happy Wednesday everyone!
#GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.
Looking at two password stealer payloads, it can give us some ideas of where to begin a hunt focused on this threat: Both the Chrome and MS Edge password stealer added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectfully). An interesting hunt would be to look at new executables added to this directory OR hunt for executables that may be masquerading as browser related executables! However you do it, get hunting!
GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting
-
Happy Wednesday everyone!
#GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.
Looking at two password stealer payloads, it can give us some ideas of where to begin a hunt focused on this threat: Both the Chrome and MS Edge password stealer added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectfully). An interesting hunt would be to look at new executables added to this directory OR hunt for executables that may be masquerading as browser related executables! However you do it, get hunting!
GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting
-
Happy Wednesday everyone!
#GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.
Looking at two password stealer payloads, it can give us some ideas of where to begin a hunt focused on this threat: Both the Chrome and MS Edge password stealer added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectfully). An interesting hunt would be to look at new executables added to this directory OR hunt for executables that may be masquerading as browser related executables! However you do it, get hunting!
GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting
-
Happy Wednesday everyone!
#GodRAT is a new remote trojan that is targeting financial institutions as reported by Kaspersky. According to their analysis, GodRAT is based on the #Gh0stRAT codebase and uses steganography to evade detection. It supports additional plugins that are used to explore the victim's systems, deploy browser password stealers, and during the attack they even deployed the #AsyncRAT as a backup to maintain access.
Looking at two password stealer payloads, it can give us some ideas of where to begin a hunt focused on this threat: Both the Chrome and MS Edge password stealer added an executable to the path %ALLUSERSPROFILE%\google\ and named them after the browser they were after ("chrome.exe" and "msedge.exe" respectfully). An interesting hunt would be to look at new executables added to this directory OR hunt for executables that may be masquerading as browser related executables! However you do it, get hunting!
GodRAT – New RAT targeting financial institutions
https://securelist.com/godrat/117119/Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #IntelDriveThreatHunting
-
DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
#SainboxRAT #Gh0stRAT
https://www.netskope.com/blog/deepseek-deception-sainbox-rat-hidden-rootkit-delivery -
Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
#SilverFox #Gh0stRAT
https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/ -
This is a destructive OPSEC failure.
PoC code is trivial to find along with a simple Censys query to uncover vulnerable hosts. The code itself supports a TXT file of URLs so....spray and pray method to find targets. Certain campaigns used #XMRig, GoThief, and backdoors like #Gh0stRAT and #PlugX.It should go without saying to not make your file servers open to the public but some didn't get the memo.
#HFS #CVE202423692 #ThreatIntel -
"👾 HiddenGh0st Malware: A Silent Menace to MS-SQL Servers 🖥️"
The HiddenGh0st malware, a variant of the notorious Gh0st RAT, has been wreaking havoc on MS-SQL servers. Developed by the C. Rufus Security Team from China, this malware has evolved, now deploying an open-source rootkit named Hidden to ensure its stealth and persistence on infected systems. The malware is distributed in a packed state to evade detection, and once unpacked, it communicates with its C&C server, receiving commands to execute various malicious activities. It's capable of keylogging, stealing account credentials via Mimikatz, and even enabling remote desktop for further exploitation. The primary targets appear to be Chinese users, given the malware's specific focus on QQ Messenger data exfiltration. The detailed analysis by AhnLab's ASEC provides a deep dive into its nefarious functionalities and the threat it poses to poorly managed MS-SQL servers.
Source: ASEC Blog
Tags: #HiddenGh0st #Gh0stRAT #MSSQL #Cybersecurity #MalwareAnalysis #Rootkit #ChineseCyberThreats #InfoSec #AhnLab 🇨🇳🔐🖥️
-
"👾 HiddenGh0st Malware: A Silent Menace to MS-SQL Servers 🖥️"
The HiddenGh0st malware, a variant of the notorious Gh0st RAT, has been wreaking havoc on MS-SQL servers. Developed by the C. Rufus Security Team from China, this malware has evolved, now deploying an open-source rootkit named Hidden to ensure its stealth and persistence on infected systems. The malware is distributed in a packed state to evade detection, and once unpacked, it communicates with its C&C server, receiving commands to execute various malicious activities. It's capable of keylogging, stealing account credentials via Mimikatz, and even enabling remote desktop for further exploitation. The primary targets appear to be Chinese users, given the malware's specific focus on QQ Messenger data exfiltration. The detailed analysis by AhnLab's ASEC provides a deep dive into its nefarious functionalities and the threat it poses to poorly managed MS-SQL servers.
Source: ASEC Blog
Tags: #HiddenGh0st #Gh0stRAT #MSSQL #Cybersecurity #MalwareAnalysis #Rootkit #ChineseCyberThreats #InfoSec #AhnLab 🇨🇳🔐🖥️
-
"👾 HiddenGh0st Malware: A Silent Menace to MS-SQL Servers 🖥️"
The HiddenGh0st malware, a variant of the notorious Gh0st RAT, has been wreaking havoc on MS-SQL servers. Developed by the C. Rufus Security Team from China, this malware has evolved, now deploying an open-source rootkit named Hidden to ensure its stealth and persistence on infected systems. The malware is distributed in a packed state to evade detection, and once unpacked, it communicates with its C&C server, receiving commands to execute various malicious activities. It's capable of keylogging, stealing account credentials via Mimikatz, and even enabling remote desktop for further exploitation. The primary targets appear to be Chinese users, given the malware's specific focus on QQ Messenger data exfiltration. The detailed analysis by AhnLab's ASEC provides a deep dive into its nefarious functionalities and the threat it poses to poorly managed MS-SQL servers.
Source: ASEC Blog
Tags: #HiddenGh0st #Gh0stRAT #MSSQL #Cybersecurity #MalwareAnalysis #Rootkit #ChineseCyberThreats #InfoSec #AhnLab 🇨🇳🔐🖥️
-
"👾 HiddenGh0st Malware: A Silent Menace to MS-SQL Servers 🖥️"
The HiddenGh0st malware, a variant of the notorious Gh0st RAT, has been wreaking havoc on MS-SQL servers. Developed by the C. Rufus Security Team from China, this malware has evolved, now deploying an open-source rootkit named Hidden to ensure its stealth and persistence on infected systems. The malware is distributed in a packed state to evade detection, and once unpacked, it communicates with its C&C server, receiving commands to execute various malicious activities. It's capable of keylogging, stealing account credentials via Mimikatz, and even enabling remote desktop for further exploitation. The primary targets appear to be Chinese users, given the malware's specific focus on QQ Messenger data exfiltration. The detailed analysis by AhnLab's ASEC provides a deep dive into its nefarious functionalities and the threat it poses to poorly managed MS-SQL servers.
Source: ASEC Blog
Tags: #HiddenGh0st #Gh0stRAT #MSSQL #Cybersecurity #MalwareAnalysis #Rootkit #ChineseCyberThreats #InfoSec #AhnLab 🇨🇳🔐🖥️
-
"👾 HiddenGh0st Malware: A Silent Menace to MS-SQL Servers 🖥️"
The HiddenGh0st malware, a variant of the notorious Gh0st RAT, has been wreaking havoc on MS-SQL servers. Developed by the C. Rufus Security Team from China, this malware has evolved, now deploying an open-source rootkit named Hidden to ensure its stealth and persistence on infected systems. The malware is distributed in a packed state to evade detection, and once unpacked, it communicates with its C&C server, receiving commands to execute various malicious activities. It's capable of keylogging, stealing account credentials via Mimikatz, and even enabling remote desktop for further exploitation. The primary targets appear to be Chinese users, given the malware's specific focus on QQ Messenger data exfiltration. The detailed analysis by AhnLab's ASEC provides a deep dive into its nefarious functionalities and the threat it poses to poorly managed MS-SQL servers.
Source: ASEC Blog
Tags: #HiddenGh0st #Gh0stRAT #MSSQL #Cybersecurity #MalwareAnalysis #Rootkit #ChineseCyberThreats #InfoSec #AhnLab 🇨🇳🔐🖥️
-
Asec: HiddenGh0st Malware Attacking MS-SQL Servers https://asec.ahnlab.com/en/57185/ #MalwareInformation #HiddenGh0st #Gh0stRAT #rootkit #Hidden #rat
-
While Gh0st RAT has been extensively used in various cyber campaigns linked to China over the years, the emergence of ValleyRAT suggests that it may see wider deployment in the future.
#Cybersecurity #Malware #Phishing #Trojan #Gh0stRAT #ValleyRAT