home.social

#ghostweaver — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #ghostweaver, aggregated by home.social.

  1. ----------------

    🔬 Malware Analysis — GhostWeaver

    GhostWeaver is a fileless PowerShell remote access trojan that leverages GZip-compressed JSON inside TLS 1.0 sessions on port 25658 for command-and-control. Multiple vendors label detections as Pantera; attribution links the payload to TA582 operating via the TAG-124 traffic distribution system, with Recorded Future and Mandiant mappings to TA582/UNC4108.

    Key technical observations:
    • Delivery and persistence: Early PE32 GUI droppers (May 2022) transitioned to fileless PS1 delivery via TAG-124 by 2024. PS1 builds share a mutex (euzizvuze), pinned TLS certificate, and port 25658. Two size classes appear in builds (~280–330 KB and ~610–630 KB).
    • C2 and protocol: C2 communication uses TLS 1.0 and transports GZip-compressed JSON payloads. Four distinct DGA systems were mapped across the kill chain. Live C2 addresses observed: 178.156.128.182 (v0.20, Hetzner) and 86.107.101.93 (v0.23, Redoubt Networks).
    • Implant behavior and installer: A captured C2 served a byte-identical 206 KB persistence installer within 170 ms; that installer decodes to a ~58 KB PowerShell framework with four persistence modes, a CMSTPLUA UAC bypass, and PEB masquerade to explorer.exe. AV detection of captured installer is low (VirusTotal score 1/76 in the sample reported).
    • Evasion and ecosystem: The toolset includes AV-aware install logic, custom DNS resolver chains to bypass corporate filtering, and sandbox/decoy handling (MintsLoader used for target scoring and sandbox evasion). Huntress reported large-scale compromise counts (10,000+ machines in a BOINC-themed campaign).
    • Sample set and tracing: 16 samples (11 PS1, 4 PE32, 1 JS) span May 2022–March 2026 across four C2 clusters and 16 infrastructure nodes. TLS cert pinning uses a specific self-signed 4096-bit cert SHA256 fingerprint; multiple builds were enumerated (v0.20–v0.23 observed live).

    This analysis documents a mature fileless RAT with multiple DGAs, persistence options, and active C2 infrastructure. Technical indicators include mutex euzizvuze, port 25658, pinned cert fingerprint, and the noted C2 IPs. #GhostWeaver #TA582 #Pantera #TAG124

    🔗 Source: derp.ca/research/ghostweaver-t

  2. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  3. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  4. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  5. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2

  6. NOTE: This has been updated to correct the malware names. Thanks, @netresec!

    2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

    Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

    A #pcap of the infection traffic, some artifacts, and further details are available at malware-traffic-analysis.net/2