#ghostweaver — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #ghostweaver, aggregated by home.social.
-
----------------
🔬 Malware Analysis — GhostWeaver
GhostWeaver is a fileless PowerShell remote access trojan that leverages GZip-compressed JSON inside TLS 1.0 sessions on port 25658 for command-and-control. Multiple vendors label detections as Pantera; attribution links the payload to TA582 operating via the TAG-124 traffic distribution system, with Recorded Future and Mandiant mappings to TA582/UNC4108.
Key technical observations:
• Delivery and persistence: Early PE32 GUI droppers (May 2022) transitioned to fileless PS1 delivery via TAG-124 by 2024. PS1 builds share a mutex (euzizvuze), pinned TLS certificate, and port 25658. Two size classes appear in builds (~280–330 KB and ~610–630 KB).
• C2 and protocol: C2 communication uses TLS 1.0 and transports GZip-compressed JSON payloads. Four distinct DGA systems were mapped across the kill chain. Live C2 addresses observed: 178.156.128.182 (v0.20, Hetzner) and 86.107.101.93 (v0.23, Redoubt Networks).
• Implant behavior and installer: A captured C2 served a byte-identical 206 KB persistence installer within 170 ms; that installer decodes to a ~58 KB PowerShell framework with four persistence modes, a CMSTPLUA UAC bypass, and PEB masquerade to explorer.exe. AV detection of captured installer is low (VirusTotal score 1/76 in the sample reported).
• Evasion and ecosystem: The toolset includes AV-aware install logic, custom DNS resolver chains to bypass corporate filtering, and sandbox/decoy handling (MintsLoader used for target scoring and sandbox evasion). Huntress reported large-scale compromise counts (10,000+ machines in a BOINC-themed campaign).
• Sample set and tracing: 16 samples (11 PS1, 4 PE32, 1 JS) span May 2022–March 2026 across four C2 clusters and 16 infrastructure nodes. TLS cert pinning uses a specific self-signed 4096-bit cert SHA256 fingerprint; multiple builds were enumerated (v0.20–v0.23 observed live).This analysis documents a mature fileless RAT with multiple DGAs, persistence options, and active C2 infrastructure. Technical indicators include mutex euzizvuze, port 25658, pinned cert fingerprint, and the noted C2 IPs. #GhostWeaver #TA582 #Pantera #TAG124
🔗 Source: https://www.derp.ca/research/ghostweaver-tag124-powershell-rat/
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html
-
NOTE: This has been updated to correct the malware names. Thanks, @netresec!
2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT
Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.
A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html