All news with #gh0st rat tag
Mon, November 17, 2025
Dragon Breath Deploys RONINGLOADER to Deliver Gh0st RAT
Elastic Security Labs and Unit 42 describe a China‑focused campaign in which the actor Dragon Breath uses a multi‑stage loader named RONINGLOADER to deliver a modified Gh0st RAT. The attack leverages trojanized NSIS installers that drop two embedded packages—one benign and one stealthy—to load a DLL and an encrypted tp.png file containing shellcode. The loader employs signed drivers, WDAC tampering, and Protected Process Light abuse to neutralise endpoint protections popular in the Chinese market before injecting a persistent high‑privilege backdoor.
Fri, November 14, 2025
Large-Scale Impersonation Campaigns Deliver Gh0st RAT
Palo Alto Networks Unit 42 identified two interconnected 2025 campaigns that used large-scale brand impersonation to deliver variants of the Gh0st remote access Trojan to Chinese-speaking users globally. The adversary evolved from simple droppers (Campaign Trio, Feb–Mar 2025) to sophisticated, multi-stage MSI-based chains abusing signed binaries, VBScript droppers and public cloud storage (Campaign Chorus, May 2025 onward). The report includes representative IoCs and mitigation guidance for Advanced WildFire, Cortex XDR and allied protections.
Wed, October 8, 2025
Chinese-Linked Hackers Weaponize Nezha via Log Poisoning
Huntress reported that threat actors with suspected ties to China abused a vulnerable phpMyAdmin panel in August 2025 to perform log poisoning, recording a PHP web shell into a query log and naming the file with a .php extension. The actors used the web shell (accessed via ANTSWORD) to deploy the open-source Nezha agent and inventory over 100 hosts—primarily in Taiwan, Japan, South Korea and Hong Kong. The Nezha agent facilitated execution of an interactive PowerShell script that created Microsoft Defender exclusions and launched Gh0st RAT via a loader and dropper.