Gh0st RAT (Remote Access Trojan) is a notorious piece of malware designed for Windows platforms that enables attackers to remotely control infected computers. First developed and released by the Chinese group C. Rufus Security Team in 2008, its open-source nature has allowed cybercriminals and nation-state actors worldwide to customize and deploy it in a wide range of cyber espionage and cybercrime campaigns.

Key Capabilities

• Full remote control of the infected device’s screen.
• Real-time and offline keystroke logging (keylogging).
• Access to the infected machine’s webcam and microphone for live audio/video surveillance.
• Downloading and executing files remotely.
• Remote shutdown and reboot of the system.
• Disabling user input (mouse and keyboard).
• Listing and managing running processes.
• Clearing event logs and removing system hooks for stealth.
• Establishing persistence by registering itself as a Windows service.
• Opening remote shells for command execution.

Infection and Operation

Gh0st RAT is typically delivered through phishing emails containing malicious attachments. Once executed, the malware uses a dropper to install its components:
• User-level DLL: Installed as a Windows service, it registers the infected machine with the attacker’s command-and-control (C2) server and awaits instructions.
• Kernel-level driver: Manipulates the Windows System Service Dispatch Table (SSDT) to facilitate stealth and privilege escalation.
• Dropper: Prepares the system and installs the malware using techniques like DLL side-loading.

Communication and Stealth

Gh0st RAT communicates with its C2 server using encrypted and compressed packets. Each packet typically starts with a five-character “magic word” (default: “Gh0st”), which helps identify the malware’s traffic. The malware often uses zlib compression and encrypts its communications to evade detection by security tools.
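As an added illustration of how the magic word and zlib compression described above can be turned into a network detection check (this is example code written for this page, not part of the original article or of any vendor tool), the following Python parser validates candidate packets and classifies them. It assumes a packet layout of the five-byte magic word followed by two little-endian 32-bit length fields (total packet length and uncompressed payload length) and then the zlib stream; that layout, the 13-byte header length, and the sample packets are assumptions constructed for the example. Because the magic word is only a default, the block also includes a heuristic for non-default magic words, which goes beyond the specific string in the text.

```python
import string
import struct
import zlib

DEFAULT_MAGIC = b"Gh0st"
# Assumed header layout for this example: magic[5] + total_len(u32 LE) + uncompressed_len(u32 LE)
HEADER_LEN = 13
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation)


def build_packet(payload: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Construct a sample packet in the assumed layout. Used only to feed the parser
    with test data; it is not a reproduction of the malware's own code."""
    compressed = zlib.compress(payload)
    total = HEADER_LEN + len(compressed)
    return magic + struct.pack("<II", total, len(payload)) + compressed


def _validate(buf: bytes):
    """Check length fields and zlib stream consistency; return the payload or None."""
    if len(buf) < HEADER_LEN:
        return None
    total, uncompressed = struct.unpack("<II", buf[5:HEADER_LEN])
    if total != len(buf):
        return None
    try:
        data = zlib.decompress(buf[HEADER_LEN:])
    except zlib.error:
        return None
    if len(data) != uncompressed:
        return None
    return data


def parse_packet(buf: bytes, magic: bytes = DEFAULT_MAGIC):
    """Strict match: default (or operator-supplied) magic word plus a consistent body."""
    if buf[:5] != magic:
        return None
    data = _validate(buf)
    if data is None:
        return None
    return {"magic": magic, "total": len(buf), "payload": data}


def looks_like_variant(buf: bytes):
    """Heuristic for builds that changed the magic word: five printable ASCII bytes,
    self-consistent length fields, and a payload that is a valid zlib stream.
    Returns the observed magic word or None. Expect some false positives on
    arbitrary binary protocols; treat a hit as a lead, not a verdict."""
    if len(buf) < HEADER_LEN + 2:
        return None
    magic = buf[:5]
    if any(chr(b) not in PRINTABLE for b in magic):
        return None
    if buf[HEADER_LEN] != 0x78:  # zlib CMF byte for deflate with a 32K window
        return None
    if _validate(buf) is None:
        return None
    return magic


def classify(buf: bytes) -> str:
    """Label a captured TCP payload for a detection pipeline."""
    if parse_packet(buf) is not None:
        return "gh0st-default"
    if looks_like_variant(buf) is not None:
        return "gh0st-like"
    return "benign"


if __name__ == "__main__":
    # Constructed samples: default magic, a renamed magic, and ordinary HTTP.
    samples = [
        build_packet(b"constructed command payload"),
        build_packet(b"constructed payload", magic=b"ABCDE"),
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    ]
    for s in samples:
        print(classify(s), s[:5])
```

In a real pipeline the classifier would run over reassembled TCP streams rather than single buffers, and a "gh0st-like" hit should be corroborated with the host-side indicators the article lists (an unexpected service, SSDT tampering) before raising an incident.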

Historical and Ongoing Use

Gh0st RAT gained international attention in 2009 during the “GhostNet” cyber-espionage operation, which targeted government offices, embassies, and the Dalai Lama’s Tibetan exile centers. Since its source code was leaked, numerous variants have emerged, some with enhanced features and targeting capabilities. It remains active in cyber-espionage campaigns, often attributed to Chinese-speaking or China-based threat actors, but its open-source status means it is used by a wide range of groups globally.

Notable Features and Variants

• Persistence: Registers as a service to survive reboots.
• Rootkit capabilities: Some variants include rootkits to hide files, processes, and registry keys.
• Variants: Numerous customized versions exist, such as “SugarGh0st,” with additional reconnaissance and evasion features.
• Targeting: Used against government, diplomatic, financial, healthcare, and educational institutions.