More than 2,000 domains impersonating popular, legitimate software were used to spread the Gh0st remote access trojan (RAT) in increasingly sophisticated attacks, Palo Alto Networks Unit 42 reported Friday.

Gh0st RAT provides attackers with remote shell access to the victim’s machine and enables the download of additional payloads as well as keystroke logging and screenshot capture.

In two related campaigns, one running from February to March 2025 and another throughout May 2025, the attackers targeted Chinese speakers with the lure of software downloads that are specifically popular among this demographic. This includes Chinese-language translation and dictionary software, as well as software designed to get around Chinese state censorship, such as VPNs and encrypted messengers.

The first wave of the campaign, dubbed “Campaign Trio,” impersonated three popular brands: i4tools, a tool for managing files on Apple devices; Youdao, a Chinese dictionary and translation application; and the AI application DeepSeek.

Campaign Trio leveraged a network of more than 2,000 domains hosted at three IP addresses to distribute fake software downloads that led to the deployment of Gh0st RAT. The malicious domains followed a naming convention of the brand name followed by a seemingly random alphanumeric suffix, and used a variety of top-level domains (TLDs) such as .top, .vip and .rest.

The domains appeared to be registered by an automated system that created more than 300 domains per week between mid-February and mid-March 2025. The mass creation of domains points to a “burn-and-churn” technique in which domain infrastructure is treated as disposable and resilience comes from the sheer volume and spread of malicious websites rather than from the longevity of any one of them.

The first campaign used a Microsoft Installer (MSI) based malware delivery method, with the malware installation hidden among many other seemingly benign installer actions.
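The naming convention and registration tempo described above are something a defender can hunt for in a newly-registered-domain (NRD) feed. The Python below is an added example written for this article, not Unit 42’s tooling: it matches the brand-plus-alphanumeric-suffix pattern for the three Campaign Trio brands, marks the TLDs the article lists, and groups hits by ISO week so that a registration burst stands out. The 3-character minimum suffix length and the registration log are constructed assumptions; the 300-per-week threshold is the figure reported above.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Brands the article says Campaign Trio impersonated, and the TLDs it lists.
BRANDS = ("i4tools", "youdao", "deepseek")
ARTICLE_TLDS = {"top", "vip", "rest"}

# Naming convention from the article: brand name, then a seemingly random
# alphanumeric suffix, then a TLD. The 3-character minimum for the suffix is
# an assumption so that a bare brand domain such as youdao.com never matches.
IMPERSONATION_RE = re.compile(
    r"^(?P<brand>" + "|".join(map(re.escape, BRANDS)) + r")"
    r"(?P<suffix>[a-z0-9]{3,})\.(?P<tld>[a-z]{2,})$"
)


def classify(domain):
    """Return (brand, suffix, tld, tld_listed_in_article) or None if no match."""
    m = IMPERSONATION_RE.match(domain.strip().lower())
    if not m:
        return None
    return (m["brand"], m["suffix"], m["tld"], m["tld"] in ARTICLE_TLDS)


def flag_domains(records):
    """records: iterable of (domain, registration_date). Keeps only hits."""
    hits = []
    for domain, registered in records:
        c = classify(domain)
        if c:
            hits.append((domain, registered, c))
    return hits


def weekly_counts(hits):
    """Flagged registrations per ISO (year, week); bursts show up here."""
    counts = Counter()
    for _, registered, _ in hits:
        iso = registered.isocalendar()
        counts[(iso[0], iso[1])] += 1
    return counts


def burst_weeks(hits, threshold=300):
    """Weeks with more flagged registrations than the threshold. 300/week is
    the rate the article reports for mid-February to mid-March 2025."""
    return sorted(week for week, n in weekly_counts(hits).items() if n > threshold)


def build_sample():
    """Constructed NRD feed (not real data): a synthetic burst in ISO week 8 of
    2025, a quiet week after it, and some noise that must not be flagged."""
    monday = date(2025, 2, 17)
    tlds = sorted(ARTICLE_TLDS)
    burst = [(f"{BRANDS[i % 3]}{i:03x}q{i % 7}.{tlds[i % 3]}", monday + timedelta(days=i % 7))
             for i in range(350)]
    quiet = [(f"youdao9k{i}.top", date(2025, 2, 24) + timedelta(days=i)) for i in range(5)]
    noise = [
        ("youdao.com", date(2010, 1, 1)),            # real brand domain, no suffix
        ("example.org", date(2025, 2, 18)),          # unrelated registration
        ("i4tools-support.top", date(2025, 2, 19)),  # hyphenated: not the reported convention
    ]
    return burst + quiet + noise


if __name__ == "__main__":
    hits = flag_domains(build_sample())
    for week, n in sorted(weekly_counts(hits).items()):
        print(f"{week}: {n} impersonation domains")
    print("burst weeks:", burst_weeks(hits))
```

To run this against a real feed, replace build_sample() with (domain, registration date) records from your NRD export. Hyphenated or reordered variants such as i4tools-support.top deliberately do not match, because they are not the convention the report describes; widen the expression only if your own telemetry shows them.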
The malicious files for all of the domains in this first wave were retrieved from a single URL, https[:]//xiazailianjieoss[.]com.

The MSI file, contained in a ZIP archive downloaded by the victim, used a custom action to execute a second-stage executable called [System Proces]5.exe, which in turn downloaded, decoded and executed an obfuscated binary retrieved from the known Gh0st RAT distribution endpoint fs-im-kefu[.]7moor-fs1[.]com.

The May 2025 campaign, dubbed “Campaign Chorus” because it impersonated more than 40 software applications rather than the original three, showed an evolution of both the social engineering and the malware delivery tactics seen in Campaign Trio. This wave of attacks included spoofing of other popular Chinese-language software such as the music streaming app QQ Music and the Sogou web browser.

Campaign Chorus added about 90 more domains in two waves, with the first wave using the prefix guwaanzh in all domains and the second wave using the prefix xiazaizhadia. All of these domains were hosted at the IP address 95[.]173[.]197[.]195, with Wave 1 using the redirection server djbzdhygj[.]com and Wave 2 using the redirection server yqmqhjgn[.]com.

The attackers shifted their payload delivery infrastructure from their own server to a legitimate cloud service bucket, making it more likely that network traffic to and from this service would appear benign. They also adopted a stealthier malware delivery method using a VBScript-based dropper.

In the Campaign Chorus attacks, the malicious MSI file stored multiple data files within its .cab archive and triggered a VBScript that merged these separate files into a single encrypted binary and then decrypted it to produce the next-stage malware. Because no single file inside the package is the payload, and the assembled binary is only ever decrypted at run time, this method strengthens the payload’s resistance to static analysis tools.

The newest campaign also used DLL sideloading for further evasion.
The binaries reconstructed by the VBScript include a legitimate signed executable, wsc_proxy.exe, and the malicious DLL wsc.dll. When wsc_proxy.exe runs, it loads wsc.dll into the legitimate signed process, masking the DLL’s malicious activity behind a trusted binary.

In addition to these two distinct attack waves, the attackers behind Campaign Trio and Campaign Chorus have continuously registered impersonation domains, with new domains registered as recently as October 2025.

Because the attackers’ evolving tactics and evasion methods are designed to defeat static analysis and traditional network defenses, Unit 42 notes that defenders should use behavior-based methods to flag anomalies related to these and other malicious campaigns.

Palo Alto Networks’ analysis comes as Elastic Security Labs also reported a separate Gh0st RAT campaign targeting Chinese users, attributed to the Dragon Breath advanced persistent threat (APT). This campaign uses fake Google Chrome and Microsoft Teams downloads to fool users, abuses Protected Process Light (PPL) to disable Windows Defender, and leverages a custom Windows Defender Application Control (WDAC) policy to block the endpoint detection and response (EDR) tools 360 Total Security and Huorong, which are popular in China.
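Unit 42’s advice to rely on behavior rather than file signatures can be made concrete for the delivery chain this article describes: an MSI custom action launching something from a user-writable path, and a signed host executable loading an unsigned DLL from its own directory. The Python below is an added example written for this article, not Unit 42’s or Elastic’s detection content. The Sysmon-style events are constructed, the file name stage2.exe and all paths are hypothetical, and the assumption that the second stage and the reconstructed wsc_proxy.exe show up as child processes of msiexec.exe is ours; only the wsc_proxy.exe / wsc.dll pair comes from the reporting above.

```python
import ntpath

# Path heuristics. Assumed markers; tune them for the estate you monitor.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed, Sysmon-like events (not telemetry from the campaigns).
# stage2.exe and every path are hypothetical; wsc_proxy.exe / wsc.dll are the
# sideload pair named in the report.
EVENTS = [
    # Trio-style: MSI custom action runs a second-stage exe from Temp
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe"},
    # Chorus-style: reconstructed signed host plus unsigned DLL in AppData
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Users\u\AppData\Roaming\wsc\wsc_proxy.exe"},
    {"type": "imageload", "pid": 201, "image": r"C:\Users\u\AppData\Roaming\wsc\wsc_proxy.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\wsc\wsc.dll", "host_signed": True, "dll_signed": False},
    {"type": "imageload", "pid": 201, "image": r"C:\Users\u\AppData\Roaming\wsc\wsc_proxy.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "host_signed": True, "dll_signed": True},
    # Benign vendor install under Program Files: must not fire
    {"type": "process", "pid": 300, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "pid": 301, "ppid": 300, "image": r"C:\Program Files\Vendor\setup.exe"},
    # Benign per-user app loading its own unsigned DLL: generic rule fires, low severity
    {"type": "process", "pid": 400, "ppid": 1, "image": r"C:\Users\u\AppData\Local\NoteApp\note.exe"},
    {"type": "imageload", "pid": 400, "image": r"C:\Users\u\AppData\Local\NoteApp\note.exe",
     "loaded": r"C:\Users\u\AppData\Local\NoteApp\sqlite3.dll", "host_signed": True, "dll_signed": False},
]


def _norm(path):
    return path.replace("/", "\\").lower()


def in_user_writable(path):
    """True for Temp/AppData/ProgramData-style locations outside the system roots."""
    p = _norm(path)
    return any(m in p for m in USER_WRITABLE) and not p.startswith(SYSTEM_ROOTS)


def process_table(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid, procs):
    """Image basenames from pid up to the root, guarding against ppid loops."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(ntpath.basename(_norm(procs[pid]["image"])))
        pid = procs[pid]["ppid"]
    return names


def rule_msiexec_spawn(procs):
    """msiexec.exe launching a binary from a user-writable path (MSI custom action)."""
    hits = []
    for ev in procs.values():
        parent = procs.get(ev["ppid"])
        if parent and ntpath.basename(_norm(parent["image"])) == "msiexec.exe" \
                and in_user_writable(ev["image"]):
            hits.append({"rule": "msiexec_spawn_user_writable", "severity": "high",
                         "pid": ev["pid"], "chain": ancestry(ev["pid"], procs)})
    return hits


def rule_sideload(events, procs):
    """Signed host loading an unsigned DLL from its own, non-system directory."""
    hits = []
    for ev in events:
        if ev["type"] != "imageload" or ev["dll_signed"] or not ev["host_signed"]:
            continue
        host, dll = _norm(ev["image"]), _norm(ev["loaded"])
        if ntpath.dirname(host) != ntpath.dirname(dll) or host.startswith(SYSTEM_ROOTS):
            continue
        chain = ancestry(ev["pid"], procs)
        pair = (ntpath.basename(host), ntpath.basename(dll))
        known = pair == ("wsc_proxy.exe", "wsc.dll")  # pair named in the report
        hits.append({"rule": "sideload_known_pair" if known else "sideload_generic",
                     "severity": "high" if known or "msiexec.exe" in chain else "low",
                     "pid": ev["pid"], "chain": chain, "dll": pair[1]})
    return hits


def detect(events):
    procs = process_table(events)
    return rule_msiexec_spawn(procs) + rule_sideload(events, procs)


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"].upper(), f["rule"], "pid", f["pid"], "<-".join(f["chain"]))
```

The generic sideload rule also fires on the benign per-user application in the sample; that is why it is scored low unless msiexec.exe appears in the process ancestry or the host/DLL pair is the one named in the report. In production, feed the same parent, child and image-load fields from your EDR telemetry and keep the two rules correlated through the ancestry rather than alerting on either alone.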
Gh0st RAT spread through thousands of software impersonating sites