{
	"id": "a793184d-1907-4758-8cf3-03d0079e1fc2",
	"created_at": "2026-04-06T00:22:00.698399Z",
	"updated_at": "2026-04-10T13:12:00.146158Z",
	"deleted_at": null,
	"sha1_hash": "0d99f6199d12a5f7025bdfec727ac48f29875a22",
	"title": "GhostNet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139911,
	"plain_text": "GhostNet\r\nBy Contributors to Wikimedia projects\r\nPublished: 2009-03-29 · Archived: 2026-04-02 10:55:33 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nGhostNet (simplified Chinese: 幽灵网; traditional Chinese: 幽靈網; pinyin: YōuLíngWǎng) is the name given by\r\nresearchers at the Information Warfare Monitor to a large-scale cyber spying[1][2] operation discovered in March\r\n2009. The operation is likely associated with an advanced persistent threat, or a network actor that spies\r\nundetected.[3] Its command and control infrastructure is based mainly in the People's Republic of China and\r\nGhostNet has infiltrated high-value political, economic and media locations[4] in 103 countries. Computer systems\r\nbelonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile\r\ncenters in India, London and New York City were compromised.\r\nGhostNet was discovered and named following a 10-month investigation by the Infowar Monitor (IWM), carried\r\nout after IWM researchers approached the Dalai Lama's representative in Geneva[5] suspecting that their computer\r\nnetwork had been infiltrated.[6] The IWM is composed of researchers from The SecDev Group and Canadian\r\nconsultancy and the Citizen Lab, Munk School of Global Affairs at the University of Toronto; the research\r\nfindings were published in the Infowar Monitor, an affiliated publication.[7] Researchers from the University of\r\nCambridge's Computer Laboratory, supported by the Institute for Information Infrastructure Protection,\r\n[8]\r\n also\r\ncontributed to the investigation at one of the three locations in Dharamshala, where the Tibetan government-in-exile is located. 
The discovery of the 'GhostNet', and details of its operations, were reported by The New York\r\nTimes on March 29, 2009.[7][9] Investigators focused initially on allegations of Chinese cyber-espionage against\r\nthe Tibetan exile community, such as instances where email correspondence and other data were extracted.[10]\r\nCompromised systems were discovered in the embassies of India, South Korea, Indonesia, Romania, Cyprus,\r\nMalta, Thailand, Taiwan, Portugal, Germany and Pakistan and the office of the Prime Minister of Laos. The\r\nforeign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also\r\ntargeted.[1][11] No evidence was found that U.S. or U.K. government offices were infiltrated, although a NATO\r\ncomputer was monitored for half a day and the computers of the Indian embassy in Washington, D.C., were\r\ninfiltrated.[4][11][12]\r\nSince its discovery, GhostNet has attacked other government networks, for example Canadian official financial\r\ndepartments in early 2011, forcing them off-line. Governments commonly do not admit such attacks, which must\r\nbe verified by official but anonymous sources.[13]\r\nTechnical functionality\r\nEmails that contain contextually relevant information are sent to target organizations. These emails contain\r\nmalicious attachments that, when opened, enable a Trojan horse to access the system.[citation needed] This Trojan\r\nconnects back to a control server, usually located in China, to receive commands. The infected computer will then\r\nexecute the command specified by the control server. 
Occasionally, the command specified by the control server\r\nwill cause the infected computer to download and install a Trojan known as Gh0st RAT that allows attackers to gain\r\ncomplete, real-time control of computers running Microsoft Windows.[4] Such a computer can be controlled or\r\ninspected by attackers, and the software even has the ability to turn on camera and audio-recording functions of\r\ninfected computers, enabling attackers to perform surveillance.[7]\r\nThe researchers from the IWM stated they could not conclude that the Chinese government was responsible for\r\nthe spy network.[14] However, a report from researchers at the University of Cambridge says they believe that the\r\nChinese government is behind the intrusions they analyzed at the Office of the Dalai Lama.[15]\r\nResearchers have also noted the possibility that GhostNet was an operation run by private citizens in China for\r\nprofit or for patriotic reasons, or created by intelligence agencies from other countries such as Russia or the United\r\nStates.[7] The Chinese government has stated that China \"strictly forbids any cyber crime.\"[1][10]\r\nThe \"Ghostnet Report\" documents several unrelated infections at Tibetan-related organizations in addition to the\r\nGhostnet infections. By using the email addresses provided by the IWM report, Scott J. Henderson had managed\r\nto trace one of the operators of one of the infections (non-Ghostnet) to Chengdu. He identifies the hacker as a\r\n27-year-old man who had attended the University of Electronic Science and Technology of China, and is currently\r\nconnected with the Chinese hacker underground.[16]\r\nDespite the lack of evidence to pinpoint the Chinese government as responsible for intrusions against Tibetan-related targets, researchers at Cambridge have found actions taken by Chinese government officials that\r\ncorresponded with the information obtained via computer intrusions. 
One such incident involved a diplomat who\r\nwas pressured by Beijing after receiving an email invitation to a visit with the Dalai Lama from his\r\nrepresentatives.[15]\r\nAnother incident involved a Tibetan woman who was interrogated by Chinese intelligence officers and was shown\r\ntranscripts of her online conversations.[14][17] However, there are other possible explanations for this event.\r\nDrelwa uses QQ and other instant messengers to communicate with Chinese Internet users. In 2008, IWM found\r\nthat TOM-Skype, the Chinese version of Skype, was logging and storing text messages exchanged between users.\r\nIt is possible that the Chinese authorities acquired the chat transcripts through these means.[18]\r\nIWM researchers have also found that when detected, GhostNet is consistently controlled from IP addresses\r\nlocated on the island of Hainan, China, and have pointed out that Hainan is home to the Lingshui signals\r\nintelligence facility and the Third Technical Department of the People's Liberation Army.[4] Furthermore, one of\r\nGhostNet's four control servers has been revealed to be a government server.[clarify][19]\r\nAdvanced persistent threat\r\nChinese intelligence activity abroad\r\nChinese cyberwarfare\r\nChinese espionage in the United States\r\nCyber-warfare\r\nEconomic and industrial espionage\r\nHonker Union\r\nInternet censorship in China\r\nOperation Aurora\r\nRedHack (from Turkey)\r\nTitan Rain\r\nShadow Network\r\n14th Dalai Lama\r\n1. \"Major cyber spy network uncovered\". BBC News. March 29, 2009. Archived from the\r\noriginal on March 30, 2009. Retrieved March 29, 2009.\r\n2. Glaister, Dan (March 30, 2009). \"China Accused of Global Cyberspying\". The Guardian Weekly.\r\nVol. 180, no. 16. London. p. 5. Archived from the original on June 6, 2024. Retrieved April 7, 2009.\r\n3. Sean Bodmer; Dr. 
Max Kilger; Gregory Carpenter; Jade Jones (2012). Reverse Deception: Organized\r\nCyber Threat Counter-Exploitation. McGraw-Hill Osborne Media. ISBN 978-0071772495.\r\n4. Harvey, Mike (March 29, 2009). \"Chinese hackers 'using ghost network to control\r\nembassy computers'\". The Times. London. Archived from the original on March 30, 2009. Retrieved March\r\n29, 2009.\r\n5. \"Tracking GhostNet: Investigating a Cyber Espionage Network\". Archived from the original on July 3,\r\n2017. Retrieved September 9, 2017.\r\n6. \"China denies spying allegations\". BBC News. March 30, 2009. Archived from the original on March 31,\r\n2009. Retrieved March 31, 2009.\r\n7. Markoff, John (March 28, 2009). \"Vast Spy System Loots Computers in 103\r\nCountries\". New York Times. Archived from the original on April 1, 2009. Retrieved March 29, 2009.\r\n8. Shishir Nagaraja, Ross Anderson (March 2009). \"The snooping dragon: social-malware surveillance of\r\nthe Tibetan movement\" (PDF). University of Cambridge. p. 2. Archived (PDF) from the original on April\r\n20, 2009. Retrieved March 31, 2009.\r\n9. \"Researchers: Cyber spies break into govt computers\". Associated Press. March 29, 2009. Archived from\r\nthe original on March 31, 2009. Retrieved March 29, 2009.\r\n10. China-based spies target Thailand. Bangkok Post, March 30, 2009. Retrieved on March\r\n30, 2009.\r\n11. \"Canadians find vast computer spy network: report\". Reuters. March 28, 2009. Archived\r\nfrom the original on March 29, 2009. Retrieved March 29, 2009.\r\n12. \"Spying operation by China infiltrated computers: Report\". The Hindu. March 29, 2009. Archived from\r\nthe original on April 1, 2009. Retrieved March 29, 2009.\r\n13. \"Foreign hackers attack Canadian government\". CBC News. February 17, 2011. 
Archived from the\r\noriginal on February 18, 2011. Retrieved February 17, 2011.\r\n14. Tracking GhostNet: Investigating a Cyber Espionage Network Archived April 8, 2009, at\r\nthe Wayback Machine. Munk Centre for International Studies. March 29, 2009\r\n15. Nagaraja, Shishir; Anderson, Ross (March 2009). \"The snooping dragon: social-malware\r\nsurveillance of the Tibetan movement\" (PDF). Computer Laboratory, University of Cambridge. Archived\r\n(PDF) from the original on April 20, 2009. Retrieved March 29, 2009.\r\n16. Henderson, Scott (April 2, 2009). \"Hunting the GhostNet Hacker\". The Dark Visitor. Archived from the\r\noriginal on April 6, 2009. Retrieved April 2, 2009.\r\n17. U of T team tracks China-based cyber spies Toronto Star March 29, 2009 Archived March 31, 2009, at\r\nthe Wayback Machine\r\n18. \"BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype\r\nplatform\" (PDF). Archived (PDF) from the original on March 24, 2012. Retrieved June 24, 2009.\r\n19. Meet the Canadians who busted Ghostnet Archived December 9, 2011, at the Wayback Machine The\r\nGlobe and Mail March 29, 2009\r\nThe SecDev Group\r\nCitizen Lab at the University of Toronto\r\nTracking GhostNet: Investigating a Cyber Espionage Network (Infowar Monitor Report (SecDev and\r\nCitizen Lab), March 29, 2009)\r\nF-Secure Mirror of the report PDF\r\nInformation Warfare Monitor - Tracking Cyberpower (University of Toronto, Canada/Munk Centre)\r\nTwitter: InfowarMonitor\r\nKelly, Cathal (March 31, 2009). \"Cyberspies' code a click away - Simple Google search quickly finds link\r\nto software for Ghost Rat program used to target governments\". Toronto Star (Canada). Toronto, Ontario,\r\nCanada. Retrieved April 4, 2009.\r\nLee, Peter (April 8, 2009). \"Cyber-skirmish at the top of the world\". Asia Times Online. 
Archived from the\r\noriginal on April 10, 2009. Retrieved April 9, 2009.\r\nBodmer, Kilger, Carpenter, \u0026 Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0071772499, ISBN 978-0071772495\r\nSource: https://en.wikipedia.org/wiki/GhostNet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/GhostNet"
	],
	"report_names": [
		"GhostNet"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c398d083-1e86-4cee-8937-eb057f0e6fdc",
			"created_at": "2022-10-25T16:07:24.172423Z",
			"updated_at": "2026-04-10T02:00:04.888972Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "ETDA:Shadow Network",
			"tools": [
				"ShadowNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "172e5e21-e954-4322-9317-41f2cbaed7f1",
			"created_at": "2023-01-06T13:46:38.992713Z",
			"updated_at": "2026-04-10T02:00:03.174179Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "MISPGALAXY:Shadow Network",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d99f6199d12a5f7025bdfec727ac48f29875a22.pdf",
		"text": "https://archive.orkl.eu/0d99f6199d12a5f7025bdfec727ac48f29875a22.txt",
		"img": "https://archive.orkl.eu/0d99f6199d12a5f7025bdfec727ac48f29875a22.jpg"
	}
}