{
	"id": "34f768b2-d5fb-4869-8997-e3955d75f14e",
	"created_at": "2026-04-06T00:17:32.231699Z",
	"updated_at": "2026-04-10T03:22:01.981356Z",
	"deleted_at": null,
	"sha1_hash": "3a0edf0ff1855d507297a7687ebf6d7801fa4ee0",
	"title": "RAT used by Chinese cyberspies infiltrating Indian businesses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1334813,
	"plain_text": "RAT used by Chinese cyberspies infiltrating Indian businesses\r\nBy Pavankumar Chaudhari\r\nPublished: 2020-12-18 · Archived: 2026-04-05 21:05:42 UTC\r\nA few months back, Delphi-based malware was being distributed to multiple systems via an SMB exploit. The payloads used by this malware have close similarities with the open-source Gh0st RAT code. Gh0st has been used by Chinese threat actors to target multiple agencies in Asia. Gh0st is a Remote Access Trojan with multiple capabilities, including keylogging, microphone surveillance, download and execution of payloads from remote servers, restarting computers, and opening a remote shell on infected systems.\r\nWe have observed this malware targeting important institutions in India such as:\r\nBanks\r\nRailways\r\nMilk Distributors\r\nHospitals and Pharmaceuticals\r\nAgro Industries\r\nFood Production Industries\r\nAfter analysis, it was found that this malware creates two different payloads, app.exe and mfc.exe. After execution, both executables extract DLLs into the System32 folder of the Windows directory and register them as services for persistence. The bulk of the code in all extracted payloads shares similarities with the open-source code of Gh0st RAT.\r\nTechnical Analysis\r\nPayload 1 – app.exe\r\nThis executable has an embedded DLL file stored in reverse order, as shown in the figure below.\r\nhttps://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/\r\nPage 1 of 11\n\nFigure 1: Embedded DLL in app.exe\r\nThis embedded binary is decrypted and written to the %SYSTEMROOT%\\System32\\ folder. The code below shows the decryption loop; the DLL file name is generated from the return value of the GetTickCount() API, so it varies from one infection to the next and is not a useful indicator on its own.\r\nFigure 2: Decryption loop.\r\nApp.exe then registers this DLL as a service by calling its exported Install function. 
Below are the details of the service:\r\nServiceName: csrss\r\nDisplayName: Security Manager Accounts\r\nDesiredAccess: SERVICE_ALL_ACCESS\r\nServiceType: SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS\r\nStartType: SERVICE_AUTO_START\r\nErrorControl: SERVICE_ERROR_IGNORE\r\nBinaryPathName: %SystemRoot%\\System32\\svchost.exe -k “csrss”\r\nBoth names are lookalikes: csrss.exe is a legitimate Windows system process (the Client/Server Runtime Subsystem), but it is not a service and there is no legitimate svchost service group named csrss, and the display name imitates the real Security Accounts Manager (SamSs) service. A service with this name and this BinaryPathName is therefore a reliable hunting indicator regardless of the randomised DLL name.\r\nThe exported functions of the DLL are as below:\r\nDllUpdate\r\nInstall\r\nMainThread\r\nServiceMain\r\nUninstall\r\nC2 Functions\r\nMultiple C2 commands are present in the Gh0st RAT code. Some of the C2 functions observed by static analysis of the DLL are as below:\r\nShutdown System\r\nOpen URL\r\nDownload and Execute File\r\nFind Process\r\nClean Event Logs\r\nShutdown System\r\nThis function enables the shutdown privilege (SeShutdownPrivilege) on its access token and then calls the ExitWindowsEx() function to shut down the system.\r\nFigure 3: Shutdown System\r\nDownload and Execute File\r\nThis function downloads a specific file from the C2 server and executes it.\r\nFigure 4: Download and execute file\r\nFind Process\r\nThis function searches for a specific process by calling the process enumeration APIs.\r\nFigure 5: Find process among the running processes\r\nOpen URL\r\nThis function creates an iexplore.exe process with a specified URL.\r\nFigure 6: Open URL\r\nClean Event Logs\r\nThis function clears the Application, Security, and System event logs. Clearing the logs is itself logged: Windows records Event ID 1102 in the Security log and Event ID 104 in the System log when they are cleared, so those events are a useful detection for this command.\r\nFigure 7: Clear event logs\r\nPayload 2 – mfc.exe\r\nThe second executable dropped by the main payload is mfc.exe, which carries an embedded executable in a resource named “BIN”.\r\nFigure 
8: Embedded DLL in the resource.\r\nWhen this payload runs, it drops a DLL with a random name from the above resource into the System32 folder and installs it as a service named “NetworkServices” on the infected system. After writing the DLL into the System32 folder, mfc.exe calls the Install() function of the DLL. There is no legitimate Windows service with this name; it mimics the built-in NetworkService account and svchost service group, so the plural form is another name worth hunting for.\r\nThis DLL has four exported functions, as below:\r\nInstall\r\nLaunch\r\nServiceMain\r\nUnInstall\r\nBelow are the C2 commands observed in this sample:\r\nInstall Keyboard Hook\r\nProcess Enumeration\r\nRemote Shell\r\nAudio Capture\r\nDownload and Execute File\r\nInstall Keyboard Hook\r\nFigure 9 shows that a thread is created to install a keyboard hook. All keylogging data is written to a file named “syslog.dat”.\r\nFigure 10 shows the equivalent keylogger code from the open-source Gh0st RAT.\r\nFigure 9: Install keyboard hook\r\nFigure 10: Keylogger function from open-source Gh0st RAT code.\r\nProcess Enumeration\r\nThis function lists the running processes and enumerates the modules loaded in each of them.\r\nFigure 11: Process listing function\r\nRemote Shell\r\nThis function creates a remote shell that accepts and executes any command sent by the operator.\r\nFigure 12: Function to get a remote shell\r\nAudio Capture\r\nThis function records audio with the help of functions such as waveInOpen(), waveInStart(), and waveInStop().\r\nFigure 13: Function for audio recording\r\nDownload and 
Execute File\r\nThis function downloads an executable file from a remote server and executes it.\r\nFigure 14: Download and execute the payload\r\nIOCs (MD5)\r\nFF6511DE176A434FA2F7C939795A13CC\r\nA6CC92A1993F040E87090F8B89836332\r\n550C055339A9FEC141997CDA3F32FD0A\r\nA2B75BD7254997BEC6A19D752E26FA50\r\n4B8C6D70A186FEC7C79D5B52B2FF0E76\r\nE22E5A85ED5294B179EBD416EEB5BEBB\r\n5CE36CBD7D4A58A1B1A8C5B7BE194F23\r\nE94F9AF9EA11301831AAA1BDE34D3DEB\r\n23D4EC869960CE02865C98F64581136A\r\n367150E5DA2ED1BFAAE9210105BCEEA1\r\nBFB095C595FAA47CBFD4AB6199A7E297\r\nCA07E26D95D927953197840EA93EDD03\r\n6B8A19DF9827CFB95F6461FEF9929F83\r\n7DC43FCA774E612BF611ACD882400308\r\n1127149CB5378FCA7181F81EB8149FC9\r\nF1E921F5730919E946D9A64019867E13\r\nB80A559CD7D48C9D3115A013EA662263\r\n9403464BB99D87A02667E3E5DBA4A57C\r\nAlerts\r\nConclusion\r\nThese samples are modified variants of Gh0st RAT, and the actors are constantly updating them to evade AV detection. The samples and TTPs seen in victim organizations are mostly associated with China-based APT groups. We have been following these samples for the last month but have been unable to identify the initial attack vector. As they are targeted at specific industries, we expect to find more malware associated with these attack chains. Interestingly, a few of the victims were also infected with Monero miners during the same period. We will be closely monitoring the campaign to hunt for the entire infection chain.\r\nSubject matter experts\r\nPavankumar Chaudhari\r\nKalpesh Mantri\r\nSource: https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/"
	],
	"report_names": [
		"rat-used-by-chinese-cyberspies-infiltrating-indian-businesses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a0edf0ff1855d507297a7687ebf6d7801fa4ee0.pdf",
		"text": "https://archive.orkl.eu/3a0edf0ff1855d507297a7687ebf6d7801fa4ee0.txt",
		"img": "https://archive.orkl.eu/3a0edf0ff1855d507297a7687ebf6d7801fa4ee0.jpg"
	}
}