{
	"id": "5ca7f2d0-784c-4316-8738-8aaee7ea936f",
	"created_at": "2026-04-06T00:07:10.875605Z",
	"updated_at": "2026-04-10T03:21:40.987241Z",
	"deleted_at": null,
	"sha1_hash": "55c698b83736e5e48664d93889de6cb45904efea",
	"title": "New GhostAdmin Malware Used for Data Theft and Exfiltration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1806162,
	"plain_text": "New GhostAdmin Malware Used for Data Theft and Exfiltration\r\nBy Catalin Cimpanu\r\nPublished: 2017-01-17 · Archived: 2026-04-05 19:24:57 UTC\r\nSecurity researcher MalwareHunterTeam discovered today a new malware family that can infect computers and allow crooks to take control of these PCs using commands sent via an IRC channel.\r\nNamed GhostAdmin, this threat is part of the \"botnet malware\" category. According to current information, the malware is already distributed and deployed in live attacks, being used to possibly target at least two companies and steal hundreds of GBs of information.\r\nCrooks control GhostAdmin victims via IRC commands\r\nAccording to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.\r\nhttps://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/\r\nPage 1 of 7\r\nUnder the hood, GhostAdmin is written in C# and is already at version 2.0. The malware works by infecting computers, gaining boot persistence, and establishing a communications channel with its command and control (C&C) server, which is an IRC channel.\r\nGhostAdmin's authors access this IRC channel and issue commands that are picked up by all connected bots (infected computers).\r\nThe malware can interact with the victim's filesystem, browse to specific URLs, download and execute new files, take screenshots, record audio, enable remote desktop connections, exfiltrate data, delete log files, interact with local databases, wipe browsing history and more. A full list of available commands is available via the image below:\r\nGhostAdmin IRC commands\r\nThe malware's features revolve around the ability to collect data from infected computers and silently send it to a remote server.\r\nGhostAdmin operates based on a configuration file. Among the settings stored in this file, there are FTP and email credentials.\r\nThe FTP credentials are for the server where all the stolen information is uploaded, such as screenshots, audio recordings, keystrokes and more.\r\nOn the other hand, the email credentials are used to send an email to the GhostAdmin author every time a victim executes his malware, and also to send error reports.\r\nGhostAdmin source code: Function to send an email when infecting new host\r\nGhostAdmin source code: Function to send an email when malware execution generates an error\r\nMalwareHunterTeam says that the GhostAdmin version he analyzed was compiled by a user that used the nickname \"Jarad.\"\r\nLike almost all malware authors before him, Jarad managed to infect his own computer. Using the FTP credentials found in the malware's configuration file, MalwareHunterTeam found screenshots of the GhostAdmin creator's desktop on the FTP server.\r\nDesktop of GhostAdmin author\r\nFurthermore, the researcher also found on the same server files that appeared to be stolen from GhostAdmin victims. The possible victims include a lottery company and an Internet cafe. From the Internet cafe alone, the crook has apparently collected 368GB of data.\r\n368GB file downloaded from GhostAdmin FTP server\r\nFrom the lottery company, the GhostAdmin botmaster appears to have stolen a database holding information such as names, dates of birth, phone numbers, emails, addresses, employer information, and more.\r\nDatabase found on the GhostAdmin FTP server\r\nAt the time of writing, according to MalwareHunterTeam, the botnet's IRC channel includes only around ten bots, an approximate victim headcount.\r\nCompared to other botnet malware families such as Necurs or Andromeda, which have millions of bots, GhostAdmin is only just claiming its first victims. Despite the currently low numbers, GhostAdmin could grow to those figures as well if its author ever wanted to run a spam botnet like Necurs and Andromeda. In its current form, GhostAdmin and its botmaster seem to be focused on data theft and exfiltration.\r\nAt the time of writing, GhostAdmin's detection rate on VirusTotal was only 6 out of 55 (sample here).\r\nSource: https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"
	],
	"report_names": [
		"new-ghostadmin-malware-used-for-data-theft-and-exfiltration"
	],
	"threat_actors": [],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55c698b83736e5e48664d93889de6cb45904efea.pdf",
		"text": "https://archive.orkl.eu/55c698b83736e5e48664d93889de6cb45904efea.txt",
		"img": "https://archive.orkl.eu/55c698b83736e5e48664d93889de6cb45904efea.jpg"
	}
}