{
	"id": "cb0595c8-5067-4eff-b6bd-00df545d3e5d",
	"created_at": "2026-04-06T00:10:25.260356Z",
	"updated_at": "2026-04-10T03:35:25.412045Z",
	"deleted_at": null,
	"sha1_hash": "baf1923e15963467f6727f89cd652129626e142c",
	"title": "Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 242582,
	"plain_text": "Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After\r\nRelease\r\nArchived: 2026-04-05 19:55:04 UTC\r\nFound in Environments Protected By: Proofpoint\r\nBy Nathaniel Raymond, Cofense Intelligence\r\nGh0st RAT, a decades-old open-source remote administration tool (RAT), recently appeared in phishing\r\ncampaigns targeting a healthcare organization. Gh0st Remote Administration Tool was created by a Chinese\r\nhacking group named C. Rufus Security Team that released it publicly in 2008. The public release of Gh0st RAT\r\nsource code made it easy for threat actors to obtain and tailor the tool to their needs. Its feature set expanded over\r\nthe years to include various surveillance, persistence, and information-stealing capabilities:\r\nTaking full control of the infected machine\r\nRecording keystrokes in real time with offline logging available\r\nAccessing live web cam feeds including microphone recording\r\nDownloading files remotely\r\nRemote shutdown and reboot\r\nDisabling user input\r\nOver Gh0st RAT’s long life, Chinese nation-state threat actors have used it to breach high-value targets such as\r\ngovernments, embassies, economic targets, and media. One such breach was the operation known as “GhostNet”\r\nin 2009, in which a large-scale cyber-attack used Gh0st RAT to conduct surveillance and espionage. The breach\r\nimpacted the Dalai Lama’s Tibetan exile centers in multiple countries.\r\nAlthough Gh0st RAT was first identified in reports of threat activity almost 15 years ago, it is still actively\r\ndistributed today. Cofense Intelligence identified an email targeting a European-owned medical technology\r\norganization located in China, attempting to deliver Gh0st RAT via an embedded link. The embedded link that\r\nhosted the malware was affiliated with Tencent and based in Hong Kong. 
The sample’s command and control (C2)\r\nserver is also located on the CHINANET Jiangsu province network in the city of Nanjing.\r\nhttps://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/\r\nPage 1 of 4\n\nFigure 1: A screenshot of the recent phishing email used to deliver Gh0st RAT via an embedded link.\r\nFigure 2: A translation of the body of the recent Gh0st RAT campaign shows that it used an unpaid invoice as a\r\ntheme.\r\nAlthough Gh0st RAT has a history of use by nation-state threat actors, Cofense Intelligence does not have\r\nconclusive evidence that this recent campaign is associated with known nation-state activity. The activity we\r\nobserved shares certain characteristics with some advanced persistent threat (APT) groups, including\r\nAPT27, which is known for intellectual property theft against healthcare and technology companies, and is also\r\nknown for the use of Gh0st RAT. However, since Gh0st RAT’s source code is publicly available, it remains\r\nplausible that any threat actor could download and modify the code for their own needs. With Chinese universities\r\n(including more than one in Nanjing) being heavily involved in training talent for the Chinese defense industry, it\r\nis also plausible that students or other threat actors that are at times associated with APT groups may be carrying\r\nout independent threat activity using tools they are familiar with.\r\nFigure 3: Details of the recent Gh0st RAT sample’s C2 server on the network information service Shodan.\r\nIndicators of Compromise\r\nAll third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise,\r\nremain the property of their respective holders, and use of these trademarks in no way indicates any relationship\r\nbetween Cofense and the holders of the trademarks. Any observations contained in this blog regarding\r\ncircumvention of end point protections are based on observations at a point in time based on a specific set of\r\nsystem configurations. Subsequent updates or different configurations may be effective at stopping these or similar\r\nthreats. Past performance is not indicative of future results.\r\nThe Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos\r\ndisplayed on this blog are registered trademarks or trademarks of Cofense Inc.\r\nSource: https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/"
	],
	"report_names": [
		"open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775792125,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/baf1923e15963467f6727f89cd652129626e142c.pdf",
		"text": "https://archive.orkl.eu/baf1923e15963467f6727f89cd652129626e142c.txt",
		"img": "https://archive.orkl.eu/baf1923e15963467f6727f89cd652129626e142c.jpg"
	}
}