{
	"id": "61be2866-9f2b-4f4d-8f5e-dc2337f2d0fd",
	"created_at": "2026-04-06T00:12:18.081986Z",
	"updated_at": "2026-04-10T03:20:23.503077Z",
	"deleted_at": null,
	"sha1_hash": "c77917fcbceaa77b60dd498165f13694aa361b54",
	"title": "Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1332090,
	"plain_text": "Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth\r\nBy Elizabeth Montalbano\r\nPublished: 2024-05-22 · Archived: 2026-04-05 17:39:11 UTC\r\nSource: Jack Maguire via Alamy Stock Photo\r\nA novel malware that targets vulnerable drivers to terminate and thus evade endpoint detection and response (EDR) solutions has come to light, for now used in service of an elaborate cryptomining campaign.\r\nResearchers at Elastic Security Labs identified what they are calling an \"intrusion set\" dubbed \"REF4578\" that uses a multimodal malware called GhostEngine, which can disable EDR, they revealed in a blog post published today. The attack also demonstrates capabilities to establish persistence and install a previously undocumented backdoor, in addition to executing a cryptominer.\r\n\"GhostEngine leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere with the deployed and well-known coin miner,\" Elastic researchers Salim Bitam, Samir Bousseaden, Terrance DeJesus, and Andrew Pease wrote in the post. \"This campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the XMRig miner.\"\r\nMeanwhile, a team at Antiy Labs also observed the attacks, calling the payload \"Hidden Shovel\" and characterizing it as a \"mining Trojan\" that delivers a two-stage approach to disabling EDR and installing a backdoor, according to a blog post.\r\nhttps://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth\r\nPage 1 of 3\r\nUltimately, the goal of the campaign as described by both sets of researchers is to take out the security barriers present in a corporate network and use it to mine cryptocurrency without administrators detecting the action. The legitimate miner XMRig leveraged by attackers is used for mining Monero.\r\nNeither security team outlined which organizations or individuals are the targets of the campaign, nor did they identify which threat actor might be behind it.\r\nThe GhostEngine Attack Vector\r\nAs described by Elastic, REF4578's initial intrusion occurs with the execution of a PE file named Tiworker.exe that impersonates the legitimate Windows TiWorker.exe file.\r\n\"This file downloads and executes a PowerShell script that orchestrates the entire execution flow of the intrusion,\" the researchers wrote. This process downloads attacker tools, GhostEngine malware modules, and configurations from the attacker's command-and-control (C2) server.\r\nGhostEngine then proceeds to download and execute its various attack modules on the machine. Its tasks also include purging the system of remnants of prior infections belonging to the same family of malware but from different campaigns, as well as attempting to disable Windows Defender and clear various Windows event log channels.\r\nThe malware also has a persistence mechanism and a process for downloading its modules on the infected system. These modules \"can tamper with security tools, create a backdoor, and check for software updates,\" the Elastic researchers wrote.\r\nMost interestingly, the modules include an EDR agent controller and miner module that primarily terminates any active EDR agent processes before downloading and installing a cryptominer. It's written in C++ and has redundancy built into its operation, according to Elastic. It also includes a PowerShell script that functions like a backdoor, enabling remote command execution on the system. Elastic researchers also extracted the configuration file from the XMRig miner used in the campaign, \"which was tremendously valuable, as it allowed us to report on the Monero Payment ID and track the worker and pool statistics, mined cryptocurrency, transaction IDs, and withdrawals,\" they wrote.\r\nDetecting GhostEngine\r\nAs attackers have been known to mount attacks that evade EDR solutions before, it's important for defenders to identify how to detect when these barriers have been breached.\r\nIn terms of the GhostEngine malware, its first objective is to incapacitate endpoint security solutions and disable specific Windows event logs — such as security and system logs, which record process creation and service registration.\r\nAs such, the researchers recommended that organizations prioritize the detection and prevention of these initial actions to detect its presence on a network, including: suspicious PowerShell execution; execution from unusual directories; elevating privileges to system integrity; and deploying vulnerable drivers and establishing associated kernel mode services.\r\n\"Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM,\" the Elastic researchers wrote.\r\nFurther, network traffic may be identifiable if DNS lookups point to known mining pool domains over well-known ports such as HTTP (80) and HTTPS (443), the researchers noted. Meanwhile, Stratum is another popular network protocol for miners, by default over port 4444, they said.\r\nDetection rules and behavior prevention events associated with the campaign include the following: suspicious PowerShell downloads; service control spawned via Script Interpreter; local scheduled task creation; process execution from an unusual directory; unusual parent-child relationship; clearing Windows event logs; and tampering with Microsoft Windows Defender, among others.\r\nAbout the Author\r\nContributing Writer\r\nElizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.\r\nSource: https://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth"
	],
	"report_names": [
		"novel-edr-killing-ghostengine-malware-stealth"
	],
	"threat_actors": [],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c77917fcbceaa77b60dd498165f13694aa361b54.pdf",
		"text": "https://archive.orkl.eu/c77917fcbceaa77b60dd498165f13694aa361b54.txt",
		"img": "https://archive.orkl.eu/c77917fcbceaa77b60dd498165f13694aa361b54.jpg"
	}
}