A recent malware campaign highlights a shift toward multi-payload attack strategies, combining adware with a powerful remote access trojan such as Gh0st RAT. This approach enables attackers to achieve both short-term monetization and long-term system compromise while reducing detection risk.
The campaign leverages obfuscated loaders, covert persistence mechanisms, and advanced evasion techniques, including DNS manipulation, registry abuse, and misuse of legitimate system utilities. These capabilities allow attackers to maintain control over compromised systems while performing credential theft, network discovery, and surveillance. The evolution toward bundled malware delivery underscores the need for behaviour-driven detection and proactive threat hunting.
The campaign uses an obfuscated loader to deliver two encrypted payloads: adware (CloverPlus) and the Gh0st RAT client DLL. The loader decrypts and executes the RAT via rundll32.exe from a randomly generated directory to evade signature-based detection.
Once executed, Gh0st RAT establishes persistence through registry run keys and Windows services, including misuse of the RemoteAccess service. It elevates privileges by enabling SeDebugPrivilege, allowing interaction with system-level processes.
The malware performs system and network reconnaissance by collecting user information, MAC addresses, and disk identifiers. It also incorporates anti-analysis techniques such as virtual machine detection, process termination, and artifact removal.
Network manipulation is a key capability, with the malware altering DNS behavior by spoofing responses, modifying the hosts file, and flushing the DNS cache to block access to security-related domains. It retrieves command-and-control infrastructure using a dead drop resolver technique and supports delayed execution via ping-based sleep. Additional functionality includes remote command execution and targeted keylogging of Remote Desktop sessions, enabling credential theft and lateral movement. The details and technicalities of the attack campaign are discussed further below.
The campaign is delivered through an obfuscated loader, typically distributed via bundled software downloads, malicious advertisements, or phishing attachments. The loader conceals multiple encrypted payloads, allowing it to bypass initial detection.
The infection chain was identified as follows.
The malware demonstrates extensive capabilities focused on persistence, stealth, and control. Privilege escalation is achieved through SeDebugPrivilege, enabling deep system interaction and data extraction. Persistence mechanisms include registry modifications and service creation, ensuring continued execution across reboots.
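The behaviours described above (a RAT DLL launched by rundll32.exe from a random user-writable directory, run-key and service persistence including the RemoteAccess service, hosts-file writes, DNS cache flushing, and ping-based sleep) are all visible in ordinary endpoint telemetry. The following is an added detection example, not code from the original report: it runs a handful of rules over constructed Sysmon-style events. The event shape, the paths, the SID, the directory name `kq8z1m` and the value names are all invented placeholders, and the trusted-path list is an assumption a deployment would tune.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified Sysmon-like shape (not real campaign data).
# Paths, SIDs, directory names and value names are invented placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\kq8z1m\core.dll",Start'},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\victim\AppData\Local\Temp\kq8z1m\launch.exe"},
    {"type": "registry_set",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\ServiceDll",
     "details": r"C:\Users\victim\AppData\Local\Temp\kq8z1m\core.dll"},
    {"type": "file_write", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "process_create", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /flushdns"},
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 120 127.0.0.1"},
    {"type": "process_create", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 10.0.0.5"},  # benign connectivity check
]

# Assumed list of directories from which rundll32 normally loads DLLs (tune per environment).
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SERVICE_KEY_RE = re.compile(
    r"^hk(lm|ey_local_machine)\\system\\(currentcontrolset|controlset\d+)\\services\\([^\\]+)\\", re.I)
# ping against loopback with a large count is a common sleep substitute; capture the count.
PING_SLEEP_RE = re.compile(r"ping(\.exe)?\s+(-n\s+(\d+)\s+)?(127\.0\.0\.1|localhost)", re.I)
HOSTS_SUFFIX = "\\drivers\\etc\\hosts"
PING_SLEEP_MIN_COUNT = 10  # assumption: 10+ echo requests to loopback is a delay, not a test


def rundll32_dll_path(cmdline: str):
    """Return the DLL path argument of a rundll32 command line (quoted or bare), or None."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):
        end = arg.find('"', 1)
        return arg[1:end] if end > 0 else arg[1:]
    # bare form: path,EntryPoint [args]
    return arg.split(",", 1)[0].split()[0]


def analyze(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the rules to each event and return (rule_name, detail) pairs in event order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image = ev["image"].lower()
            cmd = ev.get("cmdline", "")
            if image.endswith("\\rundll32.exe"):
                dll = rundll32_dll_path(cmd)
                if dll and not dll.lower().startswith(TRUSTED_DLL_PREFIXES):
                    findings.append(("rundll32_untrusted_dll", dll))
            elif image.endswith("\\ipconfig.exe") and "/flushdns" in cmd.lower():
                findings.append(("dns_cache_flush", cmd))
            else:
                m = PING_SLEEP_RE.search(cmd)
                if m and m.group(3) and int(m.group(3)) >= PING_SLEEP_MIN_COUNT:
                    findings.append(("ping_sleep", cmd))
        elif kind == "registry_set":
            target = ev["target"]
            if RUN_KEY_RE.search(target):
                findings.append(("run_key_persistence", target))
            m = SERVICE_KEY_RE.search(target)
            if m:
                findings.append(("service_modification", m.group(3)))  # service name
        elif kind == "file_write" and ev["target"].lower().endswith(HOSTS_SUFFIX):
            findings.append(("hosts_file_write", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

Individually, a run-key write or a DNS flush is noise; the value of the rules is in correlating them on one host within a short window, which is what a hunt query built from these conditions should do. The benign rundll32 and ping events in the sample are there to show that the rules key on the argument (DLL location, loopback target and count), not on the process name alone.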
The malware conducts detailed reconnaissance, collecting system and network identifiers to profile infected hosts. Anti-analysis features such as virtual environment detection and process termination reduce the likelihood of detection.
DNS manipulation plays a central role, with the malware intercepting and altering domain resolution to block access to security services and maintain control. The use of a dead drop resolver adds a layer of obfuscation by retrieving command-and-control details from seemingly legitimate sources.
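Because hosts-file tampering survives a DNS cache flush and a reboot, a periodic integrity check of the file itself complements the process-level telemetry. The following is an added example, not code from the original report: it parses hosts-file content and classifies entries that sinkhole (loopback or 0.0.0.0) or redirect domains a defender cares about. The sample content is constructed, the domains use the reserved `.invalid` TLD as stand-ins for real security-vendor hosts, and the watchlist is an assumption that a deployment would replace with its own vendors' update and telemetry domains.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts-file content: the first lines mimic the stock Windows header, the rest
# are invented overrides. The domains are placeholders, not real vendors.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0    update.example-av.invalid          # null-routed security update domain
127.0.0.1  www.example-security.invalid telemetry.example-security.invalid
192.0.2.10 download.example-av.invalid        # redirected to a non-loopback host
127.0.0.1  dev.local
"""

# Assumed watchlist: domains (and their subdomains) whose resolution must not be overridden.
WATCHLIST = ("example-av.invalid", "example-security.invalid")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and malformed lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises IPv4/IPv6 text
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def on_watchlist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify overrides as (kind, hostname, ip); stock localhost entries are skipped."""
    findings: List[Tuple[str, str, str]] = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if on_watchlist(name):
            kind = "security_domain_sinkholed" if ip in SINKHOLE_IPS else "security_domain_redirected"
            findings.append((kind, name, ip))
        elif ip in SINKHOLE_IPS:
            # any other domain pinned to loopback is worth a look but is often a developer alias
            findings.append(("other_domain_sinkholed", name, ip))
    return findings


if __name__ == "__main__":
    for kind, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:28} {name} -> {ip}")
```

On a live host the content would be read from `%SystemRoot%\System32\drivers\etc\hosts`; the redirect case (a watched domain pointed at a routable address) is the more dangerous of the two outcomes, since an update or telemetry client may then talk to a host the attacker controls rather than simply failing.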
Keylogging capabilities, particularly targeting Remote Desktop sessions, enable attackers to capture credentials and facilitate lateral movement. Combined with delayed execution techniques, these capabilities ensure long-term persistence and operational stealth.
Gh0st RAT has historically been associated with cyber espionage and cybercrime operations. This campaign demonstrates its continued evolution by integrating with modern, multi-payload delivery frameworks.
The inclusion of adware alongside a high-impact RAT reflects a hybrid monetization strategy in which attackers combine immediate financial gain with sustained access. This highlights how legacy malware families remain relevant by adapting to evolving threat landscapes.
The campaign appears to be opportunistic and widely distributed rather than targeted. It impacts a broad range of users and organizations globally through common infection vectors such as software downloads and online advertisements.
The use of public web services for command-and-control resolution enables flexible and geographically distributed operations, increasing the campaign’s reach and resilience.
This campaign demonstrates the increasing sophistication of malware delivery strategies, where multiple payloads are combined to maximize effectiveness while minimizing detection. The integration of stealth, persistence, and modular functionality allows attackers to maintain prolonged access within compromised environments.
Organizations must adopt layered security strategies that emphasize behavioural monitoring, proactive threat hunting, and continuous visibility to effectively defend against such evolving threats.
The impact of this campaign is significant, ranging from system compromise through Gh0st RAT to degraded user experience caused by adware. Attackers can steal credentials, maintain persistent access, exfiltrate sensitive data, and move laterally across networks.
DNS manipulation further increases risk by blocking access to security updates and protective services. If undetected, the campaign can lead to long-term unauthorized access, operational disruption, and data breaches.