Chinese Hackers Launch Targeted Campaign to Infect Windows Systems with Ghost RAT and PhantomNet Malware

Zscaler ThreatLabz, in collaboration with TibCERT, has uncovered two linked attack campaigns dubbed Operation GhostChat and Operation PhantomPrayers, attributed with high confidence to a China-nexus advanced persistent threat (APT) group.

These operations targeted the Tibetan community by capitalizing on heightened online activity surrounding the Dalai Lama’s 90th birthday on July 6, 2025.

Exploiting Cultural Events for Cyber Espionage

The attackers compromised legitimate websites, such as tibetfund.org, replacing benign links with malicious redirects to subdomains under niccenter[.]net, which impersonated trusted platforms.

Webpage crafted by threat actor

This social engineering lured victims into downloading trojanized software themed around Tibetan cultural events, initiating multi-stage infection chains that deployed either Ghost RAT or PhantomNet (also known as SManager) backdoors.

These malware variants, commonly associated with Chinese state-sponsored actors, enabled persistent access, data exfiltration, and command execution on compromised Windows systems.

The campaigns employed advanced evasion techniques, including DLL sideloading, shellcode injection, and encrypted payloads to bypass endpoint detection and response (EDR) solutions.

In Operation GhostChat, victims were redirected to a fake site mimicking the Element chat application, downloading a ZIP archive containing a legitimate but vulnerable Element.exe that sideloaded a malicious ffmpeg.dll.

Multi-stage attack chain for Operation GhostChat.

This stage-1 loader resolved APIs dynamically using low-level Nt* and Rtl* functions, mapped a fresh ntdll.dll from disk to overwrite user-mode hooks, and injected 32-bit shellcode into ImagingDevices.exe via shared memory sections.

The stage-2 reflective loader decompressed and executed a Ghost RAT variant, which communicated with its C2 server at 104.234.15[.]90:19999 using a custom TCP binary protocol encrypted with an RC4-like algorithm.

Ghost RAT’s modular plugin, config.dll, supported commands for file manipulation, screen capture, keylogging, audio/video recording, and system shutdown, all derived from analysis of similar variants.

Advanced Malware Tactics

Operation PhantomPrayers mirrored this approach but distributed a PyQt5-based executable, DalaiLamaCheckin.exe, posing as a “special prayer check-in” tool.

This binary created a GUI with Folium-generated maps to feign legitimacy, while covertly copying a vulnerable VLC.exe and malicious libvlc.dll to %appdata%\Birthday for sideloading.

Persistence was established via a Startup shortcut, and the stage-1 loader decrypted dual-layer encrypted shellcode (RC4 followed by AES-128 CBC) from a .tmp file, leading to a stage-2 reflective loader and the PhantomNet backdoor.

PhantomNet connected to 45.154.12[.]93:2233 over TCP with AES-encrypted traffic, utilizing plugin DLLs for modular functionality, including system information gathering and timed operations, as seen in prior campaigns like Operation SignSight.

Attribution to Chinese APT groups stems from victimology focused on the Tibetan diaspora, the exclusive use of Ghost RAT and PhantomNet, tools linked to actors like TA428, and tailored tactics, techniques, and procedures (TTPs) such as code injection (T1055.002), native API abuse (T1106), and obfuscated payloads (T1027 variants).

According to the report, Zscaler’s platform detects these threats as Win64.Trojan.PhantomNet and Win32.Backdoor.GhostRAT, aligning with MITRE ATT&CK IDs like T1574.001 for DLL hijacking and T1573.001 for encrypted channels.

This collaboration highlights the APT’s exploitation of cultural sensitivities for supply-chain compromises, underscoring the need for robust web security and malware analysis to counter such state-sponsored intrusions.

Indicators of Compromise (IOCs)

| Type | Indicator |
| --- | --- |
| MD5 hash | 42d83a46250f788eef80ff090d9d6c87 (TBElement.zip) |
| SHA256 hash | 0ad4835662b485f3a1d0702f945f1a3cf17e0a5d75579bea165c19afd1f8ea00 (TBElement.zip) |
| Malicious domain | thedalailama90.niccenter[.]net |
| Malicious domain | tbelement.niccenter[.]net |
| Malicious domain | beijingspring.niccenter[.]net |
| Malicious domain | penmuseum.niccenter[.]net |
| Ghost RAT C2 | 104.234.15[.]90:19999 |
| PhantomNet C2 | 45.154.12[.]93:2233 |
| File path | %appdata%\Birthday\VLC.exe |
| File path | %appdata%\Birthday\libvlc.dll |
| Injected process | ImagingDevices.exe |
