CyberSecurityNews

Gh0st RAT and CloverPlus Adware Delivered Together in New Dual-Payload Malware Campaign


A newly identified malware campaign is raising serious concerns across the cybersecurity community by delivering two very different threats at the same time.

Attackers are now using a single, obfuscated loader to push both Gh0st Remote Access Trojan (RAT) and CloverPlus adware onto the same victim machine, giving them both long-term system control and an immediate way to profit from the attack.

This pairing is unusual but strategic. Gh0st RAT is a well-known tool that gives attackers full control over a compromised system, while CloverPlus adware is designed to change browser behavior, install unwanted advertising components, and generate pop-up ads for financial gain.

Together, the two threats allow the attacker to maintain a backdoor for ongoing access while also monetizing the infected machine in real time.

The campaign represents a clear shift toward multi-payload delivery strategies that maximize the return from a single infection.

Researchers at the Splunk Threat Research Team (STRT) identified this specific loader after observing its behavior across compromised hosts.


The team noted that the loader uses obfuscation techniques to hide both encrypted payloads inside its resource section, making it harder for traditional security tools to detect.

The research team mapped the malware’s full behavior against the MITRE ATT&CK framework to document every tactic and technique used during execution.

The campaign’s reach and design show that threat actors are becoming more efficient in how they deploy malware. Rather than targeting victims with a single-purpose tool, this loader delivers a package that covers both data theft and ad fraud simultaneously.

Security teams around the world are being urged to review their endpoint monitoring capabilities and update detection rules to account for this kind of bundled attack.

The impact of this campaign is significant for both individuals and organizations. The adware component can disrupt browser functionality and expose users to malicious advertisements, while the RAT payload can steal sensitive data, capture keystrokes, block access to security websites, and give attackers persistent, privileged access to the infected system.

Inside the Loader: How Both Payloads Are Dropped and Executed

The loader at the center of this campaign is built to be stealthy from the very beginning. It hides two encrypted payloads inside its resource section, and the first to be released is the CloverPlus adware module, identified as AdWare.Win32.CloverPlus.

This component is tied to an executable named wiseman.exe, as shown in Figure 01: The Adware Payload, and is responsible for modifying browser startup pages and injecting pop-up advertisements.

Once the adware is handled, the loader checks whether its own file path is located inside the system’s %temp% folder.

If it is not, it drops a copy of itself there before moving to the next step: decrypting the Gh0st RAT client module, which is stored as an encrypted resource in the RSRC section of the malware binary.

After decryption, the malware generates a random file name and saves the decoded DLL to a randomly named folder at the root of the C: drive.

The Decryption and Execution of Gh0st RAT Payload (Source: Splunk)

The decrypted DLL is then launched using the legitimate Windows application rundll32.exe, as shown in Figure 03: Rundll32 Execution. This technique allows the malware to execute code under a trusted system process, reducing the chance of triggering standard security alerts.

Once active, Gh0st RAT begins gathering system information, including the machine’s MAC address and hardware drive serial number, to uniquely identify the infected host within the attacker’s command-and-control (C2) infrastructure.

To stay on the system after a reboot, Gh0st RAT uses multiple persistence methods. It writes itself to the Windows Run registry key and also registers a malicious DLL as part of the Windows Remote Access service under `SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip`.

Remote Services Persistence (Source: Splunk)

This gives it SYSTEM-level privileges every time the service starts, without requiring any action from the user.

Security teams should monitor for rundll32.exe loading non-standard file extensions from unusual directories. Endpoint tools should flag any process execution originating from the %temp% folder.

Registry modifications to Run keys and RemoteAccess service paths should trigger immediate alerts. Organizations should also watch for ping-based execution delays, which this malware uses to evade sandbox analysis.

DNS traffic anomalies and unexpected changes to the system hosts file can also indicate an active Gh0st RAT infection. Keeping endpoint detection rules updated and aligned with MITRE ATT&CK techniques T1134, T1033, T1070.004, T1547.001, T1021, T1543.003, T1056.001, and T1071.004 is strongly advised.
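As an added example that is not part of the article or of Splunk's research, the monitoring advice above expressed as simple Python heuristics run over constructed Sysmon-style process and registry events: rundll32.exe loading a non-.dll module from an unusual directory, execution from %temp%, the ping-based delay idiom, and writes to the Run key or the RemoteAccess RouterManagers\Ip service path. Every path, the folder name kqzx7ab and the ping command line are assumptions invented for the sample data.

```python
import re

# Directories rundll32 is expected to load modules from; anything else counts as unusual.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Persistence locations named in the article: the Run key and the RemoteAccess router-manager entry.
WATCHED_REG_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
                    "\\system\\currentcontrolset\\services\\remoteaccess\\routermanagers\\ip")

def rundll32_module(cmdline):
    """Return the module rundll32 was asked to load, or None if the command is not rundll32."""
    tokens = cmdline.replace('"', "").split(None, 1)
    if len(tokens) < 2 or tokens[0].lower().rsplit("\\", 1)[-1] not in ("rundll32", "rundll32.exe"):
        return None
    return tokens[1].split(",", 1)[0].strip()
def suspicious_rundll32(event):
    """rundll32 loading a module with a non-.dll extension from outside the Windows directories."""
    mod = rundll32_module(event["cmdline"])
    if mod is None or "\\" not in mod:  # bare names resolve from the system search path
        return False
    return not mod.lower().endswith(".dll") and not mod.lower().startswith(TRUSTED_MODULE_DIRS)
def runs_from_temp(event):
    """Any process whose own image or whose parent lives in a %temp% folder."""
    return any(m in p.lower() for p in (event["image"], event["parent"]) for m in TEMP_MARKERS)
def ping_delay(event):
    """The 'ping <host> -n N' sleep idiom chained to a follow-on command."""
    return re.search(r"\bping\b[^&|]*-n\s+\d+[^&|]*(&&?|\|\|?)", event["cmdline"], re.I) is not None
def watched_registry_write(reg_event):
    """Writes to the Run key or to the RemoteAccess RouterManagers\\Ip service entry."""
    return reg_event["key"].lower().rstrip("\\").endswith(WATCHED_REG_KEYS)
def triage(process_events, registry_events):
    """Return (rule, detail) pairs for every hit across both event streams."""
    rules = (("rundll32_unusual_module", suspicious_rundll32),
             ("exec_from_temp", runs_from_temp), ("ping_delay", ping_delay))
    hits = [(name, ev["cmdline"]) for ev in process_events for name, rule in rules if rule(ev)]
    hits += [("persistence_registry", ev["key"]) for ev in registry_events if watched_registry_write(ev)]
    return hits

# Constructed Sysmon-style sample events; the folder and file names are invented, not from the article.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": TEMP + r"\loader.exe",
     "cmdline": r"rundll32.exe C:\kqzx7ab\kqzx7ab.dat,Init"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": TEMP + r"\loader.exe",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 -n 6 > nul && del " + TEMP + r"\loader.exe"},
]
REGISTRY_EVENTS = [{"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
                   {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip"}]
```

Calling `triage(PROCESS_EVENTS, REGISTRY_EVENTS)` flags the first and third process events and both registry writes while leaving the legitimate shell32.dll load alone; in production the same checks would be fed from Sysmon or EDR telemetry rather than inline dictionaries.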
