A new malware campaign is bundling a powerful remote access trojan (RAT) with intrusive adware, giving attackers both long-term control of infected systems and an immediate revenue stream from fraudulent advertising activity.
The loader hides two encrypted payloads in its resource section, one of which is detected as AdWare.Win32.CloverPlus.
Once executed, this adware installs advertising components, alters browser startup behavior and triggers pop-ups to monetize clicks and traffic on compromised machines.
At the same time, the loader prepares the second payload, a Gh0st RAT client DLL that provides full remote access to the victim system.
To avoid basic path-based detections, the loader checks whether its process is running from the %temp% directory and, if not, copies itself there before decrypting the Gh0st RAT DLL from the RSRC section.
The campaign, analyzed by the Splunk Threat Research Team (STRT), delivers Gh0st RAT alongside CloverPlus adware via an obfuscated loader that focuses on stealth, persistence, and defense evasion.
The decrypted DLL is written under a randomly named folder on the root of the C: drive and then executed using rundll32.exe, a common living-off-the-land technique that blends into normal Windows activity.
Gh0st RAT: stealth, discovery and DNS abuse
Once active, this Gh0st RAT variant enables SeDebugPrivilege via access token manipulation (ATT&CK T1134), allowing it to interact with and read memory from other processes, a capability often abused to steal sensitive data.

It performs user and network discovery (T1033, T1018), including identifying the process handling DNS on port 53 using GetExtendedUdpTable(), which it can terminate and replace to hijack DNS traffic.
The malware also removes traces by deleting related files, aligning with indicator removal via file deletion (T1070.004).
For defense evasion, Gh0st RAT checks the VMware-related registry key HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe to determine if it is running in a virtual machine.
If it detects a VM, it launches a “dead drop resolver” routine (T1102.001), contacting a seemingly legitimate Sina blog URL and parsing the HTML title tag to decode its command-and-control (C2) address, an approach that hides C2 infrastructure behind benign web content.
The malware also uses a ping-based sleep technique (T1678), calling ping.exe with the -n parameter to delay execution and evade sandboxes that monitor only short-lived activity.

Gh0st RAT further abuses DNS to block security resources using application-layer DNS communications (T1071.004).
It inspects requested domains for substrings related to antivirus vendors such as “Alyac,” “Ahnlab,” and “V3lite,” then selectively returns normal DNS responses or DNS errors, effectively preventing access to security tools and update servers while staying under the radar.
After modifying DNS behavior, it flushes the DNS cache with “cmd.exe /c ipconfig /flushdns” so that its spoofed responses immediately take effect.
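The selective-error behavior described above leaves a measurable trace in DNS telemetry: on an affected host, lookups for security-vendor names fail while everything else resolves normally. The following is an added example (not STRT's detection content and not Splunk code) that scores DNS query records per host on exactly that asymmetry, using the vendor substrings the article names. The log records are constructed for the example; field shapes such as host, queried name and response code are assumptions about how your DNS or Sysmon DNS events are exported.

```python
from collections import defaultdict

# Substrings the article says the RAT inspects in requested domains.
SECURITY_VENDOR_MARKERS = ("alyac", "ahnlab", "v3lite")

# Constructed DNS query records: (host, queried name, response code).
# These are invented for the example, not telemetry from the campaign.
SAMPLE_DNS_LOG = [
    ("ws01", "update.ahnlab.example", "SERVFAIL"),
    ("ws01", "dl.alyac.example", "NXDOMAIN"),
    ("ws01", "v3lite.example", "SERVFAIL"),
    ("ws01", "www.microsoft.com", "NOERROR"),
    ("ws01", "mail.example.com", "NOERROR"),
    ("ws02", "update.ahnlab.example", "NOERROR"),
    ("ws02", "www.microsoft.com", "NOERROR"),
    ("ws02", "typo.examplle.com", "NXDOMAIN"),   # ordinary one-off failure
]


def is_security_vendor_name(name):
    """True if the queried name contains one of the vendor markers."""
    lowered = name.lower()
    return any(marker in lowered for marker in SECURITY_VENDOR_MARKERS)


def selective_dns_failure_hosts(records, min_vendor_queries=2,
                                vendor_fail_threshold=0.8, other_fail_ceiling=0.2):
    """Return hosts where vendor-related lookups fail but general lookups succeed.

    A host is flagged only when it issued at least `min_vendor_queries`
    vendor-related queries, most of them failed, and its other queries
    mostly succeeded. The thresholds are tunable assumptions.
    """
    stats = defaultdict(lambda: {"vendor_total": 0, "vendor_fail": 0,
                                 "other_total": 0, "other_fail": 0})
    for host, name, rcode in records:
        bucket = "vendor" if is_security_vendor_name(name) else "other"
        stats[host][bucket + "_total"] += 1
        if rcode != "NOERROR":
            stats[host][bucket + "_fail"] += 1

    flagged = []
    for host, s in stats.items():
        if s["vendor_total"] < min_vendor_queries:
            continue
        vendor_rate = s["vendor_fail"] / s["vendor_total"]
        other_rate = (s["other_fail"] / s["other_total"]) if s["other_total"] else 0.0
        # Failing vendor lookups alone could be a resolver outage; the
        # contrast with healthy general resolution is the signal.
        if vendor_rate >= vendor_fail_threshold and other_rate <= other_fail_ceiling:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    print(selective_dns_failure_hosts(SAMPLE_DNS_LOG))
```

A host that is flagged here should be cross-checked against process telemetry for an unexpected process bound to UDP port 53 and for the ipconfig /flushdns execution the article describes, since together they distinguish the RAT's DNS hijack from a misconfigured resolver.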
System profiling, persistence and keylogging
Beyond network abuse, the RAT collects system network configuration details (T1016), including MAC addresses and physical disk serial numbers, by using Netbios() NCBASTAT calls and SMART_RCV_DRIVE_DATA IOCTL requests.
These hardware identifiers help attackers uniquely track infected hosts inside their C2 infrastructure and support long-term campaign management.

Persistence is achieved through multiple mechanisms. Gh0st RAT writes to standard Windows Run keys (T1547.001) to start automatically with the OS, and it abuses Windows Remote Access service configuration under SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip to load its DLL with SYSTEM privileges (T1021, T1543.003).
It also registers a dedicated Windows service pointing to its malicious module, ensuring automatic execution at boot and blending its activity with legitimate service operations.
The RAT additionally targets Remote Desktop activity by monitoring mstsc.exe and capturing keystrokes via GetKeyState() and GetAsyncKeyState(), implementing an input capture/keylogging capability (T1056.001).
By focusing on active RDP sessions, attackers can harvest high-value credentials and sensitive data used for remote administration and lateral movement inside enterprise networks.
STRT maps these behaviors to MITRE ATT&CK and releases aligned analytic content so defenders can detect this dual-payload campaign using Splunk.
Available detections include analytics for rundll32.exe using non-standard file extensions, ping-based sleep batch commands, registry keys used for persistence, process execution from %temp%, and modifications to Windows RemoteAccess RouterManagersIp registry entries.
By correlating these signals, security teams can spot both the loader activity and the long-term Gh0st RAT presence.
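To make the correlation concrete, here is an added example (my own code, not STRT's analytics and not Splunk SPL) that implements the five detection ideas listed above as rules over Sysmon-style process-creation and registry-set events and then checks whether loader-stage and RAT-stage signals occur together. The events are constructed for the example; the field names follow Sysmon's EventID 1 and EventID 13 schema, and the registry value name and file paths in the samples are invented, not indicators from the campaign.

```python
import os
import re

# Constructed Sysmon-like events (EventID 1 = process create, 13 = registry value set).
# Paths, names and the registry value name are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\kx8q2m\svc.jpg",Start',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping 127.0.0.1 -n 30 >nul",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /flushdns",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DllPath",
     "Details": r"C:\kx8q2m\svc.jpg"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper",
     "Details": r"rundll32.exe C:\kx8q2m\svc.jpg,Start"},
    # Benign noise that must not fire any rule.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 1 fileserver",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

STANDARD_MODULE_EXTENSIONS = (".dll", ".ocx", ".cpl", ".ax", ".drv")


def rundll32_nonstandard_ext(ev):
    """rundll32.exe loading a module whose extension is not a normal DLL type."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("rundll32.exe"):
        return False
    # First argument is the module path, optionally quoted, followed by ",Export".
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)"?', ev["CommandLine"], re.I)
    if not m:
        return False
    ext = os.path.splitext(m.group(1).strip())[1].lower()
    return ext not in STANDARD_MODULE_EXTENSIONS


def ping_sleep(ev):
    """ping.exe used as a delay: high -n count against loopback or with output discarded."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("ping.exe"):
        return False
    cmd = ev["CommandLine"]
    m = re.search(r"-n\s+(\d+)", cmd, re.I)
    if not m or int(m.group(1)) < 5:
        return False
    return bool(re.search(r"127\.0\.0\.1|localhost|::1", cmd, re.I)) or ">nul" in cmd.lower()


def exec_from_temp(ev):
    """Process image located in a user or system temp directory."""
    return ev.get("EventID") == 1 and re.search(
        r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", ev["Image"], re.I) is not None


def remoteaccess_routermanagers_mod(ev):
    """Registry write under the RemoteAccess RouterManagers\\Ip key."""
    return ev.get("EventID") == 13 and \
        r"\services\remoteaccess\routermanagers\ip" in ev["TargetObject"].lower()


def run_key_persistence(ev):
    """Registry write to a Run / RunOnce autostart key."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == 13 and (
        r"\currentversion\run\ " .strip() in target or r"\currentversion\runonce\ ".strip() in target)


def dns_cache_flush(ev):
    """ipconfig /flushdns executed; low severity alone, meaningful with the DNS rules."""
    return ev.get("EventID") == 1 and \
        re.search(r"ipconfig\s+/flushdns", ev["CommandLine"], re.I) is not None


RULES = {
    "execution_from_temp": exec_from_temp,
    "rundll32_nonstandard_extension": rundll32_nonstandard_ext,
    "ping_sleep_delay": ping_sleep,
    "dns_cache_flush": dns_cache_flush,
    "remoteaccess_routermanagers_ip_modified": remoteaccess_routermanagers_mod,
    "run_key_persistence": run_key_persistence,
}

LOADER_STAGE = {"execution_from_temp", "rundll32_nonstandard_extension"}
RAT_STAGE = {"ping_sleep_delay", "dns_cache_flush",
             "remoteaccess_routermanagers_ip_modified", "run_key_persistence"}


def evaluate(events):
    """Return {rule_name: [event indices]} for every rule that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits


def campaign_pattern(hits):
    """True when at least one loader-stage and one RAT-stage signal both fired."""
    fired = set(hits)
    return bool(fired & LOADER_STAGE) and bool(fired & RAT_STAGE)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    print(found, campaign_pattern(found))
```

Each rule is deliberately narrow and individually noisy (a help-desk script may ping with -n, and legitimate installers run from %temp%); the value is in campaign_pattern, which only reports when a loader-stage signal and a RAT-stage signal appear on the same host within the window you are examining.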
By leveraging Splunk to analyze endpoint, process, registry and DNS telemetry continuously, defenders can move from reactive cleanup to proactive threat hunting against this campaign.
With multiple layers of behavior-based detections in place, organizations stand a better chance of disrupting both the Gh0st RAT backdoor and the CloverPlus adware monetization before attackers fully establish control.