Ghost RAT
Gh0st RAT is a remote access Trojan/backdoor dating to at least 2008, reported as originally developed by the Chinese threat actor C. Rufus Security Team. It is historically associated with the GhostNet campaign that targeted the Dalai Lama's Tibetan exile centers, and multiple sources link its use, or reuse of its source code, to China-nexus intrusion activity.
In Huntress's reporting, x.exe was assessed as a variant of Gh0st RAT used in an intrusion chain that began with compromise of an exposed, unauthenticated phpMyAdmin instance. The attackers abused MariaDB general query logging for log poisoning to write a PHP web shell, operated it with AntSword, deployed the legitimate Nezha monitoring agent as a staging and control mechanism, used PowerShell to add a Microsoft Defender exclusion for C:\WINDOWS, and then dropped and executed the Gh0st RAT variant from C:\Windows\Cursors. Huntress reported that the malware established persistence via a service named SQLlite, dropped SQLlite.exe into C:\Windows\system32, and that SQLlite.exe was a renamed rundll32.exe used to load 32138546.dll. The sample created a mutex named gd.bj2[.]xyz:53762:SQLlite and communicated with gd.bj2[.]xyz, which resolved to 45.207.220[.]12. Huntress also reported that the variant used a domain generation algorithm for C2, a multi-stage loader, dynamic API resolution, and command blocks consistent with China-nexus APT activity.
The campaign in which this Gh0st RAT variant was deployed reportedly affected more than 100 systems, with many victims in Taiwan, Japan, South Korea, and Hong Kong, and additional victims in other countries. Ghost RAT and AntSword have both been used previously in activity publicly attributed to Chinese APT groups, and Huntress noted protocol similarities between the observed variant and malware reported by Zscaler in June 2025 linked to a China-nexus APT targeting Tibetan communities. Separately, Palo Alto Networks Unit 42 reported that the Phantom Taurus actor deployed backdoors that likely borrowed source code from Ghost RAT.
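The intrusion chain above leaves several host-side artifacts a defender can match on: a Defender exclusion for the Windows directory, execution from C:\Windows\Cursors, and a new service named SQLlite whose image is an executable in system32 launched with a DLL argument (the renamed rundll32.exe pattern). The following is an added example, not Huntress's or Mallory's code; the key=value event lines are constructed to mimic Windows event IDs 4104 (PowerShell script block), 4688 (process creation) and 7045 (service install), and the field names are assumed.

```python
import re

# Constructed sample events (not from the Huntress report); a simplified
# "key=value" rendering of Windows event data, one event per line.
SAMPLE_EVENTS = """\
EventID=4104 ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\\WINDOWS'
EventID=4688 NewProcessName=C:\\Windows\\Cursors\\x.exe ParentProcessName=C:\\Windows\\nezha\\nezha-agent.exe
EventID=7045 ServiceName=SQLlite ImagePath=C:\\Windows\\system32\\SQLlite.exe 32138546.dll
EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe ParentProcessName=C:\\Windows\\System32\\services.exe
EventID=7045 ServiceName=WinDefend ImagePath=C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\MsMpEng.exe
"""

# Indicators quoted on the page for this Gh0st RAT variant.
KNOWN_SERVICE = "sqllite"
LAUNCH_DIR = r"c:\windows\cursors"

def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; a value runs until the next ' key='."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def assess(event):
    """Return a list of finding tags for one parsed event."""
    hits = []
    eid = event.get("EventID")
    if eid == "4104":  # PowerShell script block logging
        txt = event.get("ScriptBlockText", "")
        if re.search(r"Add-MpPreference.*-ExclusionPath.*C:\\WINDOWS", txt, re.I):
            hits.append("defender_exclusion_windows_dir")
    elif eid == "4688":  # process creation
        img = event.get("NewProcessName", "").lower()
        if img.startswith(LAUNCH_DIR + "\\"):
            hits.append("exec_from_cursors_dir")
    elif eid == "7045":  # new service installed
        name = event.get("ServiceName", "").lower()
        path = event.get("ImagePath", "").lower()
        if name == KNOWN_SERVICE:
            hits.append("service_name_sqllite")
        # rundll32-style invocation: an exe directly under system32 followed
        # by a DLL argument, the shape of the renamed rundll32.exe loader
        if re.search(r"\\system32\\[^\\ ]+\.exe\s+\S+\.dll", path):
            hits.append("system32_exe_loads_dll_arg")
    return hits

def scan(log_text):
    """Map each flagged line number (1-based) to its findings."""
    out = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        findings = assess(parse_event(line))
        if findings:
            out[n] = findings
    return out
```

The service check deliberately fires on the loader shape, not only the literal name, so a renamed service with the same rundll32-style image path is still surfaced.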
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“...deploying backdoors that very likely borrowed source code from Ghost RAT, a Trojan developed by Chinese threat actor C. Rufus Security Team. Ghost RAT appears to date to 2008...”
Huntress said Nezha was used in tandem with other families of malware and web shell management tools, such as Ghost RAT and AntSword. One of the first clues leading them to attribute the incident to Chinese actors was that, upon accessing the administrative interface of the compromised system, the hacker set the language to simplified Chinese. Minton added that even though Huntress stopped short of formally attributing the campaign to a specific Chinese threat actor, the use of Ghost RAT and AntSword was a clue because they both have been used before in activity publicly attributed to Chinese APT groups.
"...drop and run a Ghost RAT variant from 'C:\Windows\Cursors'. The RAT executable also installed a persistence mechanism and used a domain generation algorithm (DGA) for command & control (C2)."
"SilverFox activity: Antiy says the SilverFox (YouSnake) group infected over 17,000 users with the Ghost RAT..."
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 3 techniques
All WinApi functions are resolved dynamically using GetProcAddress and are stored into a large function table which is trivially reassembled.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Huntress Uncovers Log Poisoning Campaign Linking Nezha and Ghost RAT in Widespread Asian Cyber Intrusions
Remote Access Trojan deployed via Nezha to provide persistent remote access and control over compromised systems.
Remote access trojan used for deeper persistence and post-compromise control; described as having a multi-stage loader, dynamic API resolution, DGA-based C2, and command blocks consistent with China-nexus APT activity.
Ghost RAT is a remote access trojan commonly used by Chinese APT groups for persistent access and espionage. It allows attackers to control infected systems remotely.