{
  "Event": {
    "analysis": "1",
    "date": "2026-04-17",
    "extends_uuid": "",
    "info": "[Threat Intel] Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT",
    "protected": false,
    "publish_timestamp": "1776767273",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776767273",
    "uuid": "da7e4473-9833-418a-87d5-27a3142e6abf",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#346a03",
        "local": false,
        "name": "misp-galaxy:producer=\"Splunk\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#177fb7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1218.011\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#110e53",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#8d021b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Ghost RAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776682829",
        "to_ids": false,
        "type": "link",
        "uuid": "44d3abc6-278d-4a57-941a-d434360eaad8",
        "value": "https://www.splunk.com/en_us/blog/security/detecting-ghost-rat-cloverplus-adware-loader-analysis.html"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776682829",
        "to_ids": false,
        "type": "text",
        "uuid": "2ccbd07a-3c2b-4186-90a0-8b264069e26a",
        "value": "A sophisticated malware campaign is distributing both Gh0st Remote Access Trojan and CloverPlus adware simultaneously through obfuscated loaders. The loader drops encrypted payloads from its resource section, with one being adware and another a Gh0st RAT DLL module executed via rundll32.exe. The RAT employs multiple persistence mechanisms including registry run keys, Windows services, and Remote Access service manipulation. It features capabilities for token manipulation, DNS hijacking, keylogging targeting RDP sessions, system reconnaissance, and dead drop resolver techniques for C2 communication. The malware specifically targets security tools by blocking antivirus domains through DNS spoofing and hosts file modification. This dual-payload approach provides attackers with long-term system access while generating immediate profit through adware monetization."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776682829",
        "to_ids": false,
        "type": "text",
        "uuid": "f056d259-0ef8-4bb5-8218-d1b28dff126f",
        "value": "Name: Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT\nAuthor: AlienVault\nAdversary: \nTags: [\"dns hijacking\", \"keylogging\", \"registry persistence\", \"remote access trojan\", \"adware bundle\", \"gh0st rat\", \"dead drop resolver\", \"cloverplus\"]\nTgtd countries: []\nMlwr families: [\"gh0st RAT - S0032\", \"Mydoor\", \"Moudoor\", \"CloverPlus\"]\nAttack_ids: [\"T1033\", \"T1218.011\", \"T1056.001\", \"T1071.004\", \"T1543.003\", \"T1082\", \"T1140\", \"T1036\", \"T1021\", \"T1112\", \"T1016\", \"T1547.001\", \"T1027\", \"T1012\", \"T1059.003\", \"T1070.004\", \"T1134\", \"T1018\", \"T1102.001\"]\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "Carried over from the OTX pulse. The event description attributes delivery to adware bundles and does not mention exploitation of any vulnerability, so confirm this CVE's relevance against the linked Splunk analysis before using it for prioritisation.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776682829",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2b82f478-2222-4c3a-8d65-f577d7b55a59",
        "value": "CVE-2023-27350"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776736154",
        "uuid": "358bb8bd-217b-426d-95f3-fbbe90df0aa7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Adware CloverPlus",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776736154",
            "to_ids": true,
            "type": "md5",
            "uuid": "460b2b45-3a52-472b-9907-1b9a23a6a01d",
            "value": "a70af400ba66597c11ef1e15aba5c6c3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Adware CloverPlus",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776735726",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e0621a7c-653d-40d0-980b-d0a20702088c",
            "value": "8f7ea0fc8f16028937855554d0ac5fa2113f85a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Adware CloverPlus",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776735726",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1b901c9c-a197-4258-8e15-6a789c6b6fc2",
            "value": "ebba8f4342b65faccdd2a48be9f2654d3fa523360f17ff68d5498a453f76c205",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776733543",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b832596b-6eee-465f-88ab-634aa2f87341",
            "value": "6144:yraxNx1Gc9N6xJ/MO2N89M4qjGggUA0CthK1KLAb+AfQQIh+K+TuAubWq49OU/Cv:ygVhNrAM1qgg22"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776733543",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "375198c2-f83d-417b-b523-89304503afa1",
            "value": "421940"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776733543",
            "to_ids": true,
            "type": "vhash",
            "uuid": "714245fd-6e20-4a76-b2b2-8934344b3adc",
            "value": "045046655d15509013z3002933013z50a5z32z221z71z5514z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776733543",
            "to_ids": true,
            "type": "filename",
            "uuid": "86e199a4-45d5-4dff-8bcd-698e29f83ffc",
            "value": "wiseman.EXE"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-21\nLast-scan: 2026-03-13",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776733543",
            "to_ids": false,
            "type": "text",
            "uuid": "956ad5cf-d2df-45ca-8d9a-1dc78aed5523",
            "value": "Adware CloverPlus\r\nType Description: Win32 EXE\nMicrosoft: PUA:Win32/Creprote\nVT Total Detection:53/72\nFirst Submission:2026-03-05T12:58:24.000000+00:00\nLast Submission:2026-03-05T12:58:24.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776736175",
        "uuid": "8e7399ed-747c-49f3-8aab-ab6e0c763b5d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Gh0st RAT Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776736175",
            "to_ids": true,
            "type": "md5",
            "uuid": "dfe19843-22bb-40b3-93e5-aa9dcc32303b",
            "value": "04c3c443f6ad7582b6e61d0480594d83",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Gh0st RAT Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776735727",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2a9b3463-bcad-4643-b2d5-f8044cdad9c7",
            "value": "293db0268a5bb138c7d4119d569cd6c6791f94c4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Gh0st RAT Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776735727",
            "to_ids": true,
            "type": "sha256",
            "uuid": "950c743c-efdc-47c7-8f05-a766e9080d29",
            "value": "fda9864b1aa230b60d0c736559415ac9c79e240cce411daed5da2facb9ced87c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776733565",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "337be82a-cc8c-4ce5-8200-457e52896c5e",
            "value": "6144:PQJf3uMxrbLgEN6S7KzA5x3S5+y3D82oC0UdkgxgfOq:4J130ENL7kArI+y3XipfO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776733565",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d012ea7d-de81-44b6-8299-4c8d54eb8653",
            "value": "654619"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776733565",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c68fe494-9bce-465e-8ba0-39a0ede8968a",
            "value": "06507d1d1d1d1d5d0617z11z301hz11z15z17z"
          },
          {
            "category": "Payload delivery",
            "comment": "Name collides with the legitimate Windows wininet.dll (Masquerading, T1036). Do not alert on this filename alone - it will match benign system copies; pivot on the md5/sha1/sha256 in this object and consider setting to_ids=false for this attribute.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776733565",
            "to_ids": true,
            "type": "filename",
            "uuid": "1384effb-d098-449e-bfdc-a7d6c0bc824e",
            "value": "wininet.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-21\nLast-scan: 2026-03-06",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776733565",
            "to_ids": false,
            "type": "text",
            "uuid": "d72c565b-6df6-4772-adc9-ff39e9d73617",
            "value": "Gh0st RAT Loader\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/GhostRat.LBK!MTB\nVT Total Detection:60/72\nFirst Submission:2026-03-04T07:07:53.000000+00:00\nLast Submission:2026-03-04T08:20:28.000000+00:00\nNOTE: VT reports Win32 EXE while the recorded filename is wininet.dll; confirm whether this hash is the loader executable or the dropped Gh0st RAT DLL module that the description says is run via rundll32.exe."
          }
        ]
      }
    ]
  }
}