ps1.ghostweaver

GhostWeaver


According to TRAC Labs, the GhostWeaver backdoor not only maintains continuous, authenticated communication with its command-and-control server but also includes functionality to generate DGA domains (using a fixed-seed algorithm based on the week number and year), to deliver additional payloads via remote commands, and to bypass certificate validation by registering a RemoteCertificateValidationCallback that always returns true. Multiple delivered plugins target sensitive information, including credentials from popular browsers (Brave, Chrome, Firefox, Edge), Outlook data, and cryptocurrency wallets. The Formgrabber plugin performs web injection by dynamically manipulating HTML content, alters JA3 fingerprints by reordering cipher suites, and uses a man-in-the-middle proxy setup to intercept traffic. The delivery of GhostWeaver and its plugins to systems that are not joined to an Active Directory domain suggests that the attackers are extending their reach beyond typical corporate targets, consistent with a financially motivated agenda that exploits environments with weaker security controls.

References
2025-04-29 - Recorded Future (Insikt Group): Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting
Families: FAKEUPDATES, MintsLoader, GhostWeaver, Stealc

2025-02-15 - Medium TRAC Labs (TRAC Labs): Don’t Ghost the SocGholish: GhostWeaver Backdoor
Families: FAKEUPDATES, GhostWeaver

There is no YARA signature yet.