| SYMBOL | COMMON_NAME | aka. SYNONYMS |
win.ghost_rat (Back to overview)
Ghost RAT
aka: Farfli, Gh0st RAT, PCRat
Actor(s): EMISSARY PANDA, Hurricane Panda, Lazarus Group, Leviathan, Red Menshen, Stone Panda
According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.
Below is a list of Gh0st RAT capabilities.
Take full control of the remote screen on the infected bot.
Provide real time as well as offline keystroke logging.
Provide live feed of webcam, microphone of infected host.
Download remote binaries on the infected remote host.
Take control of remote shutdown and reboot of host.
Disable infected computer remote pointer and keyboard input.
Enter into shell of remote infected host with full control.
Provide a list of all the active processes.
Clear all existing SSDT of all existing hooks.
References
| 2025-08-05
⋅
Defentive
⋅
Lost in Translation: Threat Actors Use SEO Poisoning and Fake DeepL Sites to Distribute Gh0st RAT Ghost RAT |
| 2025-06-24
⋅
Bridewell
⋅
2025 Cyber Threat Intelligence Report AsyncRAT Brute Ratel C4 Cobalt Strike Fog Ghost RAT Lumma Stealer Meduza Stealer Quasar RAT RedLine Stealer Sliver |
| 2025-04-30
⋅
⋅
AhnLab
⋅
(Larva-25003) Web server target IIS malware dissemination case Ghost RAT |
| 2024-07-10
⋅
Akamai
⋅
CVE-2024-4577 Exploits in the Wild One Day After Disclosure Tsunami Ghost RAT xmrig |
| 2024-05-23
⋅
Palo Alto Networks Unit 42
⋅
Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia Agent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter CL-STA-0043 |
| 2023-05-03
⋅
Sophos
⋅
A doubled “Dragon Breath” adds new air to DLL sideloading attacks Ghost RAT DragonBreath |
| 2023-04-24
⋅
Cofense
⋅
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release Ghost RAT |
| 2023-04-13
⋅
Intel 471
⋅
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt |
| 2022-09-15
⋅
Symantec
⋅
Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
| 2022-05-23
⋅
Trend Micro
⋅
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
| 2022-04-27
⋅
Trend Micro
⋅
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka |
| 2022-04-27
⋅
Trendmicro
⋅
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
| 2022-04-15
⋅
Center for Internet Security
⋅
Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus |
| 2022-04-01
⋅
The Hacker News
⋅
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit Fire Chili Ghost RAT |
| 2022-03-30
⋅
Fortinet
⋅
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits Fire Chili Ghost RAT |
| 2022-03-16
⋅
AhnLab
⋅
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers Ghost RAT Kingminer |
| 2022-02-11
⋅
Cisco Talos
⋅
Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
| 2021-12-14
⋅
Trend Micro
⋅
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23 |
| 2021-10-05
⋅
Blackberry
⋅
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
| 2021-10-04
⋅
JPCERT/CC
⋅
Malware Gh0stTimes Used by BlackTech Gh0stTimes Ghost RAT |
| 2021-05-05
⋅
Zscaler
⋅
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
| 2021-04-28
⋅
Trend Micro
⋅
Water Pamola Attacked Online Shops Via Malicious Orders Ghost RAT |
| 2021-04-02
⋅
Dr.Web
⋅
Study of targeted attacks on Russian research institutes Cotx RAT Ghost RAT TA428 |
| 2021-02-22
⋅
tccontre Blog
⋅
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload Ghost RAT |
| 2021-02-01
⋅
ESET Research
⋅
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
| 2021-01-15
⋅
Swisscom
⋅
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
| 2020-12-18
⋅
Seqrite
⋅
RAT used by Chinese cyberspies infiltrating Indian businesses Ghost RAT |
| 2020-12-10
⋅
Intel 471
⋅
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
| 2020-12-10
⋅
US-CERT
⋅
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
| 2020-10-27
⋅
Dr.Web
⋅
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
| 2020-07-28
⋅
⋅
NTT
⋅
CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
| 2020-07-20
⋅
Risky.biz
⋅
What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
| 2020-06-14
⋅
BushidoToken
⋅
Deep-dive: The DarkHotel APT Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) |
| 2020-06-05
⋅
Prevailion
⋅
The Gh0st Remains the Same Ghost RAT |
| 2020-06-04
⋅
PTSecurity
⋅
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group Ghost RAT SongXY |
| 2020-05-20
⋅
Medium Asuna Amawaka
⋅
What happened between the BigBadWolf and the Tiger? Ghost RAT |
| 2020-05-14
⋅
Avast Decoded
⋅
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia BYEBY Ghost RAT Microcin MimiKatz Vicious Panda |
| 2020-03-05
⋅
SophosLabs
⋅
Cloud Snooper Attack Bypasses AWS Security Measures Cloud Snooper Ghost RAT |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE EDISON Ghost RAT sykipot APT4 SAMURAI PANDA |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE FLEETWOOD Binanen Ghost RAT OrcaRAT APT5 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE GLOBE EtumBot Ghost RAT APT12 |
| 2020-01-01
⋅
Secureworks
⋅
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
| 2019-12-12
⋅
Microsoft
⋅
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
| 2019-11-19
⋅
FireEye
⋅
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell |
| 2019-11-04
⋅
⋅
Tencent
⋅
APT attack group "Higaisa" attack activity disclosed Ghost RAT Higaisa |
| 2019-09-23
⋅
MITRE
⋅
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
| 2019-09-17
⋅
Talos
⋅
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” Ghost RAT |
| 2019-04-25
⋅
⋅
DATANET
⋅
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
| 2019-02-27
⋅
Secureworks
⋅
A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell |
| 2019-01-07
⋅
Intezer
⋅
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups Ghost RAT |
| 2018-09-19
⋅
Möbius Strip Reverse Engineering
⋅
Hex-Rays Microcode API vs. Obfuscating Compiler Ghost RAT |
| 2018-04-20
⋅
NCC Group
⋅
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
| 2018-04-17
⋅
NCC Group
⋅
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
| 2018-02-01
⋅
Bitdefender
⋅
Operation PZCHAO Inside a highly specialized espionage infrastructure Ghost RAT APT27 |
| 2018-01-04
⋅
Malware Traffic Analysis
⋅
MALSPAM PUSHING PCRAT/GH0ST Ghost RAT |
| 2017-12-19
⋅
Proofpoint
⋅
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group Ghost RAT |
| 2017-12-19
⋅
Proofpoint
⋅
North Korea Bitten by Bitcoin Bug QUICKCAFE PowerSpritz Ghost RAT PowerRatankba |
| 2017-05-31
⋅
MITRE
⋅
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
| 2017-05-31
⋅
MITRE
⋅
Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 |
| 2017-05-31
⋅
MITRE
⋅
APT18 Ghost RAT HttpBrowser APT18 |
| 2017-02-25
⋅
Financial Security Institute
⋅
Silent RIFLE: Response Against Advanced Threat Ghost RAT |
| 2016-04-22
⋅
Cylance
⋅
The Ghost Dragon Ghost RAT |
| 2012-01-01
⋅
Norman ASA
⋅
The many faces of Gh0st Rat Ghost RAT |
| 2011-06-29
⋅
Symantec
⋅
Inside a Back Door Attack Ghost RAT Dust Storm |
| 2009-03-28
⋅
Infinitum Labs
⋅
Tracking GhostNet: Investigating a Cyber Espionage Network Ghost RAT GhostNet |