Dual threat malware widens Windows risk

Windows users are facing a sharper cyber threat after researchers identified a campaign that pairs the long-running Gh0st remote access trojan with CloverPlus adware, giving attackers a mix of covert control and instant income from poisoned web traffic. The operation uses a single obfuscated loader to unpack both payloads, turning one infection into a dual-purpose compromise that can spy, persist and monetise at the same time.

Two payloads from one foothold mark the campaign as more than a routine adware outbreak. The loader conceals encrypted components in its resource section, first delivering CloverPlus, which alters browser behaviour and pushes intrusive advertising, then decrypting a Gh0st RAT client module and launching it through rundll32.exe. That combination gives criminals two benefits at once: quick advertising fraud revenue and a durable backdoor that can be used for surveillance, credential theft or wider network abuse.

Technical analysis suggests the operators have taken care to avoid simple detection. The malware checks whether it is running from the Windows temporary directory and, if not, copies itself there before continuing. It then writes the decrypted Gh0st component into a randomly named folder on the root of the C: drive and executes it with a built-in Windows utility often abused by attackers because it blends into legitimate system activity. That use of native tools, randomised file paths and encrypted resources points to a campaign designed to survive basic antivirus screening and frustrate fast incident response.

Once active, the Gh0st payload goes well beyond nuisance-level malware. Researchers found that this variant enables SeDebugPrivilege, allowing it to interact with other processes and potentially inspect sensitive memory. It also carries out user, network and system discovery, gathers identifiers such as MAC addresses and hard-drive serial data, and establishes persistence through Windows registry and service mechanisms. The result is a backdoor that can keep returning after a reboot and can help an operator profile the machine with unusual precision.

One of the more striking features is its handling of DNS activity. The malware identifies the process responsible for DNS traffic, interferes with that process, and then manipulates name resolution to disrupt access to security-related domains. Analysts observed checks for antivirus-linked strings such as Alyac, Ahnlab and V3lite, with the malware capable of returning spoofed DNS answers or errors and then flushing the DNS cache to force the poisoned responses to take effect. For defenders, that is a warning sign because it means a victim may struggle to reach security tools or update servers even after suspecting something is wrong.
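The DNS tampering described above leaves a footprint in host-side DNS telemetry: lookups for security-vendor domains that suddenly fail or resolve to addresses that cannot be a real update server. The following Python is an added illustration, not code from the article or from the researchers it cites. It runs over a constructed log in a hypothetical `query=... rcode=... answer=...` format; the keyword list reuses the three vendor strings the article reports (Alyac, Ahnlab, V3lite) and adds generic terms as an assumption.

```python
import ipaddress

# Substrings that mark a lookup as security-related. The first three are the
# strings the article says the malware checks for; the others are assumptions.
SECURITY_KEYWORDS = ("alyac", "ahnlab", "v3lite", "antivirus", "windowsupdate")

# Constructed host-side DNS telemetry (not taken from the page), one query per line.
SAMPLE_DNS_LOG = r"""
2024-01-01T10:00:01 host=WS01 query=www.example.com rcode=NOERROR answer=93.184.216.34
2024-01-01T10:00:02 host=WS01 query=update.ahnlab.example rcode=NOERROR answer=127.0.0.1
2024-01-01T10:00:03 host=WS01 query=download.alyac.example rcode=SERVFAIL answer=-
2024-01-01T10:00:04 host=WS01 query=v3lite.example rcode=NOERROR answer=0.0.0.0
2024-01-01T10:00:05 host=WS01 query=mail.example.org rcode=NXDOMAIN answer=-
2024-01-01T10:00:06 host=WS01 query=www.antivirus.example rcode=NOERROR answer=93.184.216.34
"""


def parse_line(line):
    """Split one telemetry line into a dict of its key=value fields plus the timestamp."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    fields["timestamp"] = tokens[0]
    return fields


def is_sinkholed(answer):
    """True when the returned address is loopback, unspecified, private or reserved,
    i.e. an answer a genuine vendor update server would never have."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # '-' or otherwise not an address
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_reserved


def find_blocked_security_lookups(log):
    """Return (domain, reason) pairs for security-related lookups that errored
    or were answered with a non-routable address."""
    findings = []
    for line in log.strip().splitlines():
        ev = parse_line(line)
        if not any(k in ev["query"].lower() for k in SECURITY_KEYWORDS):
            continue  # ordinary lookups are out of scope for this check
        if ev["rcode"] != "NOERROR":
            findings.append((ev["query"], f"resolution error {ev['rcode']}"))
        elif is_sinkholed(ev["answer"]):
            findings.append((ev["query"], f"answer {ev['answer']} is non-routable"))
    return findings


if __name__ == "__main__":
    for domain, reason in find_blocked_security_lookups(SAMPLE_DNS_LOG):
        print(f"{domain}: {reason}")
```

The check deliberately treats a NOERROR answer pointing at loopback or 0.0.0.0 as seriously as a SERVFAIL, because both leave the victim unable to reach the vendor. A single NXDOMAIN on an arbitrary domain is noise; the watchlist is what makes the signal usable, and pairing it with a process event for the cache flush the article mentions tightens it further.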

The campaign also appears built to recognise analysis environments. The Gh0st sample queries a VMware-related registry location to check whether it is running in a virtual machine, a common technique used to decide whether a machine belongs to a security researcher or sandbox. If a virtualised environment is detected, the malware can switch to a dead-drop resolver routine, pulling web content from a seemingly ordinary Sina blog page and extracting command-and-control information from the HTML title field. It also uses ping-based delays to slow execution, a simple but effective way to outlast short sandbox observation windows.

Gh0st RAT itself is not new, and that is part of the story. Security researchers have tracked variants of the malware for years, helped by source code that leaked in 2008 and enabled a long line of derivative strains to spread across different campaigns and actor groups. Its durability reflects a broader reality in cybercrime: older malware families often remain useful when they are repackaged with updated delivery methods, stealth features and monetisation tactics. This campaign fits that pattern by pairing a familiar RAT with adware that can generate immediate returns while the more strategic intrusion unfolds in the background.

That dual-track model matters because it blurs the line between financially motivated nuisanceware and more serious compromise. Adware is often dismissed as low-grade clutter, yet bundling it with a fully fledged remote access trojan changes the risk calculation for businesses and households alike. A machine showing pop-ups and browser hijacks may also be harbouring a persistent backdoor with the ability to log keystrokes, manipulate services, tamper with network behaviour and maintain privileged access. Splunk’s published detections for the campaign focus on suspicious rundll32 activity and persistence-related registry changes, underscoring how behavioural monitoring is becoming essential as attackers hide behind legitimate Windows processes.
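The behaviours the article attributes to the loader (copying itself to the Windows temporary directory, writing the Gh0st module to a randomly named folder on the root of C: and launching it via rundll32.exe) and the persistence-focused detections it mentions can be expressed as a small rule over endpoint telemetry. The Python below is an added example, not the article's or Splunk's own detection content. It assumes a hypothetical `type=process ...` / `type=registry ...` key=value event format and a constructed sample; the set of expected root-level folders is an assumption about a typical Windows install.

```python
import re
from pathlib import PureWindowsPath

# Folders that normally sit directly under C:\ (assumption). A file under any other
# root-level folder is treated as the "randomly named folder" the article describes.
EXPECTED_ROOT_DIRS = {
    "windows", "program files", "program files (x86)", "programdata", "users", "perflogs",
}

# Registry locations whose writes are persistence-relevant (Run keys and service definitions).
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\services\\")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUNDLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', re.IGNORECASE)

# Constructed endpoint events (not from the page). Paths are placeholders.
SAMPLE_EVENTS = r"""
type=process image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\abcdwxyz\core.dll,Start" parent=C:\Users\bob\AppData\Local\Temp\loader.exe
type=process image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL" parent=C:\Windows\explorer.exe
type=registry key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value=Updater data=C:\abcdwxyz\core.dll
type=registry key=HKLM\SYSTEM\CurrentControlSet\Services\Svc\ImagePath value=ImagePath data="C:\Windows\System32\svchost.exe -k netsvcs"
"""


def parse_event(line):
    """Turn one key=value line (values optionally double-quoted) into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def suspicious_path(path):
    """Return a reason if the path matches the staging locations the article describes,
    otherwise None."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 2:
        return None
    lowered = [p.lower() for p in parts]
    if lowered[0] == "c:\\" and lowered[1] not in EXPECTED_ROOT_DIRS:
        return f"file under non-standard root folder {parts[1]!r}"
    if "temp" in lowered[1:-1]:
        return "file staged in a Temp directory"
    return None


def analyse(events):
    """Flag rundll32 launches with suspicious DLL or parent paths, and persistence
    registry writes that point at suspicious paths."""
    findings = []
    for line in events.strip().splitlines():
        ev = parse_event(line)
        if ev.get("type") == "process" and "rundll32" in ev.get("image", "").lower():
            match = RUNDLL_ARG_RE.search(ev.get("cmdline", ""))
            dll = match.group(1) if match else ""
            for label, path in (("dll", dll), ("parent", ev.get("parent", ""))):
                reason = suspicious_path(path)
                if reason:
                    findings.append(f"rundll32 {label}: {reason} ({path})")
        elif ev.get("type") == "registry":
            if any(k in ev.get("key", "").lower() for k in PERSISTENCE_KEYS):
                reason = suspicious_path(ev.get("data", ""))
                if reason:
                    findings.append(f"persistence write {ev['key']}: {reason} ({ev['data']})")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Checking the parent process as well as the DLL argument matters here: the article's loader runs from the temporary directory, so a rundll32.exe whose parent lives under a Temp folder is itself a signal even before the DLL path is inspected. Legitimate installers do sometimes run from Temp, so in production the rule would be tuned with signer or hash allow-lists rather than applied raw.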



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
