Unit 42 Uncovers Two Massive Global Malware Campaigns Delivering Gh0st RAT Through Large-Scale Software Impersonation

Researchers at Palo Alto Networks Unit 42 have uncovered two expansive and interconnected malware campaigns active throughout 2025, both designed to mass-distribute Gh0st RAT variants to Chinese-speaking users. The campaigns demonstrate a rapid evolution of attacker tradecraft—from simple droppers to elaborate, multi-stage infection chains leveraging signed software, cloud infrastructure, and DLL sideloading for stealth and persistence.

These campaigns—named Campaign Trio and Campaign Chorus—collectively impersonated dozens of Chinese and international software brands across more than 2,500 malicious domains, forming one of the largest coordinated impersonation operations documented this year.

Unit 42 highlights a growing trend:

“Malware campaigns specifically tailored to target Chinese-speaking users globally have emerged as a notable trend in the threat landscape.”

The attackers show deep awareness of the digital habits and needs of this demographic, selecting lures that maximize credibility and click-through rates. These include:

• Chinese-language dictionary and translation tools
• Browsers and utilities widely used in mainland China
• VPNs and encrypted messaging apps used to bypass internet restrictions
• Popular AI tools and emerging technology brands

The report notes that the lure selection is not random, but “carefully selected… to appeal to this specific audience.”

Active between February and March 2025, Campaign Trio relied on massive domain registration bursts that mimicked legitimate download portals.

Unit 42 states:

“Between February and March 2025, attackers registered over 2,000 domains…”

The impersonation volume was staggering:

• 1,400+ domains mimicked i4tools
• 600+ domains impersonated Youdao Dictionary
• Multiple domains spoofed DeepSeek, capitalizing on AI hype

All these thousands of domains were funneled through just three IP addresses, reflecting what Unit 42 calls an “aggressive approach to infrastructure deployment.”

These malicious websites served trojanized installers that appeared legitimate but executed hidden payloads during installation.

Campaign Trio used Microsoft Installer (MSI) packages to embed malicious actions within legitimate installation workflows.

According to Unit 42, MSI files executed “a second-stage malware, a 1.7 MB executable named [System Process]5.exe.”

This second-stage executable:

• Downloaded an obfuscated binary
• Deobfuscated it
• Launched the final payload — Gh0st RAT

Gh0st RAT granted attackers full control:

• Keystroke logging
• Screenshot capture
• Remote shell
• Ability to download additional malware

Unit 42 notes:

“The deobfuscated binary is the final payload… identified as Gh0st RAT.”

Persistence was achieved through scheduled tasks and Windows Defender exclusions added via PowerShell.

Beginning in May 2025, Campaign Chorus expanded dramatically—impersonating over 40 different software brands and adopting a far more complex, multi-stage infection chain.

Unit 42 describes this phase as:

“A more sophisticated campaign… impersonating over 40 applications.”

These impersonations included:

• Enterprise communication apps
• Gaming platforms
• Chinese-secure messaging tools
• Popular Chinese music and browser apps

Campaign Chorus operated in two structured waves, each with its own domain naming conventions and redirection servers—suggesting a controlled, methodical operation.

The infection chain in Campaign Chorus introduced several new evasion layers.

1. VBScript Dropper Inside MSI

The MSI file contained a VBScript that:

• Assembled next-stage malware from multiple embedded data fragments
• Decrypted the assembled payload
• Executed it

Unit 42 explains:

“The VBScript file acts as a file assembler and decryptor for the next-stage malware.”

2. DLL Sideloading for Stealth Execution

The final payload used DLL sideloading by abusing a legitimate Avast-signed executable wsc_proxy.exe, which loaded a malicious DLL named wsc.dll.

This method allows attackers to:

• Run code under a trusted process
• Bypass allow-listing
• Evade EDR tooling

Unlike Campaign Trio, the second campaign used public cloud storage buckets for payload delivery.

Unit 42 highlights the shift:

“Malicious landing pages used intermediary redirection domains to fetch malicious ZIP archives from public cloud service buckets.”

This approach offers several advantages for attackers:

• Cloud traffic looks legitimate
• Harder for defenders to block
• Infrastructure becomes more resilient
• Payload hosting is outsourced to trusted providers

This marks a growing trend of threat actors weaponizing cloud ecosystems for malware distribution.

Unit 42’s findings reveal one of the largest Chinese-user-targeted malware ecosystems seen in 2025—combining mass domain generation, sophisticated imposter websites, and advanced multi-stage loaders delivering Gh0st RAT.

Related Posts:

• Trio of SQL Injection Flaws Strike Amazon Redshift Drivers: Patch Immediately
• Gh0st in the Machine: ASEC Uncovers Cryptomining Campaign Exploiting Korean Internet Cafés
• Advanced Cyber Espionage: SugarGh0st RAT Attacks Uzbek and South Korean Entities
• Divulge, Dedsec, and Duck: The Rise of Advanced Stealer Malware
• Spies in Your Skype: GodRAT Malware Uses Steganography to Target Financial Firms