
S0032 gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[1][4][3]

| Item | Value |
|---|---|
| ID | S0032 |
| Associated Names | Mydoor, Moudoor |
| Version | 3.0 |
| Created | 31 May 2017 |
| Last Modified | 15 April 2022 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Mydoor | [2] |
| Moudoor | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | gh0st RAT has added a Registry Run key to establish persistence.[3][5] |
| enterprise | T1059 | Command and Scripting Interpreter | gh0st RAT is able to open a remote shell to execute commands.[1][3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | gh0st RAT can create a new service to establish persistence.[3][5] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | gh0st RAT has used Zlib to compress C2 communications data before encrypting it.[5] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.[5] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.001 | Fast Flux DNS | gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.[5] |
| enterprise | T1573 | Encrypted Channel | gh0st RAT has encrypted TCP communications to evade detection.[5] |
| enterprise | T1573.001 | Symmetric Cryptography | gh0st RAT uses RC4 and XOR to encrypt C2 traffic.[3] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | A gh0st RAT variant has used DLL side-loading.[4] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.001 | Clear Windows Event Logs | gh0st RAT is able to wipe event logs.[1][5] |
| enterprise | T1070.004 | File Deletion | gh0st RAT has the capability to delete files.[1][5] |
| enterprise | T1105 | Ingress Tool Transfer | gh0st RAT can download files to the victim’s machine.[3][5] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | gh0st RAT has a keylogger.[6][5] |
| enterprise | T1112 | Modify Registry | gh0st RAT has altered the InstallTime subkey.[5] |
| enterprise | T1106 | Native API | gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.[5] |
| enterprise | T1095 | Non-Application Layer Protocol | gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.[5] |
| enterprise | T1057 | Process Discovery | gh0st RAT has the capability to list processes.[1] |
| enterprise | T1055 | Process Injection | gh0st RAT can inject malicious code into a process created by the “Command_Create&Inject” function.[5] |
| enterprise | T1012 | Query Registry | gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[5] |
| enterprise | T1113 | Screen Capture | gh0st RAT can capture the victim’s screen remotely.[3] |
| enterprise | T1129 | Shared Modules | gh0st RAT can load DLLs into memory.[5] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | A gh0st RAT variant has used rundll32 for execution.[4] |
| enterprise | T1082 | System Information Discovery | gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.[5] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | gh0st RAT can execute its service if the Service key exists. If the key does not exist, gh0st RAT will create and run the service.[5] |

Groups That Use This Software

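| ID | Name | References |
|---|---|---|
| G0001 | Axiom | [7][2] |
| G0026 | APT18 | [8] |
| G0011 | PittyTiger | [9][10] |
| G0138 | Andariel | [11] |
| G0096 | APT41 | [12] |
| G0126 | Higaisa | [13] |
| G0027 | Threat Group-3390 | [14] |
| G0062 | TA459 | TA459 has used a Gh0st variant known as PCrat/Gh0st.[15] |
| G0065 | Leviathan | [16] |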


  1. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016. 

  2. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  3. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  4. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018. 

  5. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. 

  6. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014. 

  7. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.

  8. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017. 

  9. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. 

  10. Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015. 

  11. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021. 

  12. Fraser, N., et al. (2019, August 7). Double Dragon APT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.

  13. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  14. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019. 

  15. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  16. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
