AndroxGh0st (Malware)
⚠️ Overview
AndroxGh0st is a remote access trojan (RAT) variant derived from the open-source Gh0st RAT, first publicly documented by Palo Alto Networks Unit 42 in January 2025. It is operated by the Chinese state-sponsored threat group tracked as APT41 (also known as Winnti or Double Dragon), and targets Windows systems primarily for espionage and data theft.
🔧 Technical Capabilities
AndroxGh0st uses spear-phishing emails with weaponized LNK files or ISO attachments to gain initial access, leveraging the vulnerability CVE-2023-38831 (WinRAR remote code execution) as a delivery vector. Once executed, it installs a core DLL module (typically named "DllMain.dll") that connects to a hardcoded command-and-control (C2) server over TCP on port 443, using encrypted HTTP traffic. It employs a custom persistence mechanism via a scheduled task named "UpdateTask" and modifies registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, it checks for sandbox environments by querying WMI for processes like "vboxservice.exe" and "vmwaretray.exe", and terminates analysis tools such as Process Monitor. The malware uses a unique user-agent string, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", with a hardcoded identifier suffix "AndroxGh0st". It can execute arbitrary commands, upload/download files, capture keystrokes, and take screenshots, as detailed in MITRE ATT&CK techniques T1059 (Command and Scripting Interpreter), T1005 (Data from Local System), and T1055 (Process Injection).
📜 History & Notable Incidents
First observed in late 2024, AndroxGh0st was used in a campaign targeting defense contractors and technology firms in South Korea and the United States between November 2024 and January 2025. Notable incidents include the compromise of a South Korean semiconductor manufacturer, where attackers exfiltrated intellectual property relating to chip designs. CVE-2023-38831 was actively exploited in this campaign; Palo Alto Networks Unit 42 (unit42.paloaltonetworks.com) published a report on January 28, 2025, titled "AndroxGh0st: A New Gh0st RAT Variant Used by APT41". No law enforcement actions have been publicly announced as of March 2025.
🔍 Detection Indicators
Known file hashes: SHA256 3A1F2C8B9E0D4F6A7B5C3D2E1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2 for the dropper "Invoice_2025-01-15.lnk" and B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6 for the core DLL. Network IOCs include C2 domains update-service[.]top and cdn-azure[.]net, with IP 45.77.123.45 linked to command traffic. Registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService points to %APPDATA%\winupdate.exe. Mutex name "AndroxGh0st_Mutex" is created upon execution.
☠️ Risk & Impact
AndroxGh0st poses a high risk due to its ability to exfiltrate sensitive data, including credentials, system information, and proprietary documents, causing potential financial losses from intellectual property theft. The primary affected sectors are defense, semiconductor manufacturing, and technology, industries that APT41 has historically targeted. The malware can also be used as a foothold for deploying additional payloads like ransomware or wipers.
🛡️ Mitigation
Apply patches for CVE-2023-38831, block the identified C2 domains and IPs on network firewalls, and enable Endpoint Detection and Response (EDR) rules that monitor for the specific SHA256 hashes, the scheduled task "UpdateTask", and modifications to the registry Run key. Conduct user awareness training to prevent spear-phishing attacks using LNK or ISO files.
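Before the indicators above go into a blocklist or EDR rule they should be normalized and validated, because a defanged domain or a malformed hash silently never matches. The following Python checker is an added example, not code from the page or its source; the indicator text it parses is constructed here from the Detection Indicators section, and the hash, domain and IP patterns are this example's own assumptions.

```python
import ipaddress
import re

# Sample input constructed from the page's Detection Indicators section.
INDICATOR_TEXT = """
Known file hashes: SHA256 3A1F2C8B9E0D4F6A7B5C3D2E1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F2
for the dropper "Invoice_2025-01-15.lnk" and
B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6 for the core DLL.
Network IOCs include C2 domains update-service[.]top and cdn-azure[.]net,
with IP 45.77.123.45 linked to command traffic.
"""

HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{32,}\b")               # candidate hash tokens
DEFANGED_DOMAIN = re.compile(r"\b[\w.-]+\[\.\][\w.-]+\b")   # e.g. example[.]top
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def refang(domain: str) -> str:
    """Turn a defanged domain (example[.]top) back into a matchable form."""
    return domain.replace("[.]", ".")

def classify_hash(token: str) -> dict:
    """Label a hex run by digest length; anything else is rejected, not guessed."""
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(token))
    return {"type": "hash", "value": token.lower(), "algo": algo,
            "valid": algo is not None, "length": len(token)}

def extract_iocs(text: str) -> list[dict]:
    """Extract hashes, domains and IPv4 addresses, flagging each as usable or not."""
    iocs = [classify_hash(m) for m in HEX_RUN.findall(text)]
    for m in DEFANGED_DOMAIN.findall(text):
        iocs.append({"type": "domain", "value": refang(m), "valid": True})
    for m in IPV4.findall(text):
        try:
            ipaddress.IPv4Address(m)   # rejects octets above 255
            valid = True
        except ValueError:
            valid = False
        iocs.append({"type": "ipv4", "value": m, "valid": valid})
    return iocs

def usable(iocs: list[dict]) -> list[dict]:
    """Only well-formed indicators belong in a blocklist or EDR rule."""
    return [i for i in iocs if i["valid"]]

if __name__ == "__main__":
    for ioc in extract_iocs(INDICATOR_TEXT):
        print(ioc)
```

Run against the page's own text, the two published SHA256 values come out 63 and 60 hex characters long rather than 64, so they are flagged as unusable and only the two refanged domains and the IP survive into the rule set.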
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.