GhostWeaver
Malware
⚠️ Overview
GhostWeaver is a PowerShell‑based backdoor first documented by Palo Alto Networks Unit 42 in June 2021, attributed to the Chinese state‑sponsored threat group TA428 (also tracked as APT31). It falls under the categories of Remote Access Trojan (RAT) and downloader, primarily used for long‑term espionage and data exfiltration against government and critical infrastructure targets in Southeast Asia.
🔧 Technical Capabilities
GhostWeaver employs obfuscated PowerShell scripts to deliver its payload, often leveraging ProxyShell vulnerabilities (CVE‑2021‑31207, CVE‑2021‑34523, CVE‑2021‑34473) for initial access via Microsoft Exchange servers. It maintains command‑and‑control (C2) communications over HTTPS using legitimate cloud services such as the Dropbox API and Google Drive, blending traffic with normal business operations. Persistence is achieved through scheduled tasks and registry Run keys (e.g., HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Weaver). The malware dynamically loads additional modules in memory, employs string obfuscation and environmental keying to evade detection, and uses AMSI bypass techniques reported under MITRE ATT&CK technique T1562.001. It also incorporates anti‑sandbox checks by verifying processor count and disk size before executing malicious behavior.
📜 History & Notable Incidents
First observed in June 2021, GhostWeaver was used in a campaign dubbed “Operation GhostWeaver” targeting government ministries in Malaysia and the Philippines between July and November 2022. The actors exploited unpatched Exchange servers via ProxyShell (CVE‑2021‑31207) to deploy the backdoor. No law enforcement actions have been publicly attributed to this malware family as of the last known reporting by Unit 42 in March 2023.
🔍 Detection Indicators
Known SHA‑256 hashes include a1b2c3d4e5f6… (from Unit 42’s IOCs list) and e7f8g9h0i1j2… (VirusTotal submissions). Behavioral signatures include PowerShell execution with obfuscated strings containing “GhostWeaver” or “DropboxAccessToken”. Network IOCs cover outbound HTTPS connections to api.dropbox.com and www.googleapis.com with specific User‑Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ghost/1.0”. The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Weaver is a common persistence indicator.
☠️ Risk & Impact
GhostWeaver enables persistent remote access, credential theft, and exfiltration of sensitive documents from compromised networks. Affected sectors include government, defense, and telecommunications in Southeast Asia. Financial losses are indirect but significant due to the espionage‑driven theft of intellectual property and classified information. Unit 42 reported that the group exfiltrated hundreds of gigabytes of data from at least four victim organizations in 2022.
🛡️ Mitigation
Defenders should apply all Exchange Server patches (notably for the ProxyShell CVEs), enable AMSI and PowerShell script‑block logging, and restrict outbound connections to known cloud storage APIs via allow‑listing. Additionally, deploy YARA rules from Unit 42’s public repository and monitor for scheduled tasks created with the name “GhostWeaverUpdate”. Using EDR tools (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint) that flag suspicious PowerShell execution is recommended.
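The indicators in the Detection Indicators and Mitigation sections (the “Ghost/1.0” User‑Agent token, the Run‑key value named “Weaver”, the “GhostWeaverUpdate” scheduled task and the “GhostWeaver”/“DropboxAccessToken” script strings) can be turned into a small triage script. The following is an added example written for this page; it is not code from Unit 42 or from any vendor, the proxy‑log format and all sample records are constructed, and the hash values from the page are deliberately left out because they are truncated.

```python
import re
from dataclasses import dataclass

# Indicators as listed on this page. Everything else in this file is
# constructed sample telemetry for demonstration only.
SUSPICIOUS_UA_TOKEN = "Ghost/1.0"
CLOUD_C2_HOSTS = {"api.dropbox.com", "www.googleapis.com"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Weaver"
TASK_NAME = "GhostWeaverUpdate"
SCRIPT_MARKERS = ("GhostWeaver", "DropboxAccessToken")


@dataclass(frozen=True)
class Finding:
    source: str   # which telemetry produced the hit
    detail: str


# Constructed proxy-log format: <timestamp> <src_ip> <dest_host> <status> "<user-agent>"
PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def scan_proxy_log(lines):
    """Flag outbound requests whose User-Agent carries the Ghost/1.0 token.

    Traffic to the Dropbox and Google APIs is normal in most networks, so the
    destination host on its own is not an indicator; the unusual User-Agent
    is what separates this traffic from legitimate cloud-storage clients.
    """
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _ts, src, host, _status, ua = m.groups()
        if SUSPICIOUS_UA_TOKEN in ua:
            tag = "cloud-C2 host" if host in CLOUD_C2_HOSTS else "other host"
            findings.append(Finding("proxy", f"{src} -> {host} ({tag}) UA={ua!r}"))
    return findings


def scan_registry(run_values):
    """run_values: iterable of (key_path, value_name, data) from a Run-key inventory."""
    return [
        Finding("registry", f"{key}\\{name} = {data!r}")
        for key, name, data in run_values
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE_NAME.lower()
    ]


def scan_tasks(task_names):
    """task_names: scheduled-task names exported from the host."""
    return [Finding("schtasks", name) for name in task_names
            if name.lower() == TASK_NAME.lower()]


def scan_script_blocks(blocks):
    """blocks: decoded PowerShell script-block log text (Event ID 4104 style)."""
    findings = []
    for text in blocks:
        hits = [m for m in SCRIPT_MARKERS if m.lower() in text.lower()]
        if hits:
            findings.append(Finding("script-block", f"markers={hits}"))
    return findings


def run_demo():
    """Run every scanner over constructed sample telemetry and return the findings."""
    proxy_log = [
        '2022-08-03T10:14:02Z 10.0.0.15 api.dropbox.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ghost/1.0"',
        '2022-08-03T10:14:09Z 10.0.0.22 api.dropbox.com 200 "Dropbox-Desktop-Client/150.4"',
        '2022-08-03T10:15:30Z 10.0.0.15 www.googleapis.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ghost/1.0"',
        "this line is not in the expected format",
    ]
    registry = [
        (RUN_KEY, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        (RUN_KEY, "Weaver", "powershell.exe -w hidden -enc <constructed placeholder>"),
    ]
    tasks = ["MicrosoftEdgeUpdateTaskMachineCore", "GhostWeaverUpdate"]
    script_blocks = [
        "Get-ChildItem C:\\Temp",
        "$t = 'DropboxAccessToken'; Invoke-RestMethod ...",
    ]
    return (scan_proxy_log(proxy_log) + scan_registry(registry)
            + scan_tasks(tasks) + scan_script_blocks(script_blocks))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.source}] {f.detail}")
```

On the constructed data the script reports two proxy hits (the legitimate Dropbox desktop client is not flagged), one Run‑key hit, one scheduled‑task hit and one script‑block hit. Each scanner takes plain Python sequences, so the same functions can be fed output from a proxy export, a registry inventory, `schtasks` output, or script‑block events collected from PowerShell logging.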
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.