SilentGh0st
⚠️ Overview
SilentGh0st is a remote access trojan (RAT) first documented by Fortinet's FortiGuard Labs in November 2023. It is attributed to a Chinese-speaking threat group suspected of operating Gh0st RAT variants. It targets Windows systems to maintain persistent remote control and to steal data.
🔧 Technical Capabilities
SilentGh0st is delivered by phishing emails carrying weaponized Microsoft Office documents or ISO files; macro scripts in the document drop the payload. It connects to command-and-control (C2) servers over HTTP, HTTPS, or a custom TCP protocol, with the traffic base64-encoded (an encoding rather than encryption, so a network sensor that decodes the stream can still inspect it). Persistence is achieved through a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and through scheduled tasks. Evasion techniques include process hollowing, API unhooking, and disabling Windows Defender via registry modifications. Once running, it collects system information, keystrokes, clipboard contents, and credentials from browsers and email clients.
📜 History & Notable Incidents
First observed in the wild in October 2023, the month before Fortinet's write-up, SilentGh0st was used in campaigns against government and defense organizations in Southeast Asia and Eastern Europe. No specific CVEs are exploited; instead it abuses legitimate built-in tools such as PowerShell and WMI. In April 2024, Trend Micro reported an uptick in SilentGh0st samples using DLL side-loading with signed binaries to bypass antivirus.
🔍 Detection Indicators
The file hash published as SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (attributed to Fortinet's blog) is 63 hexadecimal characters long; a SHA-256 digest is exactly 64, so the value as reproduced here is truncated or corrupted and must be checked against the original source before it is loaded into any blocklist. Behavioral indicators are a scheduled task named WindowsUpdateTask and a Run value named MSOfficeUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network indicators are C2 domains hosted on dynamic-DNS providers (*.duckdns.org, *.no-ip.org) and a User-Agent string mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. That User-Agent prefix is shared by every Chromium-based browser on Windows, so treat it as a supporting indicator only; the dynamic-DNS lookups and the persistence artifacts are far higher fidelity.
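The following script is an added example, not code from Fortinet, Trend Micro or Boteraser. It hunts for the persistence and network indicators above in Sysmon-style events and shows why the published hash cannot be used as-is. The event records are constructed for the example; their field names follow Sysmon's Event ID 13 (registry value set), Event ID 1 (process create) and Event ID 22 (DNS query) schemas. One practical detail it handles: Sysmon logs the current user's hive as HKU\<SID>\..., so a naive match against the HKCU\... path from a write-up finds nothing.

```python
"""Hunt for the SilentGh0st indicators on this page in Sysmon-style events.

Added example; not code from Fortinet, Trend Micro or Boteraser. SAMPLE_EVENTS
is constructed for illustration, not captured from a real host.
"""
import re

# Indicators as published on this page. The hash is copied verbatim so the
# length check can flag it; it is not claimed here to be a real sample hash.
PUBLISHED_SHA256 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MSOfficeUpdate"
TASK_NAME = "WindowsUpdateTask"
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org")

# Sysmon writes per-user hives as HKU\<SID>\..., never as HKCU\...
SID_HIVE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
# schtasks accepts /tn with a bare or a double-quoted task name.
TASK_ARG = re.compile(r'/tn\s+"?([^\s"]+)"?', re.IGNORECASE)


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is unusable as an IOC."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def normalise_hive(path: str) -> str:
    """Map Sysmon's HKU\\<SID>\\... form to the HKCU\\... form used in write-ups."""
    return SID_HIVE.sub(lambda _: "HKCU\\", path)


def hunt(events):
    """Return (rule, detail) pairs for every event that matches a page indicator."""
    run_target = f"{RUN_KEY}\\{RUN_VALUE_NAME}".lower()
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:  # RegistryEvent: value set
            path = normalise_hive(ev["TargetObject"])
            if path.lower() == run_target:
                findings.append(("run_key_persistence", f"{path} -> {ev['Details']}"))
        elif eid == 1:  # ProcessCreate
            cmd = ev.get("CommandLine", "")
            if ev["Image"].lower().endswith("\\schtasks.exe") and "/create" in cmd.lower():
                m = TASK_ARG.search(cmd)
                if m and m.group(1).lower() == TASK_NAME.lower():
                    findings.append(("scheduled_task_persistence", cmd))
        elif eid == 22:  # DNSEvent
            if ev["QueryName"].lower().endswith(DYNDNS_SUFFIXES):
                findings.append(("dyndns_c2_candidate", ev["QueryName"]))
    return findings


# Constructed sample events: three true positives and three benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\MSOfficeUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\msoffice\update.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "WindowsUpdateTask" /tr C:\Users\alice\AppData\Roaming\msoffice\update.exe /sc minute /mo 5'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn \Microsoft\Windows\WindowsUpdate\Scheduled Start"},
    {"EventID": 22, "QueryName": "svc-update.duckdns.org"},
    {"EventID": 22, "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    print("published hash usable as SHA-256:", is_valid_sha256(PUBLISHED_SHA256))
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The User-Agent indicator is deliberately left out of the rules: matching that prefix would fire on every Chromium-based browser on the estate. To run this against real data, feed `hunt()` the parsed Sysmon events from your SIEM export in place of SAMPLE_EVENTS.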
☠️ Risk & Impact
SilentGh0st gives its operator full remote control of the host, enabling exfiltration of sensitive documents, credentials, and financial information. Targeted organizations, particularly in the manufacturing and logistics sectors, have suffered operational disruption. Per-incident losses have been estimated in the hundreds of thousands, driven mainly by follow-on ransomware deployment or lateral movement from the initial foothold.
🛡️ Mitigation
Filter email to block weaponized Office attachments and ISO files, the delivery vectors described above; enable attack surface reduction rules that stop Office macros from launching child processes or creating executable content; and deploy an EDR with behavioral rules for process injection and for the persistence techniques above (Run-value writes and scheduled task creation). Keep Windows Defender definitions current, alert on registry changes that disable Defender, and audit scheduled tasks and Run entries regularly for unauthorized additions.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.