Double-Edged Malware: Gh0st RAT and CloverPlus Launch Coordinated Assault on Windows Users
A stealthy campaign combines a notorious remote access trojan with adware, granting attackers both covert control and quick cash.
It starts with a click - a seemingly harmless file that quietly cracks open the door to a nightmare. Within minutes, the victim’s machine becomes both a cash cow and a covert outpost for cybercriminals. The latest campaign analyzed by security researchers reveals a chilling trend: the fusion of long-term espionage tools with instant-profit adware, delivering a one-two punch that’s catching even seasoned defenders off guard.
Malware in Tandem: How the Attack Unfolds
The attack begins with a loader that conceals two encrypted payloads deep within its resource section. The first: AdWare.Win32.CloverPlus, a classic adware that hijacks browsers, alters startup behavior, and unleashes a barrage of pop-up ads - generating fraudulent clicks and revenue for the attackers.
But the real threat lies in the second payload: a variant of Gh0st RAT. Once the loader verifies it’s running from the system’s temporary directory (to evade basic detection), it decrypts and deploys the RAT, using the legitimate Windows rundll32.exe process to blend in with normal activity.
Gh0st RAT: Stealth, Espionage, and Sabotage
Gh0st RAT is notorious for its stealth and versatility. This variant manipulates access tokens for elevated privileges, allowing it to snoop on other processes and steal sensitive data. It maps out the user’s environment, discovers network settings, and even hijacks DNS processes to block antivirus updates - effectively blinding defenders.
To avoid virtual machine sandboxes and trick analysts, the malware checks for VMware artifacts and, if detected, fetches its command-and-control address from a hidden blog post, using legitimate web traffic as cover. A clever “ping sleep” technique delays execution, slipping past sandbox timeouts designed to catch short-lived malicious activity.
Persistence and Credential Theft
Gh0st RAT ensures it survives reboots by embedding itself in Windows startup keys and services, even masquerading as a legitimate Remote Access service. It profiles the system, collecting hardware details for tracking, and monitors Remote Desktop sessions - capturing keystrokes and login credentials for further exploitation and lateral movement across networks.
Defending Against a Dual Threat
Security teams are urged to monitor for unusual rundll32.exe activity, batch commands using ping for sleep, and suspicious registry changes. By correlating these signals, defenders can spot both the adware’s monetization attempts and the RAT’s silent foothold. Continuous behavioral analytics and endpoint monitoring are now essential to disrupt such sophisticated, layered attacks before they entrench themselves.
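As an added illustration (not code from the article or from the researchers it cites), the three signals named above can be expressed as simple rules over process-creation telemetry and then correlated. The events below are constructed samples in Sysmon-like fields; paths, user names and the host's other details are assumptions:

```python
import re
# Constructed sample process-creation events in Sysmon-like fields; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 60 127.0.0.1 >nul & C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\svc.dll,Start"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\bob\AppData\Local\Temp\svc.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: system DLL
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 1 fileserver.corp.example"},  # benign: real connectivity check
]
# "ping sleep": a large -n count against loopback is a delay loop, not diagnostics.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost|::1)\b", re.I)
# DLL paths under user-writable directories (Temp, AppData) handed to rundll32.
USER_WRITABLE = re.compile(r"\\(?:temp|appdata)\\", re.I)
# Autostart locations the RAT abuses for persistence: Run keys and service entries.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b|\\Services\\", re.I)
REG_ADD = re.compile(r"^\s*reg(?:\.exe)?\s+add\b", re.I)

def is_ping_sleep(cmdline, min_count=5):
    m = PING_SLEEP.search(cmdline)
    return m is not None and int(m.group(1)) >= min_count

def is_rundll32_from_user_dir(image, cmdline):
    return image.lower().endswith("\\rundll32.exe") and USER_WRITABLE.search(cmdline) is not None

def is_autostart_registry_write(cmdline):
    return REG_ADD.match(cmdline) is not None and AUTOSTART_KEY.search(cmdline) is not None

def classify(events):
    """Per event, the names of the signals it triggers (empty list = nothing notable)."""
    result = []
    for ev in events:
        tags = []
        if is_ping_sleep(ev["cmdline"]):
            tags.append("ping_sleep")
        if is_rundll32_from_user_dir(ev["image"], ev["cmdline"]):
            tags.append("rundll32_user_dir")
        if is_autostart_registry_write(ev["cmdline"]):
            tags.append("autostart_registry_write")
        result.append(tags)
    return result

def distinct_signals(events):
    """Correlation: distinct signals seen on one host; two or more together warrant triage."""
    return {tag for tags in classify(events) for tag in tags}
```

The two benign events show why each rule needs its qualifier (loopback target with a large count, user-writable DLL path, autostart key): a bare match on `ping` or `rundll32.exe` would drown analysts in noise.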
Conclusion
This dual-pronged campaign is a stark reminder that today’s attackers aren’t just after quick profits or data - they want both, and they’re getting smarter about it. For defenders, vigilance and layered behavioral detection are the only real answers to malware that wears two faces at once. The line between nuisance and disaster has never been thinner.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Obfuscated Loader: An obfuscated loader is a program that conceals malware payloads, using techniques to evade detection and analysis during the initial infection stage.
- Living off the Land: Living off the Land means attackers use trusted system tools (LOLBins) for malicious actions, making their activities stealthy and hard to detect.
- Persistence Mechanism: A persistence mechanism is a method used by malware to stay active on a system, surviving reboots and removal attempts by users or security tools.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.