Trusted Design

Musical Chairs: Campaign Involving New Variant of Gh0st Malware

概要

The Gh0st malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet. Musical Chairs is a multi-year campaign which recently deployed of new variant Gh0st we’ve named “Piano Gh0st.” Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two. They use compromised e-mail accounts to distribute their malware widely and their targeting appears opportunistic rather than specific. The overall motivation of this campaign is unclear at this time. Gh0st is very versatile as it allows an adversary to take complete control over the infected system including installing additional malware.

Created: 2026-02-23

Indicators

• FileHash-SHA256 - 88feda3120381216bc96a09e4b6e43e89d5776b5ca3b2d820710be0678f19867 -
• FileHash-SHA256 - c256ca3514d23818cab28b61d1df52a513d1f2beda8c5e81c3336de762f9f3f4 -
• FileHash-SHA256 - 20236c7a6c0c29664976ab943118477583545ed8461b14933b2d49cee10dd051 -
• FileHash-SHA256 - 83e7aaf52e5f567349eee880b0626e61e97dc12b8db9966faf55a9921bac61da -
• FileHash-SHA256 - bba343d4043ea3d170f4027546fad7f991b7ebce9e923dc42e16d88b570ff167 -
• FileHash-SHA256 - 55090a930b6c37f9ff215793e950a4ffb67f516fd0a14409b027f995d27da082 -
• FileHash-SHA256 - 9b823f0d60e348707fbbc1da8b37b3c9cd5ea1f43277ba8069e302ff05fee531 -
• FileHash-SHA256 - 022ca8187bfb1f347a0e547417a8088a5cc0e38fd9aa51b464154fbcf4aa149c -
• FileHash-SHA256 - ed25e3d5c13f409242ded579c45f9c4bb4416c204e1ee16cf63f744cf2ccd62c -
• Mutex - Global\\dafewewrw -
• FileHash-SHA256 - b50544ad3341fbee60338f45bd4043450238a301e022c1010115a2003a970a23 -
• FileHash-SHA256 - f37dc918d8064671edcb28c12397c576d3b66b6da21e1670a1a9428f03fb8478 -
• FileHash-SHA256 - 76d97074410251347a9398a90e42e02866c30ba71303fe9cccf236ea229172a4 -
• FileHash-SHA256 - a0fdb977b712e669aae28723f1a4b90735a5af9e92937558c9da8f62614a1a17 -
• FileHash-SHA256 - e1290e92c5caff9631f4ebe53df27293b71df19b6b5435323332658ebaa9c6b6 -
• FileHash-SHA256 - e60c25ee1404433e3f78e50f5edea11f186211148ce8e5abb22c1f01b76d96f3 -
• FileHash-SHA256 - 3a8ddb7b456332301d02222df48070f62e1e39a48e74f39ca8633028599ae250 -
• FileHash-SHA256 - a34f37c19785b029bf690d53b89f910586660fb94abd8587bfe110c3db6856bc -
• FileHash-SHA256 - 85894b6181535efe15ec5ff7575cee8975aa86ec611d94fb7709b54e5ccfc9f2 -
• FileHash-SHA256 - 6adced734d5498bbcc9fc111ce43bd7fd8db098106eaa3cfc025de7ba6dc02a7 -
• FileHash-SHA256 - 89968a9c846aad54cd78d7bfe704f0ab71f75d54b982540f594afdaa9100f4fc -
• FileHash-SHA256 - 34dabb10ea595c773ae4f8c13b7d7fdb41927bc7052ef76204735bbffeda1c47 -
• FileHash-SHA256 - 8a2a5f155707109bc0a6f179f1a749b216504b373c765c8193a7dd958b17be7c -
• FileHash-SHA256 - a95933553fca054e08bd213b7f364b084ef19936a425d7260e08a8e7fdfd2ce6 -
• FileHash-SHA256 - 29726da0ebd8960cab09f91bb8fa37db27b1ca2a3897235c645d1896df10303b -
• FileHash-SHA256 - 7eeba4a511cdeb6b48ca3d09b751be047aa553ea5f6c416494200d1aee520fe4 -
• FileHash-SHA256 - f5c868d9ac4d18c9c88e181af9370769bf52928d04874d8c3142badf83f664e3 -
• FileHash-SHA256 - 96c301bfa09338740575c4758d558b12e338654b16fc4b9d2badb9610358bf63 -
• FileHash-SHA256 - 552ff44540e944b3263fc8c32c7dba927f6e7f3f4489bb13b8ecc52c3fd40bf1 -
• FileHash-SHA256 - d36d80c5b9da830fd027cd219d9dabcedd73f5d2da5009b2661c4f0438773c3e -
• FileHash-SHA256 - 20299a5fc850ec4cd1aceb7cf1987609c05fa08d59dd5ae79e15bc048c46685e -
• FileHash-SHA256 - fb8b4bc012d45ba78e721a6f73df77ac7838998109c388ced95c995a7e7303f8 -
• FileHash-SHA256 - 4babcaf4694fb8207ea3774f6c2339a28c0ce5913fb9ac396a8e50efa75e10cd -
• FileHash-SHA256 - e58085656708d9759856325afb6cd67ec0ff7a126e27907efa2e91ef9a0ff474 -
• FileHash-SHA256 - acc340d986e720441ec5112746d3f94b248b44fe5d4c1da0fb866a3013384ad2 -
• FileHash-SHA256 - 81c8ef33d1e6ebfaad55e20b1e715007aa310b6aa55903e427225648efbbb779 -
• email - 596552@qq.com -
• FileHash-SHA256 - 73ae929dde6826306046d8db744da6e5150f5c508298726b634d39c279192ad0 -
• FileHash-SHA256 - d467504e8b8608b4fae334c426e8ac02f762993064bf1db20bb6090b42648648 -
• FileHash-SHA256 - f31b23dee1e047e5b472bca54c06594c2cca5adcebd2290f35b60cb2ebb3ee26 -
• FileHash-SHA256 - a764f76276e41ec49b388e8c7c53b602edcc29ff3ac8f8ab4b52913eb91934e3 -
• FileHash-SHA256 - c76a817bcae00ec0ca86624b2e62458fec07a5682d92eb59568639fa0586bb1e -
• FileHash-SHA256 - 07cf20da1ef235ee98c25495bf9b845754f21ed105d5211001885fd2eea3210f -
• FileHash-SHA256 - 4306af9aa2b585dd07c4b114bc7e292f7f9ab06732ae7a9e7f4831b88127c85a -
• FileHash-SHA256 - e297929c583c6f84727c312b937c43550d71fe2bca4f4138d53441c7e269cfa4 -
• FileHash-SHA256 - c608bb6f3723aad1608963e661c8fb80ace93f02f7d52f61a1355e9512676d62 -
• FileHash-SHA256 - 8dac9fa1ea29a90893a77f4d49c1393fa99a967e8af6a507037789041911de95 -
• FileHash-SHA256 - 4b7133e45f368cc0b6728830bc9e1219ff318eb384caf5ecbb54e12e6e6c1925 -
• FileHash-SHA256 - f08f26a7026ba249d021ca21f097405a536771f38d94081731c0f7960177408b -
• FileHash-SHA256 - 61b77cada9c2a16daeb465e439cb3e38c857f1559455187469821893bf542666 -
• FileHash-SHA256 - 9c547a7c523e367948d2c645407d0919053ef48292173efe263f3ccfdcdc8e92 -
• FileHash-SHA256 - 50f08f0b23fe1123b298cb5158c1ad5a8244ce272ea463a1e4858d12719b337f -
• FileHash-SHA256 - ca63a159d58cb7b9bff57646b0e5bc9a61c51f4e08304d9d73c87c876f77b7f5 -
• FileHash-SHA256 - 7b8a3efef6c4847697331badcdb0b306ceaa013233ce1c7ee8de8ae933c2d89d -
• hostname - www.yourbroiler.com -
• domain - meitanjiaoyiwang.com -
• FileHash-SHA256 - 09f24435e47be74f90d032c78a84fa37f06ce9452a6d3a75c263ae012a7ae626 -
• FileHash-SHA256 - 1181e9bb8fbcf1ebad8b6a7f157b6cc71e9c996c3601baecc3a2f25ba27032ee -
• FileHash-SHA256 - 66b1260565e2243bba1436f43e986ff741bd391305114d7bef891273e03abd72 -
• FileHash-SHA256 - e737e2253f016ab65b521d4f4e7b2a06741fa2541c52f0994edfc1763a053910 -
• domain - yourbroiler.com -
• FileHash-SHA256 - a7afee2227ff3ee64695235c7eed214ee1d18c2b6e287616118b5f38fd6720dc -
• FileHash-SHA256 - e58eb692d3933dfda630f659d447d7c8026eaf32d35478bd7056515706eb1481 -
• FileHash-SHA256 - da297e8bf799032e0a52c4535997abf30202f33ce9d4162139129463c386efcc -
• FileHash-SHA256 - d3c8161f76d4187f32039b5557e22e5fb684c06aa3e145e813ee7a4e166cbf47 -
• FileHash-SHA256 - bdb89defb03055e962c6627e8baa0ffd83dda81a1b239bc48e751c2ea5aa2b29 -

類似Pulses

• A Look Into Fysbis: Sofacy’s Linux Backdoor (score: 0.62)
• New POS Malware Emerges - Punkey (score: 0.62)
• Operation DustySky (score: 0.62)
• Connecting the Dots: Syrian Malware Team Uses BlackWorm for Attacks (2014) (score: 0.61)
• APT group leveraging HT exploits to target a Financial Services (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る