{
  "type": "malware",
  "spec_version": "2.1",
  "id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24",
  "created": "2017-05-31T21:32:24.937Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "revoked": false,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/software/S0032",
      "external_id": "S0032"
    },
    {
      "source_name": "gh0st RAT",
      "description": "(Citation: FireEye Hacking Team)(Citation: Nccgroup Gh0st April 2018)"
    },
    {
      "source_name": "Mydoor",
      "description": "(Citation: Novetta-Axiom)"
    },
    {
      "source_name": "Moudoor",
      "description": "(Citation: Novetta-Axiom)"
    },
    {
      "source_name": "FireEye Hacking Team",
      "description": "FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.",
      "url": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
    },
    {
      "source_name": "Novetta-Axiom",
      "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.",
      "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
    },
    {
      "source_name": "Nccgroup Gh0st April 2018",
      "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.",
      "url": "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/"
    },
    {
      "source_name": "Arbor Musical Chairs Feb 2018",
      "description": "Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.",
      "url": "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2026-05-12T15:12:00.737Z",
  "name": "gh0st RAT",
  "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)",
  "is_family": true,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": [
    "Windows",
    "macOS"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_version": "3.3",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_aliases": [
    "gh0st RAT",
    "Mydoor",
    "Moudoor"
  ]
}