S0032: gh0st RAT
Analyst context for executives and security teams
gh0st RAT matters because it is a public-source remote access tool, not a single closed malware family tied to one actor. ATT&CK links it to many espionage-oriented groups and one campaign, which makes it a useful planning object for readiness: if an organization can detect and investigate RAT behaviors such as command execution, keylogging, screen capture, registry activity, process injection, tool transfer, and unusual command-and-control, it is better positioned for a broad class of intrusions on Windows and macOS endpoints.
Executive priority
Treat gh0st RAT as a coverage validation case for remote-access malware rather than as a narrow indicator-matching problem. Leaders should ask whether endpoint, network, and incident response teams can prove visibility into post-compromise remote control, credential collection, discovery, and cleanup behaviors. Because ATT&CK provides no official detection text for this object, audit and risk discussions should focus on evidence of telemetry coverage, triage playbooks, and control effectiveness across Windows and macOS rather than claims of guaranteed detection.
Technical view
For SOC and IR teams, validate coverage against the ATT&CK relationships: Query Registry and Modify Registry on Windows; Process Injection; Keylogging; Process Discovery; Command and Scripting Interpreter use; File Deletion; System Information Discovery; Non-Application Layer Protocol command-and-control; Ingress Tool Transfer; Native API use; and Screen Capture. The most defensible detection approach is behavior-led correlation: suspicious remote-control activity plus host discovery, credential/input capture, file transfer, registry changes, injected execution, or cleanup. Because the official malware object does not specify tactics or detection logic, local baselining is required to separate legitimate administration, accessibility tools, developer activity, and support tooling from malicious RAT behavior.
Likely telemetry
- Endpoint process creation and command-line execution on Windows and macOS
- Parent-child process relationships and process injection or abnormal cross-process access signals
- Windows Registry query and modification events
- File creation, transfer, deletion, and staging activity on endpoints
- Network connection metadata, including unusual outbound sessions and non-application-layer protocol use where observable
Detection direction
- Do not rely only on static signatures or known names; public source code and variants make behavior-based validation more durable.
- Build detections around combinations of RAT-relevant behaviors: remote command execution, discovery, registry activity, screen capture, keylogging signals, tool transfer, and suspicious outbound communications.
- Tune for false positives from legitimate remote administration, help desk tools, software deployment, accessibility software, automation frameworks, and administrator troubleshooting.
- For Windows, verify registry monitoring covers both query and modification activity in locations relevant to persistence, configuration, and defense evasion investigations.
- For macOS, confirm endpoint telemetry can capture command execution, process activity, screen capture indicators, file operations, and network behavior; do not assume Windows-centric content is sufficient.
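The behavior-led correlation the technical view and detection direction above call for, as an added example that is not part of the original page or of any MITRE content: endpoint events are mapped to RAT-relevant behavior families (injection, registry, discovery, input capture, tool transfer, cleanup, C2, remote execution), and a host is flagged only when several distinct families co-occur inside a short window, with events from baselined administration tooling suppressed. The event format, field names, the `APPROVED_PARENTS` allowlist and the sample events are constructed for illustration.

```python
"""Behavior-led correlation for RAT-style activity over endpoint events.

Added example, not MITRE or gh0st RAT code. The event format, field names
and the sample events are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Map each (constructed) event type to the ATT&CK behavior family it evidences.
BEHAVIOR_OF = {
    "process_injection": "injection",       # T1055
    "registry_query": "registry",           # T1012
    "registry_set": "registry",             # T1112
    "process_enum": "discovery",            # T1057
    "sysinfo_query": "discovery",           # T1082
    "keyboard_hook": "input_capture",       # T1056.001
    "screen_capture": "input_capture",      # T1113
    "file_download": "tool_transfer",       # T1105
    "file_delete": "cleanup",               # T1070.004
    "outbound_tcp_nonhttp": "c2",           # T1095 / T1573
    "shell_spawn": "remote_exec",           # T1059
}

# Parents baselined as approved remote-administration or deployment tooling.
# Assumed names; populate from your own inventory, not from this example.
APPROVED_PARENTS = {"helpdesk-agent.exe", "deploytool.exe"}

WINDOW = timedelta(minutes=10)
MIN_FAMILIES = 4  # alert when this many distinct families co-occur on one host

# Constructed sample telemetry: ts|host|parent_process|event_type
SAMPLE_EVENTS = """\
2024-05-01T09:00:00|ws-17|svchost.exe|registry_query
2024-05-01T09:00:05|ws-17|svchost.exe|sysinfo_query
2024-05-01T09:00:30|ws-17|svchost.exe|process_injection
2024-05-01T09:01:10|ws-17|svchost.exe|keyboard_hook
2024-05-01T09:02:00|ws-17|svchost.exe|outbound_tcp_nonhttp
2024-05-01T09:00:00|ws-22|helpdesk-agent.exe|screen_capture
2024-05-01T09:00:10|ws-22|helpdesk-agent.exe|shell_spawn
2024-05-01T09:00:20|ws-22|helpdesk-agent.exe|registry_set
2024-05-01T09:00:40|ws-22|helpdesk-agent.exe|file_download
2024-05-01T09:00:00|ws-31|explorer.exe|registry_query
2024-05-01T10:30:00|ws-31|explorer.exe|process_enum
2024-05-01T12:00:00|ws-31|explorer.exe|file_delete
2024-05-01T13:00:00|ws-31|explorer.exe|outbound_tcp_nonhttp
""".splitlines()


def parse_event(line):
    """Parse one constructed pipe-delimited line into a dict."""
    ts, host, parent, event_type = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "parent": parent.lower(),
        "event_type": event_type,
    }


def correlate(lines, window=WINDOW, min_families=MIN_FAMILIES):
    """Return {host: set_of_families} for every host on which at least
    `min_families` distinct behavior families occur inside one sliding
    window. Events whose parent is an approved tool are suppressed, which
    is the false-positive tuning the page recommends."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        family = BEHAVIOR_OF.get(ev["event_type"])
        if family is None or ev["parent"] in APPROVED_PARENTS:
            continue
        per_host[ev["host"]].append((ev["ts"], family))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            families = {f for _, f in events[start:end + 1]}
            if len(families) >= min_families:
                alerts[host] = alerts.get(host, set()) | families
    return alerts


if __name__ == "__main__":
    for host, families in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(families)}")
```

In the sample, ws-17 trips the rule (five families in two minutes), ws-22 shows the same mix but under an approved help-desk parent and is suppressed, and ws-31 spreads single behaviors across hours so no window ever reaches the threshold. The threshold, window and allowlist are exactly the values local baselining has to supply; the page gives no numbers, and none should be copied from here.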
Mitigation priorities
- Prioritize endpoint visibility and response capability on Windows and macOS systems that can expose process, file, registry, network, and user-session collection behaviors.
- Harden identity and privileged access practices so credential capture from a RAT does not automatically translate into broad environment compromise.
- Restrict and monitor administrative scripting, remote access tooling, and unauthorized file transfer paths while preserving business-approved administration workflows.
- Apply least privilege and application control concepts where feasible to reduce arbitrary tool execution and post-compromise utility use.
- Ensure egress monitoring and network controls can identify unusual command-and-control patterns, including traffic that may not traverse normal web proxy inspection.
Analyst notes and limits
ATT&CK describes gh0st RAT as a remote access tool with public source code used by multiple groups. Relationship context links it to Operation Dust Storm and numerous groups including Axiom, PittyTiger, APT18, Threat Group-3390, TA459, Leviathan, Kimsuky, APT41, Higaisa, Andariel, and APT5. These relationships support broad threat-intelligence relevance, but they should not be used for attribution without case-specific evidence.
The supplied ATT&CK object has no official detection guidance and no explicit tactics on the malware object itself; the associated names Moudoor and Mydoor appear only in the external reference entries, not in the primary fields. Platforms are limited by the object to Windows and macOS, even though related techniques may apply more broadly. Any assessment of exposure, active exploitation, detection coverage, or business impact requires local telemetry, asset criticality, and incident evidence.
gh0st RAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1129 | Shared Modules | gh0st RAT can load DLLs into memory. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1112 | Modify Registry | gh0st RAT has altered the InstallTime subkey. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1055 | Process Injection | gh0st RAT can inject malicious code into a process created by the "Command_Create&Inject" function. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | |
| Enterprise | T1059 | Command and Scripting Interpreter | |
| Enterprise | T1012 | Query Registry | gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1095 | Non-Application Layer Protocol | gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1106 | Native API | gh0st RAT has used the `InterlockedExchange`, `SeShutdownPrivilege`, and `ExitWindowsEx` Windows API functions. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1082 | System Information Discovery | gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1568.001 | Dynamic Resolution: Fast Flux DNS | gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1056.001 | Input Capture: Keylogging | gh0st RAT has a keylogger. (Citation: Alintanahin 2014) (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | gh0st RAT has used Zlib to compress C2 communications data before encrypting it. (Citation: Gh0stRAT ATT March 2019) |
| Enterprise | T1573 | Encrypted Channel | gh0st RAT has encrypted TCP communications to evade detection. (Citation: Gh0stRAT ATT March 2019) |
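The T1132.001, T1573 and T1095 rows above record that gh0st RAT zlib-compresses C2 data, encrypts it, and carries it in a custom protocol inside TCP. The consequence for network detection is that a zlib header never appears on the wire, so "zlib stream in a TCP payload" signatures only fire after decryption. The following added example (not gh0st RAT's own protocol code, and not from MITRE or the cited reports) simulates that pipeline and the analyst's decoding check. The framing (a 4-byte length prefix) and the single-byte XOR stand-in cipher are assumptions chosen so the example runs offline; they are not the real gh0st framing or cipher, which ATT&CK does not specify.

```python
"""Compression-then-encryption on a RAT C2 channel, plus a decoder check.

Added example, not gh0st RAT code. ATT&CK only records that gh0st RAT
zlib-compresses C2 data before encrypting it and carries it in a custom
TCP protocol. The 4-byte length prefix and the one-byte XOR cipher below
are stand-in assumptions for illustration, not the real protocol.
"""
import struct
import zlib


def encode_c2(plaintext: bytes, key: int) -> bytes:
    """Hypothetical framing: big-endian total length (including the 4-byte
    header), then the zlib-compressed body XORed with a one-byte key."""
    body = zlib.compress(plaintext)
    enc = bytes(b ^ key for b in body)
    return struct.pack(">I", 4 + len(enc)) + enc


def looks_like_zlib(buf: bytes) -> bool:
    """zlib header check: CMF 0x78 (deflate, 32 KiB window) and a CMF/FLG
    pair that is a multiple of 31, as RFC 1950 requires."""
    return len(buf) >= 2 and buf[0] == 0x78 and ((buf[0] << 8) | buf[1]) % 31 == 0


def decode_c2(frame: bytes):
    """Return (key, plaintext) if some one-byte key turns the body into a
    zlib stream that inflates cleanly, else None. Key 0 covers the case of
    unencrypted zlib on the wire; the length check rejects partial frames."""
    if len(frame) < 4:
        return None
    total = struct.unpack(">I", frame[:4])[0]
    if total != len(frame):
        return None
    enc = frame[4:]
    for key in range(256):
        body = bytes(b ^ key for b in enc)
        if not looks_like_zlib(body):
            continue
        try:
            return key, zlib.decompress(body)
        except zlib.error:
            continue
    return None


# Constructed sample: a discovery-style beacon, framed with an assumed key.
SAMPLE_PLAINTEXT = b"hostname=ws-17;os=Windows 10;arch=x64;cpu=2"
SAMPLE_KEY = 0x5A
SAMPLE_FRAME = encode_c2(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print("zlib header visible on the wire:", looks_like_zlib(SAMPLE_FRAME[4:]))
    print("decoded:", decode_c2(SAMPLE_FRAME))
```

The point the page makes survives the stand-in: `looks_like_zlib` is false against the framed bytes, so a network sensor keyed on compression headers sees nothing until the body is decrypted. A real variant needs the actual cipher and key recovered from a sample, as the Nccgroup decoding reference describes for one variant; the brute force here only works because the stand-in key space is 256 values.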
Groups, software, and campaigns
G0062: TA459
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0011: PittyTiger
PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[1][2]
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G0026: APT18
G0126: Higaisa
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]
G0138: Andariel
Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]
Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.3 | | Current bundle | d294bc20a210… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Hacking Team: FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
- [2] Arbor Musical Chairs Feb 2018: Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
- [3] Nccgroup Gh0st April 2018: Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
- [4] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- [5] Moudoor (associated name): (Citation: Novetta-Axiom)
- [6] Mydoor (associated name): (Citation: Novetta-Axiom)
- [7] gh0st RAT (associated name): (Citation: FireEye Hacking Team) (Citation: Nccgroup Gh0st April 2018)
- [8] mitre-attack S0032: source object record in the MITRE ATT&CK knowledge base.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.