Gh0st RAT and CloverPlus Adware - New Dual-Payload Malware

A new malware campaign is delivering both Gh0st RAT and CloverPlus adware simultaneously. This dual threat allows attackers to control systems and generate revenue. Security teams must enhance their defenses against this evolving threat.


Original Reporting

Cyber Security News · Tushar Subhra Dutta

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Basically, attackers are using one program to install two types of malware on victims' computers.

What Happened

A newly identified malware campaign has raised alarms in the cybersecurity community. Attackers are now using a single, obfuscated loader to deliver two different threats: the Gh0st Remote Access Trojan (RAT) and CloverPlus adware. This dual-payload strategy allows attackers to maintain long-term control over compromised systems while simultaneously generating revenue through ad fraud.

How It Works

The loader is designed to be stealthy, hiding two encrypted payloads within its resource section. The first payload released is the CloverPlus adware, which modifies browser settings and injects unwanted advertisements. Once this is executed, the loader checks its file path and drops a copy of itself in the system's %temp% folder. It then decrypts the Gh0st RAT client module, which is stored as an encrypted resource.

The Gh0st RAT is launched using the legitimate Windows application rundll32.exe, allowing it to execute under a trusted system process. This method reduces the likelihood of detection by standard security tools. Once active, Gh0st RAT collects system information and establishes a connection to the attacker's command-and-control infrastructure.

Who's Being Targeted

This malware campaign targets both individuals and organizations. The adware disrupts browser functionality, while the RAT can steal sensitive data, capture keystrokes, and provide persistent access to attackers. The combination of these threats makes it a significant risk for any compromised system.

Signs of Infection

Indicators of infection include:

  • 🔴 Unusual browser behavior, such as unexpected pop-ups.
  • 🟡 wiseman.exe in system processes.
  • 🟠 Modifications to registry keys related to system services.

How to Protect Yourself

This campaign highlights a shift towards more complex malware delivery strategies, emphasizing the need for robust security measures and constant vigilance. Security teams are urged to enhance their endpoint monitoring capabilities. Here are some recommended actions:

Detection

  1. Monitor for rundll32.exe loading non-standard file extensions from unusual directories.
  2. Flag any process execution originating from the %temp% folder.

Removal

  3. Set alerts for registry modifications to Run keys and RemoteAccess service paths.
  4. Keep detection rules updated to align with MITRE ATT&CK techniques relevant to this malware.

🔒 Pro Insight

The dual-payload approach signifies a strategic evolution in malware delivery, increasing both persistence and monetization opportunities for attackers.
