Market Impact: 0.35

Gh0st RAT spread through thousands of software impersonating sites

Tickers: PANW, AAPL, MSFT, GOOGL, GOOG, ESTC, DAO, TME
Topics: Cybersecurity & Data Privacy; Technology & Innovation

Palo Alto Networks Unit 42 says attackers used more than 2,000 impersonation domains in two related Gh0st RAT campaigns—“Campaign Trio” (Feb–Mar 2025) and “Campaign Chorus” (May 2025)—to push fake downloads of popular Chinese-language software (i4tools, Youdao, DeepSeek, QQ Music, Sogou and 40+ other apps), with automated domain registration at roughly 300 domains/week in the first wave and about 90 domains added in the second. The threat actors evolved from an MSI-based installer that pulled a second-stage executable from a single URL to hosting payloads in legitimate cloud buckets, VBScript-based droppers that merged and decrypted multi-file payloads, and DLL sideloading (a signed wsc_proxy.exe loading a malicious wsc.dll) to evade static analysis, and they have continued registering domains as recently as October 2025. Unit 42 urges behavior-based detection to counter these evasive techniques, and Elastic Security Labs separately links a Gh0st RAT campaign to the Dragon Breath APT, which abuses Protected Process Light and custom WDAC policies to disable Windows Defender and block popular Chinese EDRs, underscoring elevated operational sophistication and persistent risk to organizations and users with China exposure.

Analysis

Palo Alto Networks Unit 42 documents two related Gh0st RAT campaigns that used more than 2,000 impersonation domains to distribute fake Chinese-language software between February–March 2025 ("Campaign Trio") and May 2025 ("Campaign Chorus"). Campaign Trio automated domain registrations at roughly 300 domains per week and used an MSI installer that executed a second-stage payload (System Proces5.exe) fetched from fs-im-kefu[.]7moor-fs1[.]com, while Campaign Chorus expanded to 40+ apps and added ~90 domains hosted at 95.173.197.195 with redirection servers djbzdhygj[.]com and yqmqhjgn[.]com. The attackers materially evolved tradecraft by shifting payload hosting into a legitimate cloud bucket, adopting a VBScript-based dropper that reconstructs and decrypts multi-file payloads from .cab archives, and employing DLL sideloading via a signed wsc_proxy.exe loading malicious wsc.dll to evade static analysis. Unit 42 notes continued domain registrations as late as October 2025, signaling persistent operations and a burn-and-churn domain strategy. Operational significance: these techniques defeat signature/static defenses and favor behavior-based detection; Elastic Security Labs separately attributes a related Gh0st RAT stream to the Dragon Breath APT that abuses Protected Process Light and custom WDAC to disable Windows Defender and block Chinese EDRs (360 Total Security, Huorong). Market signals show moderately negative sentiment overall but positive per-ticker sentiment for PANW (0.5), implying potential demand uplift for advanced detection solutions while raising ongoing operational risk for China-facing consumer apps and cloud services.
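The DLL-sideloading step described above (a signed wsc_proxy.exe loading a malicious wsc.dll placed beside it) is the kind of pattern behavior-based detection can catch without a file signature. The following is an added example, not Unit 42's or Elastic's code: a heuristic run over constructed image-load events that flags a watched host executable loading its paired DLL from its own directory rather than from a Windows system directory. The event shape, the watch list and the sample paths are assumptions for illustration.

```python
"""Flag DLL-sideloading candidates in image-load telemetry (constructed sample).

Heuristic: a host executable on the watch list loads a DLL of the paired name
from the host's own directory, and that directory is not a Windows system
directory. Only the wsc_proxy.exe / wsc.dll pairing from the report is listed;
the events below are constructed samples, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Host executables named in the report as sideload targets -> paired DLL names.
WATCHED_HOSTS = {"wsc_proxy.exe": {"wsc.dll"}}


@dataclass
class ImageLoad:
    process: str   # full path of the process that loaded the image
    image: str     # full path of the loaded DLL
    signed: bool   # whether the DLL carried a valid Authenticode signature


def is_sideload(ev: ImageLoad) -> bool:
    """True when a watched host loads its paired DLL from a non-system directory it shares."""
    proc = PureWindowsPath(ev.process)
    img = PureWindowsPath(ev.image)
    expected = WATCHED_HOSTS.get(proc.name.lower())
    if expected is None or img.name.lower() not in expected:
        return False
    in_system_dir = str(img.parent).lower() in SYSTEM_DIRS
    same_dir = img.parent == proc.parent  # PureWindowsPath compares case-insensitively
    return same_dir and not in_system_dir


def find_sideloads(events):
    """Return the paths of DLLs that match the sideloading heuristic."""
    return [ev.image for ev in events if is_sideload(ev)]


# Constructed events: one benign system load, one sideload, one benign load of
# a same-named DLL from System32 by the watched host.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\wsc_proxy.exe",
              r"C:\Users\u\AppData\Local\Temp\wsc.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\wsc_proxy.exe",
              r"C:\Windows\System32\wsc.dll", True),
]

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

Only the second constructed event is reported; the same-named DLL loaded from System32 is not, which keeps the rule from firing on the legitimate host alone.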


Market Sentiment

Overall Sentiment

moderately negative

Sentiment Score

-0.50

Ticker Sentiment

AAPL: 0.00
DAO: -0.40
ESTC: 0.20
GOOG: -0.20
GOOGL: -0.20
MSFT: -0.20
PANW: 0.50
TME: -0.30

Key Decisions for Investors

  • Increase exposure to cybersecurity vendors with strong behavior-based and runtime detection capabilities, notably Palo Alto Networks (PANW), as Unit 42’s report and Elastic’s findings should accelerate enterprise spending on advanced detection