NEW SOPHISTICATED MALWARE CALLED PLAYFULGHOST SPREADS THROUGH PHISHING AND SEO-POISONED TROJANIZED VPN INSTALLERS

Cybersecurity researchers have identified a new backdoor, PLAYFULGHOST, with a broad set of information-gathering and remote-control capabilities, including keylogging, screen and audio capture, a remote shell, and file transfer and execution. According to Google's Managed Defense team, PLAYFULGHOST shares functionality with Gh0st RAT, a remote access trojan whose source code was publicly leaked in 2008.

PLAYFULGHOST reaches victims through two delivery chains: phishing and SEO poisoning. The phishing emails use conduct-related lures and carry a malicious RAR archive disguised as an image with a .jpg extension. When the victim extracts the archive and runs its contents, a malicious Windows executable is dropped, which in turn downloads and installs PLAYFULGHOST from a remote server. The SEO-poisoning chain lures users into downloading trojanized installers for legitimate VPN applications such as LetsVPN; once launched, the installer deploys an interim payload that retrieves and loads the backdoor. The loaders rely on DLL search-order hijacking and side-loading, in which a legitimate executable loads an attacker-supplied DLL that decrypts and runs the malicious code in memory. In a more elaborate variant, a Windows shortcut file ("QQLaunch.lnk") assembles a malicious DLL from two files named "h" and "t" and side-loads it through a renamed copy of "curl.exe".
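The lure in this chain depends on the victim trusting the .jpg extension rather than the bytes inside the file. The following Python script is an added example for this article, not code from Google Managed Defense or the article's author: it sniffs the first bytes of a file and flags the cases a triage analyst cares about here, a RAR 4 or RAR 5 archive behind an image extension, a decoy double extension such as photo.jpg.exe, and a PE image stored without an executable extension. The file names and byte strings in SAMPLES are constructed for illustration and are not real PLAYFULGHOST artifacts.

```python
"""Flag files whose contents do not match the type their extension claims.

Added example for this article; not code from Google Managed Defense or the
article's author. SAMPLES holds constructed byte strings, not real artifacts.
"""
import os
from typing import Optional

# Leading bytes for the file types relevant to this delivery chain. RAR 4.x and
# RAR 5 archives carry different signatures, so a disguised archive can be either.
SIGNATURES = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "jpeg": b"\xff\xd8\xff",
    "pe": b"MZ",
    "lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00",
}

# Content each extension is expected to carry.
EXPECTED = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".rar": {"rar4", "rar5"},
    ".exe": {"pe"}, ".dll": {"pe"},
    ".lnk": {"lnk"},
}

# Final extensions that Windows will execute on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".lnk", ".bat", ".cmd", ".com"}


def sniff(header: bytes) -> Optional[str]:
    """Identify the content type from the first bytes, or None if unrecognised."""
    for kind, magic in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check_file_bytes(filename: str, header: bytes) -> dict:
    """Compare the extension's claim with the sniffed content and explain any concern."""
    name = filename.lower()
    ext = os.path.splitext(name)[1]
    actual = sniff(header)
    expected = EXPECTED.get(ext)
    reasons = []
    # 1. The lure in this campaign: an archive (or any other known type) behind a .jpg name.
    if expected is not None and actual is not None and actual not in expected:
        reasons.append(f"content is {actual} but extension {ext} claims {'/'.join(sorted(expected))}")
    # 2. Decoy double extension such as photo.jpg.exe; only the last extension counts on Windows.
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-2] in EXPECTED and ext in EXECUTABLE_EXT:
        reasons.append("decoy double extension")
    # 3. A PE image stored under a non-executable (or missing) extension.
    if expected is None and actual == "pe":
        reasons.append("PE image without an executable extension")
    if reasons:
        verdict = "suspicious"
    elif expected is not None and actual in expected:
        verdict = "ok"
    else:
        verdict = "unknown"
    return {"file": filename, "actual": actual, "verdict": verdict, "reasons": reasons}


def check_path(path: str) -> dict:
    """Apply check_file_bytes() to a file on disk (only the first 16 bytes are read)."""
    with open(path, "rb") as fh:
        return check_file_bytes(os.path.basename(path), fh.read(16))


# Constructed samples standing in for an attachment triage run.
SAMPLES = {
    "invoice.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",             # genuine JPEG header
    "policy_violation.jpg": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,  # RAR 5 behind .jpg
    "photo.jpg": b"Rar!\x1a\x07\x00" + b"\x00" * 9,                 # RAR 4 behind .jpg
    "h": b"MZ\x90\x00\x03\x00\x00\x00",                             # extensionless PE
}


def suspicious(samples: dict = SAMPLES) -> list:
    """Names of samples that trip at least one check."""
    return [n for n, h in samples.items() if check_file_bytes(n, h)["verdict"] == "suspicious"]


if __name__ == "__main__":
    for n, h in SAMPLES.items():
        print(check_file_bytes(n, h))
```

Run it over a quarantine directory with check_path() on each file; extensions that are not in EXPECTED come back as "unknown" rather than "ok", so the table can be extended without silently whitelisting anything.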

PLAYFULGHOST establishes persistence through several mechanisms: Run registry keys, scheduled tasks, the Windows Startup folder, and Windows services. Once resident it can record keystrokes, capture screenshots and audio, harvest QQ account data, log clipboard content, and enumerate installed security products. Beyond collection, it can deploy additional payloads, block mouse and keyboard input, clear Windows event logs, wipe browser caches and profiles (Sogou, QQ, Firefox, Google Chrome), and delete messaging-app profiles for Skype, Telegram, and QQ. Clearing a log is itself logged: Windows writes Event ID 1102 to the Security log and Event ID 104 to the System log when a log is cleared, so forwarding those events to a collector the host cannot reach preserves a trace of the wipe.

PLAYFULGHOST also deploys tools such as Mimikatz and a rootkit that conceals files, processes, and registry entries. Another component distributed alongside it is Terminator, an open-source utility that disables security processes through a Bring Your Own Vulnerable Driver (BYOVD) attack: a legitimately signed but vulnerable kernel driver is loaded and abused to terminate protected processes from kernel mode. Microsoft's vulnerable driver blocklist, enforced through HVCI or a WDAC policy, is the standard mitigation. In one instance, the malware was embedded within BOOSTWAVE, a shellcode that functions as an in-memory dropper for PE payloads.

The malware appears to target Chinese-speaking Windows users specifically. Indicators include the LetsVPN lures and the focus on applications popular in Chinese-speaking regions, such as Sogou, QQ, and 360 Safety. This aligns with findings from Canadian cybersecurity firm eSentire, which reported a similar campaign in July 2024 that used fake Google Chrome installers to spread Gh0st RAT through a dropper named Gh0stGambit.