Google has uncovered a malware operation built around PLAYFULGHOST, a backdoor used to steal confidential data from compromised hosts. Google’s Managed Defense team identified the malware, and Mandiant carried out the follow-up analysis. PLAYFULGHOST reaches victims through phishing emails and through SEO poisoning that pushes trojanised VPN installers.
Once installed, PLAYFULGHOST gives the operator remote control of the compromised device. Its collection capabilities include keylogging, screenshot and audio capture, and file management (creating, deleting and modifying files).
Google has released a technical report describing how the malware operates and noting that it shares functionality with Gh0st RAT, a remote administration tool whose source code was leaked in 2008. SEO poisoning places trojanised copies of well-known, trusted applications (VPN clients among them) at the top of search results, widening the pool of victims.
According to experts:
The malware is bundled with popular applications, like LetsVPN, and distributed through SEO poisoning. This involves manipulating search engine results to make the bundled software appear at the top of searches, making it seem like a legitimate download.
How PLAYFULGHOST Spreads and Operates
PLAYFULGHOST gains initial access through phishing emails and SEO poisoning. The phishing emails masquerade as legitimate notifications, such as a company code of conduct, or deliver trojanised VPN software such as LetsVPN.
In the phishing case the lure is an archive disguised as an image file, delivered through QQ, a popular Chinese messaging app; the familiar channel makes the download look routine. When the archive is opened, a malicious Windows executable runs, downloads PLAYFULGHOST from a remote server and executes it on the victim’s device.
In the SEO poisoning case, attackers manipulate search engine rankings so that trojanised versions of trustworthy VPN applications, such as LetsVPN, appear where a user expects the genuine download. Once installed, the trojanised installer acts as an interim payload: it retrieves the PLAYFULGHOST components from remote servers and runs them on the victim’s device.
Execution relies on DLL search order hijacking and DLL side-loading: a legitimate executable is tricked into loading a malicious DLL, and that DLL decrypts PLAYFULGHOST and runs it in memory, so the backdoor itself need not sit on disk in a recognisable form.
In a more elaborate variant, a Windows shortcut file (“QQLaunch.lnk”) combines two files (“h” and “t”) into a rogue DLL. Attackers then use a renamed copy of the legitimate curl.exe to side-load this DLL, so the loader process looks like a signed, well-known tool and detection and mitigation become harder.
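The two execution tricks above (a side-loaded DLL, and a renamed copy of a legitimate host such as curl.exe doing the loading) leave a footprint in endpoint telemetry that a hunter can query. The following is an added example, not code from Google’s or Mandiant’s report: it runs two rules over a handful of constructed Sysmon-style events (field names follow Sysmon Event ID 1 ProcessCreate and Event ID 7 ImageLoad; the paths, process names and PIDs are made up for illustration and are not indicators from the campaign). Rule one flags a process whose on-disk name differs from the name in its PE version information (Sysmon’s OriginalFileName), which is how a renamed curl.exe shows up. Rule two flags an unsigned DLL loaded from the host process’s own directory when that directory is outside the usual admin-installed locations, the classic side-loading shape; it is raised to high severity when the host was also renamed.

```python
"""Hunt for DLL side-loading by a renamed host binary.

Added example, not code from the PLAYFULGHOST report. Input is a list of
constructed Sysmon-style events; everything in EVENTS is made up.
"""
import ntpath

# Directories that normally hold admin-installed, signed code. A DLL loaded
# from anywhere else, out of the loading process's own directory, is a
# side-loading candidate. Extend this list for your environment.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample telemetry (not real indicators).
EVENTS = [
    # A renamed curl.exe started from a user-writable temp directory.
    {"EventId": 1, "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "OriginalFileName": "curl.exe"},
    # ...which then loads an unsigned DLL sitting next to it.
    {"EventId": 7, "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\libcurl.dll",
     "Signed": False},
    # Benign: the real curl.exe loading a signed system DLL.
    {"EventId": 1, "ProcessId": 5000,
     "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"EventId": 7, "ProcessId": 5000,
     "Image": r"C:\Windows\System32\curl.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    # Benign-ish noise: an unsigned vendor DLL under Program Files is common
    # enough that this rule leaves it alone (tune to taste).
    {"EventId": 7, "ProcessId": 6100,
     "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll", "Signed": False},
]


def _dir(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def is_trusted_dir(path):
    return _dir(path).startswith(TRUSTED_DIRS)


def renamed_host(ev):
    """Event 1: on-disk name differs from the PE version-info name.

    Sysmon writes '-' or '?' when the binary carries no version info, so
    those are not treated as a mismatch. Some installers rename binaries
    legitimately; treat this as a hunting signal, not a blocking rule."""
    orig = ev.get("OriginalFileName", "")
    if orig in ("", "-", "?"):
        return False
    return ntpath.basename(ev["Image"]).lower() != orig.lower()


def sideload_candidate(ev):
    """Event 7: unsigned DLL loaded from the host's own directory, and that
    directory is not one of the trusted install locations."""
    if ev.get("Signed", False):
        return False
    return (_dir(ev["ImageLoaded"]) == _dir(ev["Image"])
            and not is_trusted_dir(ev["ImageLoaded"]))


def analyze(events):
    """Return a list of findings; order follows the event stream."""
    renamed = {}          # pid -> OriginalFileName, for later correlation
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventId"] == 1 and renamed_host(ev):
            renamed[pid] = ev["OriginalFileName"]
            findings.append({"rule": "renamed_host", "pid": pid, "severity": "medium",
                             "detail": f'{ev["Image"]} is really {ev["OriginalFileName"]}'})
        elif ev["EventId"] == 7 and sideload_candidate(ev):
            sev = "high" if pid in renamed else "medium"
            findings.append({"rule": "sideload", "pid": pid, "severity": sev,
                             "detail": f'{ev["Image"]} loaded unsigned {ev["ImageLoaded"]}'})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f'[{f["severity"]}] {f["rule"]} pid={f["pid"]}: {f["detail"]}')
```

Run against real Sysmon or EDR data, the same two rules map onto a stored query rather than a Python loop; the correlation step (side-load by a process that was itself renamed) is what separates this campaign’s loader from the ordinary noise of unsigned DLLs.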
Beyond collection, PLAYFULGHOST can deploy additional payloads, block keyboard and mouse input, clear Windows event logs, wipe clipboard data, perform file operations, and delete web browser caches and profiles for Sogou, QQ, 360 Safety, Firefox and Google Chrome. It can also delete local storage and profiles for chat applications including QQ, Telegram and Skype.
Targeting Sogou, QQ and 360 Safety, together with the use of LetsVPN as bait, points to a focus on Chinese-speaking Windows users. It follows a similar campaign from July 2024, reported by eSentire, in which fake Google Chrome installers delivered Gh0st RAT through a dropper called Gh0stGambit.
This sophisticated attack, which combines phishing, SEO poisoning, and trojanised VPN apps, poses a serious threat to affected users by collecting information, establishing persistence, and deploying additional malicious applications.
It is important to take fundamental measures to protect an individual against malware such as Gh0st RAT. Knowing how attackers attempt to trick you into installing malicious software without your knowledge is one of the most effective methods to keep safe. In this case, the risk landscape includes downloading software from unreliable sources, phishing attempts, and malvertising.
Never click on links in unexpected emails, texts, or messages to avoid falling for these tricks. Rather, always type the company’s address into the address bar of your browser to go straight to their website, then log in. Attackers often use subtle misspellings, such as replacing “o” with “0,” to deceive users. Performing these checks can help you avoid falling victim to such traps.
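The “o” replaced by “0” trick above is one of a family of look-alike substitutions (digit for letter, “rn” for “m”, Cyrillic letters that render identically to Latin ones, a trusted name planted as a subdomain of an attacker’s host). The following is an added example, not part of the original article or of any vendor product: it normalises the hostname in a link and compares it with a small constructed allow-list of expected domains (the domains are placeholders, not real targets), going beyond the single “o” to “0” case in the text. The registrable-domain step is deliberately naive (last two labels); production code should use the Public Suffix List so that names under co.uk and similar suffixes are handled correctly.

```python
"""Classify a link's hostname as known, look-alike, embedded brand, or unknown.

Added example, not from the original article. KNOWN_DOMAINS is a
constructed allow-list used only for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

KNOWN_DOMAINS = {"example-bank.com", "example.com"}   # constructed allow-list

# Multi-character sequences that read as one letter in many fonts.
MULTI = {"rn": "m", "vv": "w"}
# Single characters commonly swapped for a Latin letter: digits and a few
# Cyrillic homoglyphs (a, o, e, c, p). Extend from the Unicode confusables list.
SINGLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0441": "c", "\u0440": "p",
})


def normalize(host):
    """Fold a hostname to the Latin string a human would perceive."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    try:
        # Punycode labels (xn--...) decode to their Unicode form; plain ASCII
        # passes through unchanged. Anything that is not valid IDNA is left as-is.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    for seq, rep in MULTI.items():      # "rn" -> "m" before per-character mapping
        host = host.replace(seq, rep)
    return host.translate(SINGLE)


def registrable(host):
    # Naive: last two labels. Use the Public Suffix List in real code.
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return (verdict, normalized_host).

    known      - registrable domain is on the allow-list, unmodified
    lookalike  - becomes an allow-listed domain only after homoglyph folding
    embedded   - an allow-listed domain appears as labels but is not the suffix
    brand      - an allow-listed brand word appears inside another label
    unknown    - none of the above
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    norm = normalize(host)
    if registrable(host) in KNOWN_DOMAINS:
        return "known", norm
    if registrable(norm) in KNOWN_DOMAINS:
        return "lookalike", norm
    dotted = "." + norm + "."
    for known in KNOWN_DOMAINS:
        if "." + known + "." in dotted:
            return "embedded", norm
    brands = {k.split(".")[0] for k in KNOWN_DOMAINS}
    if any(b in label for label in norm.split(".") for b in brands):
        return "brand", norm
    return "unknown", norm


if __name__ == "__main__":
    for u in ("https://example-bank.com/login", "https://examp1e-bank.com/login",
              "https://ex\u0430mple-bank.com/", "https://example-bank.com.evil-host.net/"):
        print(classify(u), u)
```

The folding step has a known false-positive cost: a legitimate name that contains “rn” or a digit can fold into a different string, which is why the verdict is only raised when the folded name lands on an allow-listed domain and the raw name did not.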
The most effective training, notably that on how to detect scams is provided by Phishing Tackle. Start your two-week free trial of Phishing Tackle security awareness training now to help your employees.