Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical GhostLock Vulnerability in Linux Kernel Lets Attackers Escalate Privileges
July 8, 2026
OpenAI Secures US Government Clearance for GPT-5.6 Launch
July 8, 2026
Anthropic Extends Free Claude 3 Opus Access on All Paid Plans
July 8, 2026
Home/Threats/New Dual-Payload Malware Campaign Delivers Gh0st RAT and CloverPlus Adware
Threats

New Dual-Payload Malware Campaign Delivers Gh0st RAT and CloverPlus Adware

Key Takeaways A new, sophisticated malware campaign simultaneously deploys the Gh0st Remote Access Trojan (RAT) and CloverPlus Adware through a single, obfuscated loader. The dual-payload strategy...

Marcus Rodriguez
Marcus Rodriguez
April 20, 2026 4 Min Read
42 0

Key Takeaways

  • A new, sophisticated malware campaign simultaneously deploys the Gh0st Remote Access Trojan (RAT) and CloverPlus Adware through a single, obfuscated loader.
  • The dual-payload strategy allows attackers to gain persistent system control for data theft and keystroke logging, while also monetizing infected machines through aggressive advertising.
  • The loader employs obfuscation and leverages legitimate Windows processes (rundll32.exe) to evade detection and establish high-privilege persistence via registry modifications and service hijacking.
  • Individuals and organizations are at risk of data compromise, browser disruption, and persistent system control, necessitating enhanced endpoint monitoring and updated detection rules.

Dual-Payload Campaign Delivers Gh0st RAT and CloverPlus Adware

Cybersecurity researchers are sounding the alarm over a newly identified malware campaign that deploys a formidable dual threat: the Gh0st Remote Access Trojan (RAT) and the CloverPlus Adware. This campaign leverages a single, highly obfuscated loader to simultaneously compromise target systems, providing attackers with both long-term control and immediate financial gain.

Table Of Content

  • Key Takeaways
  • Dual-Payload Campaign Delivers Gh0st RAT and CloverPlus Adware
  • Splunk Researchers Uncover Stealthy Loader
  • Inside the Loader: How Both Payloads Are Dropped and Executed
  • What You Should Do

This combination is particularly noteworthy for its strategic efficiency. Gh0st RAT is a well-established tool granting adversaries extensive control over compromised systems, enabling data exfiltration, remote execution, and surveillance. Complementing this, CloverPlus adware aggressively modifies browser settings, installs unwanted advertising components, and generates disruptive pop-up ads, directly monetizing the infection.

The simultaneous deployment of these distinct malware types signifies an evolving trend towards multi-payload delivery. This approach maximizes the attacker’s return from a single successful infection, securing a persistent backdoor for ongoing access while also generating revenue through ad fraud.

Splunk Researchers Uncover Stealthy Loader

The Splunk Threat Research Team (STRT) identified this specific loader after observing its behavior across multiple compromised hosts. Researchers noted that the loader employs sophisticated obfuscation techniques, embedding both encrypted payloads within its resource section to bypass conventional security defenses. The team meticulously mapped the malware’s comprehensive behavior against the MITRE ATT&CK framework, documenting every tactic and technique utilized during its execution.

The campaign’s design highlights a clear shift in threat actor methodologies, emphasizing efficiency in malware deployment. Instead of relying on single-purpose tools, this loader delivers a comprehensive package designed for both system compromise and ad fraud. Security teams globally are urged to enhance their endpoint monitoring capabilities and update detection rules to counter such bundled attack vectors.

The implications for individuals and organizations are significant. The adware component disrupts browser functionality and exposes users to potentially malicious advertisements, while the Gh0st RAT payload is capable of stealing sensitive data, logging keystrokes, blocking access to critical security websites, and establishing persistent, privileged access to the infected system.

Inside the Loader: How Both Payloads Are Dropped and Executed

The loader at the core of this campaign is engineered for stealth. It initially harbors two encrypted payloads within its resource section. The first payload to be extracted and executed is the CloverPlus adware module, officially identified as AdWare.Win32.CloverPlus. This component, associated with an executable named wiseman.exe, is responsible for altering browser startup pages and injecting intrusive pop-up advertisements.

Following the adware’s deployment, the loader verifies its own file path. If not located within the system’s %temp% folder, it drops a copy of itself there. Subsequently, it proceeds to decrypt the Gh0st RAT client module, which is stored as an encrypted resource in the malware binary’s RSRC section. After decryption, the malware generates a random filename and saves the decoded DLL to a randomly named folder at the root of the C: drive.

The Decryption and Execution of Gh0st RAT Payload (Source - Splunk)
The Decryption and Execution of Gh0st RAT Payload (Source – Splunk)

The decrypted DLL is then executed using the legitimate Windows application rundll32.exe. This technique enables the malware to run its malicious code under a trusted system process, significantly reducing the likelihood of triggering standard security alerts. Upon activation, Gh0st RAT initiates information gathering, collecting the machine’s MAC address and hardware drive serial number to uniquely identify the compromised host within the attacker’s command-and-control (C2) infrastructure.

For persistence, Gh0st RAT employs multiple methods. It writes itself to the Windows Run registry key and also registers a malicious DLL as part of the Windows Remote Access service under SYSTEMCurrentControlSetServicesRemoteAccessRouterManagersIp.

Remote Services Persistence (Source - Splunk)
Remote Services Persistence (Source – Splunk)

This grants the RAT SYSTEM-level privileges every time the service starts, circumventing the need for user interaction.

What You Should Do

  • Enhance Endpoint Monitoring: Closely monitor for instances of rundll32.exe loading non-standard file extensions or executing from unusual directories, particularly the %temp% folder.
  • Implement Registry Monitoring: Configure alerts for any modifications to Windows Run registry keys and paths associated with critical services like Remote Access.
  • Detect Evasion Techniques: Watch for ping-based execution delays, a common sandbox evasion tactic employed by this malware.
  • Analyze Network Traffic: Monitor for DNS traffic anomalies and unexpected alterations to the system’s hosts file, which can indicate an active Gh0st RAT infection.
  • Update Detection Rules: Ensure endpoint detection and response (EDR) rules are current and aligned with MITRE ATT&CK techniques, specifically T1134 (Access Token Manipulation), T1033 (System Owner/User Discovery), T1070.004 (Indicator Removal: File Deletion), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1021 (Remote Services), T1543.003 (Create or Modify System Process: Windows Service), T1056.001 (Input Capture: Keylogging), and T1071.004 (Application Layer Protocol: DNS).
  • Educate Users: Provide ongoing training to users on recognizing phishing attempts and malicious downloads, which are common initial infection vectors for such campaigns.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

North Korean UNC1069 APT Hacks Crypto Pros With Fake Zoom, Teams Meetings

Next Post

Critical Intel Driver Vulnerability (CVE-2023-23363) Lets Attackers Launch Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Critical RCE Vulnerabilities in Microsoft Exchange Servers Expose 2,259 Orgs
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us