New Dual-Payload Malware Campaign Delivers Gh0st RAT and CloverPlus Adware
Key Takeaways A new, sophisticated malware campaign simultaneously deploys the Gh0st Remote Access Trojan (RAT) and CloverPlus Adware through a single, obfuscated loader. The dual-payload strategy...
Key Takeaways
- A new, sophisticated malware campaign simultaneously deploys the Gh0st Remote Access Trojan (RAT) and CloverPlus Adware through a single, obfuscated loader.
- The dual-payload strategy allows attackers to gain persistent system control for data theft and keystroke logging, while also monetizing infected machines through aggressive advertising.
- The loader employs obfuscation and leverages legitimate Windows processes (
rundll32.exe) to evade detection and establish high-privilege persistence via registry modifications and service hijacking. - Individuals and organizations are at risk of data compromise, browser disruption, and persistent system control, necessitating enhanced endpoint monitoring and updated detection rules.
Dual-Payload Campaign Delivers Gh0st RAT and CloverPlus Adware
Cybersecurity researchers are sounding the alarm over a newly identified malware campaign that deploys a formidable dual threat: the Gh0st Remote Access Trojan (RAT) and the CloverPlus Adware. This campaign leverages a single, highly obfuscated loader to simultaneously compromise target systems, providing attackers with both long-term control and immediate financial gain.
Table Of Content
This combination is particularly noteworthy for its strategic efficiency. Gh0st RAT is a well-established tool granting adversaries extensive control over compromised systems, enabling data exfiltration, remote execution, and surveillance. Complementing this, CloverPlus adware aggressively modifies browser settings, installs unwanted advertising components, and generates disruptive pop-up ads, directly monetizing the infection.
The simultaneous deployment of these distinct malware types signifies an evolving trend towards multi-payload delivery. This approach maximizes the attacker’s return from a single successful infection, securing a persistent backdoor for ongoing access while also generating revenue through ad fraud.
Splunk Researchers Uncover Stealthy Loader
The Splunk Threat Research Team (STRT) identified this specific loader after observing its behavior across multiple compromised hosts. Researchers noted that the loader employs sophisticated obfuscation techniques, embedding both encrypted payloads within its resource section to bypass conventional security defenses. The team meticulously mapped the malware’s comprehensive behavior against the MITRE ATT&CK framework, documenting every tactic and technique utilized during its execution.
The campaign’s design highlights a clear shift in threat actor methodologies, emphasizing efficiency in malware deployment. Instead of relying on single-purpose tools, this loader delivers a comprehensive package designed for both system compromise and ad fraud. Security teams globally are urged to enhance their endpoint monitoring capabilities and update detection rules to counter such bundled attack vectors.
The implications for individuals and organizations are significant. The adware component disrupts browser functionality and exposes users to potentially malicious advertisements, while the Gh0st RAT payload is capable of stealing sensitive data, logging keystrokes, blocking access to critical security websites, and establishing persistent, privileged access to the infected system.
Inside the Loader: How Both Payloads Are Dropped and Executed
The loader at the core of this campaign is engineered for stealth. It initially harbors two encrypted payloads within its resource section. The first payload to be extracted and executed is the CloverPlus adware module, officially identified as AdWare.Win32.CloverPlus. This component, associated with an executable named wiseman.exe, is responsible for altering browser startup pages and injecting intrusive pop-up advertisements.
Following the adware’s deployment, the loader verifies its own file path. If not located within the system’s %temp% folder, it drops a copy of itself there. Subsequently, it proceeds to decrypt the Gh0st RAT client module, which is stored as an encrypted resource in the malware binary’s RSRC section. After decryption, the malware generates a random filename and saves the decoded DLL to a randomly named folder at the root of the C: drive.

The decrypted DLL is then executed using the legitimate Windows application rundll32.exe. This technique enables the malware to run its malicious code under a trusted system process, significantly reducing the likelihood of triggering standard security alerts. Upon activation, Gh0st RAT initiates information gathering, collecting the machine’s MAC address and hardware drive serial number to uniquely identify the compromised host within the attacker’s command-and-control (C2) infrastructure.
For persistence, Gh0st RAT employs multiple methods. It writes itself to the Windows Run registry key and also registers a malicious DLL as part of the Windows Remote Access service under SYSTEMCurrentControlSetServicesRemoteAccessRouterManagersIp.

This grants the RAT SYSTEM-level privileges every time the service starts, circumventing the need for user interaction.
What You Should Do
- Enhance Endpoint Monitoring: Closely monitor for instances of
rundll32.exeloading non-standard file extensions or executing from unusual directories, particularly the%temp%folder. - Implement Registry Monitoring: Configure alerts for any modifications to Windows Run registry keys and paths associated with critical services like Remote Access.
- Detect Evasion Techniques: Watch for ping-based execution delays, a common sandbox evasion tactic employed by this malware.
- Analyze Network Traffic: Monitor for DNS traffic anomalies and unexpected alterations to the system’s hosts file, which can indicate an active Gh0st RAT infection.
- Update Detection Rules: Ensure endpoint detection and response (EDR) rules are current and aligned with MITRE ATT&CK techniques, specifically T1134 (Access Token Manipulation), T1033 (System Owner/User Discovery), T1070.004 (Indicator Removal: File Deletion), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1021 (Remote Services), T1543.003 (Create or Modify System Process: Windows Service), T1056.001 (Input Capture: Keylogging), and T1071.004 (Application Layer Protocol: DNS).
- Educate Users: Provide ongoing training to users on recognizing phishing attempts and malicious downloads, which are common initial infection vectors for such campaigns.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.