Gh0St

Category: rat · Aliases: None known · Sample count (EMBER 2018): 4 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Gh0st RAT is a long-standing, modular Remote Access Trojan (RAT) that has been active since at least 2008. Because its source code is publicly available, numerous threat actors have modified and deployed it, making it a persistent and frequently encountered threat. Gh0st RAT provides attackers with full, interactive control over an infected system, including remote desktop access, keystroke logging, webcam/microphone hijacking, and file management. Modern campaigns often deliver Gh0st RAT through sophisticated methods like fake installers, spam emails, and malicious loaders, using techniques like DLL sideloading to bypass security controls.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_GH0ST {
    meta:
        description = "Detects Gh0St (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "gh0st" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Gh0St Activity
id: e9679963a2c22de9032e8000338997dc
status: experimental
description: Detects generic indicators of the gh0st malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*gh0st*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Gh0st RAT?

Gh0st RAT is a widely distributed Remote Access Trojan that allows attackers to take full control over a victim's computer, including screen sharing, keylogging, and file manipulation.

How is Gh0st RAT typically deployed?

It is commonly spread via spam and phishing emails, fake software installers, and malicious loaders that may bundle the RAT with other threats like adware.

Why is Gh0st RAT so common?

The original source code for Gh0st RAT was released publicly many years ago, allowing a wide variety of threat actors to easily modify, customize, and deploy their own versions of the malware.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/gh0st.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.