Digital Doppelgangers: Uncovering the Gh0st RAT Impersonation Campaigns Targeting Chinese Users (2025)

Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

Executive Summary

We have identified two interconnected malware campaigns active throughout 2025, using large-scale brand impersonation to deliver Gh0st remote access Trojan (RAT) variants to Chinese-speaking users. From the first campaign to the second, the adversary advanced from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software to bypass modern defenses.

This report provides a detailed breakdown of the campaigns' anatomy, offering new intelligence on the attackers' operational playbook. We analyze an initial campaign from February–March 2025 that mimicked three brands across over 2,000 domains and a more sophisticated campaign starting in May 2025 that impersonated over 40 applications. The impersonated software primarily includes widely used enterprise tools, secure messaging apps, gaming platforms and popular AI software.

By analyzing the evolution of the attack methods, infrastructure and targeting, we establish a clear operational playbook. Understanding the adversary’s adaptive tactics, techniques and procedures (TTPs), such as using cloud infrastructure for payload delivery and DLL side-loading for evasion, provides crucial insights for enhancing security postures.

Our analysis is based on data from Palo Alto Networks products, including Advanced URL Filtering and Advanced WildFire, which provided visibility into the malware's behavior and infection chains. This internal data was supplemented by passive DNS (pDNS) analysis and open-source intelligence. We provide organizations with indicators of compromise (IoCs) to mitigate against this threat.

Palo Alto Networks customers are better protected from this activity through the following products and services:

  • Advanced WildFire (https://docs.paloaltonetworks.com/wildfire)
  • Advanced URL Filtering (https://docs.paloaltonetworks.com/advanced-url-filtering/administration) and Advanced DNS Security (https://docs.paloaltonetworks.com/dns-security)
  • Advanced Threat Prevention (https://docs.paloaltonetworks.com/advanced-threat-prevention/administration)
  • Cortex XDR (https://docs-cortex.paloaltonetworks.com/p/XDR) and XSIAM (https://docs-cortex.paloaltonetworks.com/p/XSIAM)
  • Cortex Cloud DSPM (https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management)

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team (https://start.paloaltonetworks.com/contact-unit42.html).

Related Unit 42 Topics: Gh0st RAT (https://unit42.paloaltonetworks.com/tag/gh0st-rat/), Cybercrime (https://unit42.paloaltonetworks.com/category/cybercrime)

The Rise of Impersonation at Scale: A Persistent Threat to Chinese-Speaking Users

In recent years, malware campaigns specifically tailored to target Chinese-speaking users globally have emerged as a notable trend in the threat landscape. These operations demonstrate a complex understanding of the target demographic's digital ecosystem and online behaviors.

The lures used are often not generic. Instead, attackers carefully select them to appeal to this specific audience. Attackers frequently impersonate the following types of applications:

  • Software that is widely popular within the community (e.g., Youdao dictionary or Sogou browser)
  • Tools used to circumvent state-imposed internet restrictions (e.g., VPNs and encrypted messaging applications)

How would potential victims find these malicious sites impersonating legitimate software? Attackers have a variety of options. They could generate traffic to these sites through malicious online ads or search engine poisoning. Attackers can also post on social media and other online forums to promote these sites. Email is another vector for leading potential victims to these sites.

The choice to target people seeking tools to bypass censorship is particularly strategic. This suggests an adversary who is interested in people already attempting to operate outside of easily monitored channels, making them prime targets for surveillance or espionage.

The final payload in these campaigns is often a RAT that grants the attacker comprehensive control over a compromised system. The Gh0st RAT and its many variants are a prominent choice, particularly for Chinese-nexus cybercrime and espionage actors who have used these tools for over a decade.

Anatomy of the First Campaign: Campaign Trio

We refer to this initial activity as Campaign Trio due to its impersonation of three distinct software brands. Active from February–March 2025, this phase established the adversary's baseline operational model. This campaign involved a massive number of domains, used an aggressive approach to infrastructure deployment and followed a clear, focused targeting strategy.

The malware distribution strategy of this campaign relied on a vast network of malicious websites that convincingly mimicked legitimate software download portals to lure victims.

Mass Domain Registration

Between February and March 2025, attackers registered over 2,000 domains, with significant surges in activity in early February and early March. Attackers appear to have automated their domain registration, typically combining the impersonated brand name with a random-looking alphanumeric suffix and using TLDs like .top or .vip.

The entire network of over 2,000 domains was hosted on just three IP addresses:

  • 154.82.84[.]227
  • 156.251.25[.]43
  • 156.251.25[.]112

This high-volume domain approach is designed to persist in the face of reputation-based blocking systems. It also ensures that even if some domains are taken down, many other domains remain available.

Figure 1 shows a sample of the Campaign Trio attack infrastructure, including the following information:

  • Three clusters of brand impersonating domains
  • Their association with web server IP addresses
  • An additional server hosting the malware for downloading

This centralized model, with over 2,000 domains resolving to just three IP addresses, suggests that attackers viewed components of the infrastructure as disposable. This also implies an aggressive approach to infrastructure deployment that allows the attackers to rapidly establish new websites.
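As an added illustration (not part of the Unit 42 report or its tooling), the following Python script shows how a defender could triage passive DNS data for the two traits described above: domain labels made of an impersonated brand plus a random-looking alphanumeric suffix on .top or .vip, and many such domains resolving to a handful of IP addresses. The brand list, the two TLDs and the three hosting IPs are taken from the report; the pDNS records, the domain suffixes, the dates and the two control IPs are constructed, and the suffix heuristic (alphanumeric, at least three characters, at least one digit) is an assumption.

```python
import re
from collections import defaultdict

# Brands impersonated in Campaign Trio, per the report; any list of brands can be passed instead.
TRIO_BRANDS = ("i4tools", "youdao", "deepseek")
# TLDs the report names for the automated registrations.
SUSPECT_TLDS = {"top", "vip"}
# Heuristic for a "random-looking" suffix (assumption): alphanumeric, >= 3 chars, >= 1 digit.
SUFFIX_RE = re.compile(r"^(?=.*\d)[a-z0-9]{3,}$")


def classify_domain(domain, brands=TRIO_BRANDS, tlds=SUSPECT_TLDS):
    """Return the impersonated brand if `domain` looks like <brand><random suffix>.<tld>, else None."""
    domain = domain.lower().rstrip(".")
    if domain.count(".") != 1:  # only bare second-level registrations are considered here
        return None
    label, tld = domain.split(".")
    if tld not in tlds:
        return None
    for brand in brands:
        if label.startswith(brand) and SUFFIX_RE.match(label[len(brand):]):
            return brand
    return None


def cluster_by_ip(records):
    """Group pDNS records (domain, ip, first_seen) by resolved IP: {ip: sorted domains}."""
    clusters = defaultdict(set)
    for domain, ip, _first_seen in records:
        clusters[ip].add(domain.lower())
    return {ip: sorted(domains) for ip, domains in clusters.items()}


def triage(records, brands=TRIO_BRANDS, tlds=SUSPECT_TLDS):
    """Per IP: how many domains resolve there, how many match the impersonation
    pattern, and which brands are impersonated."""
    summary = {}
    for ip, domains in cluster_by_ip(records).items():
        matched = {}
        for domain in domains:
            brand = classify_domain(domain, brands, tlds)
            if brand:
                matched[domain] = brand
        summary[ip] = {
            "domains": len(domains),
            "impersonating": len(matched),
            "brands": sorted(set(matched.values())),
        }
    return summary


def suspicious_ips(records, min_hits=2, brands=TRIO_BRANDS, tlds=SUSPECT_TLDS):
    """IPs hosting at least `min_hits` impersonation-pattern domains: review candidates,
    with the whole cluster of co-hosted domains available as the pivot."""
    return sorted(ip for ip, s in triage(records, brands, tlds).items()
                  if s["impersonating"] >= min_hits)


# Constructed pDNS records: the brand prefixes, TLDs and the three hosting IPs are from the
# report; the suffixes, dates and the two control IPs (RFC 5737 ranges) are made up.
PDNS_RECORDS = [
    ("i4toolsa7k2.top", "154.82.84[.]227", "2025-02-03"),
    ("i4toolsq9x.vip", "154.82.84[.]227", "2025-02-04"),
    ("youdaox3f8.top", "156.251.25[.]43", "2025-03-02"),
    ("youdao5mz1.vip", "156.251.25[.]112", "2025-03-02"),
    ("deepseekk2p.top", "156.251.25[.]112", "2025-03-04"),
    ("youdaodict.top", "198.51.100.7", "2024-06-01"),   # word-like suffix, no digit: not flagged
    ("youdao.com", "203.0.113.10", "2020-01-01"),       # the brand itself: not flagged
]

if __name__ == "__main__":
    for ip, s in triage(PDNS_RECORDS).items():
        print(ip, s)
    print("review candidates:", suspicious_ips(PDNS_RECORDS))
```

The brand-plus-suffix check alone produces false positives on legitimate lookalike registrations, which is why the script pivots on co-hosting: an IP where several such domains land at once is a much stronger signal than any single domain, and the full cluster under that IP is what an analyst would then review and block.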

Targeted Impersonation

The choice of impersonated brands for this campaign reveals a deliberate targeting strategy:

  • i4tools: With over 1,400 domains, this was the most impersonated brand. This is Chinese-language, multi-function software for managing and transferring files to and from Apple-based mobile devices.
  • Youdao: Attackers created over 600 domains to impersonate this popular Chinese dictionary and translation application, strongly indicating a focus on Chinese-speaking users.
  • DeepSeek: We identified only five domains. The impersonation of this AI company demonstrates the attackers' interest in capitalizing on current technology trends.

The landing pages hosted on these domains closely mimicked the legitimate sites to deceive victims into downloading the trojanized software installers shown in Figures 2, 3 and 4.

Execution and Payload Delivery: A Centralized Model

Webpages from over 2,000 domains served their malicious payloads from a single source: hxxps[:]//xiazailianjieoss[.]com.

This domain hosted ZIP archives containing the trojanized installers. The downloaded archives contained either a malicious Microsoft Installer (MSI) file or a standalone executable. The MSI installers used a custom action to execute a secondary, smaller executable, separating the malicious logic from the main installer to bypass static analysis.

Final Payload: The Gh0st RAT

MSI-based malware delivery can include a substantial variety of actions also typically executed by benign MSI files. This allows malicious actions to hide within the many legitimate operations generated by an attacker's MSI file.

Figure 5 illustrates this concept in action. It shows a malicious MSI sample from Campaign Trio running the embedded malware within the MSI package. Using Microsoft's Orca (https://learn.microsoft.com/en-us/windows/win32/msi/orca-exe) tool, we can search the malicious MSI file's custom actions for anything suspicious. Running the malicious executable is one of 43 custom actions, not including all the normal actions and processes generated by an MSI file.

The MSI file in Figure 5 employs a seemingly legitimate graphical user interface (GUI) for its installation procedure. The Orca tool reveals the MSI file's custom action table, where we've highlighted the malicious action run in the background during the installation. In this instance, the custom action LaunchApplication executes the second-stage malware, a 1.7 MB executable named [System Process]5.exe.

Primary functions of [System Process]5.exe are to:

  • Download an obfuscated binary from a staging server
  • Decode the binary
  • Run the decoded binary

The obfuscated binary was hosted on URLs from fs-im-kefu.7moor-fs1[.]com, a malware distribution point linked to previous Gh0st RAT activity (https://dti.domaintools.com/chinese-malware-delivery-websites/).

The deobfuscated binary is the final payload. We identified this final payload as Gh0st RAT, which provides attackers with the following capabilities:

  • Logging keystrokes
  • Capturing screenshots
  • Remote shell access
  • Downloading additional malware

These Gh0st RAT samples create scheduled tasks for persistence and use powershell.exe to add exclusions in Windows Defender, so they can run undetected. Once active, these Gh0st RAT samples establish command and control (C2) communication via encrypted TCP traffic over port 8080 to servers with domains like xiaobaituziha[.]com, which resolved to 103.181.134[.]138.
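The persistence and evasion behaviour described above (scheduled-task creation and Windows Defender exclusions added through powershell.exe) is what an endpoint detection would key on. The following Python detection logic is an added example, not Unit 42 code: it runs two constructed rules over constructed process-creation events (Sysmon- or 4688-style, as JSON lines) and raises the severity when both behaviours occur on one host within a short window. The event field names, the ten-minute window and the sample log lines are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detection rules for the two behaviours the report attributes to these samples.
RULES = {
    # Defender exclusion added from the command line (Add-MpPreference -ExclusionPath/-Process/-Extension).
    "defender_exclusion": re.compile(
        r"\bAdd-MpPreference\b[^|;]*-Exclusion(?:Path|Process|Extension)\b", re.I),
    # Scheduled task creation via schtasks /create or the Register-ScheduledTask cmdlet.
    "scheduled_task_create": re.compile(
        r"(?:\bschtasks(?:\.exe)?\b.*\s/create\b)|(?:\bRegister-ScheduledTask\b)", re.I),
}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def match_event(event):
    """Return the rule names that fire on one process-creation event (a dict with
    'host', 'ts', 'image' and 'cmdline'; the field names are an assumption)."""
    cmdline = event.get("cmdline", "")
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    # The report says the exclusions are added via powershell.exe; tag that case explicitly.
    if "defender_exclusion" in hits and image in POWERSHELL_IMAGES:
        hits.append("powershell_defender_exclusion")
    return hits


def correlate(events, window=timedelta(minutes=10)):
    """Per host, the sorted rule names that fired; adds 'persistence_and_evasion' when
    an exclusion and a task creation occur on the same host within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        for hit in match_event(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), hit))
    findings = {}
    for host, hits in per_host.items():
        names = {name for _, name in hits}
        exclusions = [t for t, name in hits if name == "defender_exclusion"]
        tasks = [t for t, name in hits if name == "scheduled_task_create"]
        if any(abs(a - b) <= window for a in exclusions for b in tasks):
            names.add("persistence_and_evasion")
        findings[host] = sorted(names)
    return findings


def parse_jsonl(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (not real telemetry). Raw string: '\\' inside the JSON is one backslash.
SAMPLE_LOG = r"""
{"ts": "2025-03-05T10:01:12", "host": "WS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"}
{"ts": "2025-03-05T10:02:40", "host": "WS01", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /tn Updater /tr \"C:\\ProgramData\\svc\\x.exe\" /sc onlogon"}
{"ts": "2025-03-05T11:30:00", "host": "WS02", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c schtasks /query /tn Backup"}
{"ts": "2025-03-05T11:31:00", "host": "WS02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Get-MpPreference"}
{"ts": "2025-03-05T09:00:00", "host": "WS03", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /tn \"Nightly Backup\" /tr backup.bat /sc daily"}
"""

if __name__ == "__main__":
    for host, names in correlate(parse_jsonl(SAMPLE_LOG)).items():
        print(host, names)
```

Either rule on its own fires in ordinary administration (WS03 creates a task and is only a low-severity hit); the combination on one host in a short window is the pattern worth paging on, and the exclusion path itself is the first thing to pull for the investigation.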

Anatomy of the Second Campaign: Campaign Chorus

We refer to the second campaign as Campaign Chorus because attackers expanded their lures to impersonate over 40 different software applications. Launched in May 2025, this campaign built upon the foundation of the first and showed a significant expansion in targeting. Its TTPs evolved to enhance evasion and bypass security controls.

Expanded Targeting, Refined TTPs

While maintaining a focus on Chinese-speaking users, attackers broadened their lure selection to maximize their potential targets. The attackers organized Campaign Chorus in a more structured manner.

Broader Scope and Wave-Based Attacks

In Campaign Chorus, attackers impersonated widely used enterprise messaging software, Chinese versions of secure messaging apps and popular gaming platforms. They also continued targeting software popular with Chinese speakers, such as QQ Music and Sogou browser. This indicates a strategy to reach a wider demographic of Chinese speakers.

Figure 6 shows examples of impersonated applications from this campaign.

This campaign was initially executed in two distinct waves, distinguished by domain naming conventions and registration dates:

  • Wave 1 (registered May 15, 2025): This wave consisted of 40 domains, all beginning with the prefix guwaanzh
  • Wave 2 (registered May 26–28, 2025): This wave included 51 domains, all starting with the prefix xiazaizhadia

The use of structured, wave-based attacks with different domain prefixes and corresponding redirection servers (djbzdhygj[.]com for Wave 1 and yqmqhjgn[.]com for Wave 2) suggests a more organized and possibly experimental approach. The attackers could have been testing the effectiveness of different lures or attempting to compartmentalize their infrastructure to make it more resilient to tak
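The wave structure described here (a shared domain prefix, a tight registration window and one redirection server per wave) can be recovered from registration data without knowing the prefixes in advance. The following Python script is an added example, not Unit 42 code: it discovers clusters of domains that share a long leading string, then summarises each cluster's size, registration span and redirectors. The two prefixes, the dates and the two redirection servers come from the report; the random-looking tails, TLD choices and the two singleton lures are constructed, and the minimum prefix length and cluster size are assumptions.

```python
from collections import defaultdict
from datetime import date


def label_of(domain):
    """Leftmost DNS label, lower-cased (the part the operator appears to generate)."""
    return domain.lower().split(".")[0]


def find_prefix_clusters(domains, min_prefix=6, min_size=3):
    """Group domains whose labels share a leading string of at least `min_prefix`
    characters, with at least `min_size` members. Longer shared prefixes are tried
    first, so a long prefix is not swallowed by a shorter one. Assumption: the part
    after the prefix is random enough that members of one wave do not also share a
    longer prefix by chance. Returns {prefix: sorted domains}."""
    unassigned = set(domains)
    clusters = {}
    longest = max((len(label_of(d)) for d in domains), default=0)
    for length in range(longest, min_prefix - 1, -1):
        groups = defaultdict(list)
        for d in unassigned:
            label = label_of(d)
            if len(label) > length:  # something must follow the prefix (the varying part)
                groups[label[:length]].append(d)
        for prefix, members in groups.items():
            if len(members) >= min_size:
                clusters[prefix] = sorted(members)
                unassigned.difference_update(members)
    return clusters


def summarize_waves(records, **cluster_kwargs):
    """records: (domain, registration date 'YYYY-MM-DD', redirect host). Returns one
    summary per prefix cluster, ordered by first registration date."""
    by_domain = {d: (date.fromisoformat(reg), redirect) for d, reg, redirect in records}
    waves = []
    for prefix, members in find_prefix_clusters(list(by_domain), **cluster_kwargs).items():
        dates = [by_domain[m][0] for m in members]
        waves.append({
            "prefix": prefix,
            "size": len(members),
            "first_seen": min(dates).isoformat(),
            "last_seen": max(dates).isoformat(),
            "redirectors": sorted({by_domain[m][1] for m in members}),
        })
    waves.sort(key=lambda w: (w["first_seen"], w["prefix"]))
    return waves


# Constructed registration records: the prefixes, dates and redirect servers are from the
# report; the random-looking tails, TLD choices and the two singleton lures are made up.
SAMPLE_REGISTRATIONS = [
    ("guwaanzhk3f.top", "2025-05-15", "djbzdhygj[.]com"),
    ("guwaanzhx9q.vip", "2025-05-15", "djbzdhygj[.]com"),
    ("guwaanzh72m.top", "2025-05-15", "djbzdhygj[.]com"),
    ("xiazaizhadia4p.top", "2025-05-26", "yqmqhjgn[.]com"),
    ("xiazaizhadiab8.vip", "2025-05-27", "yqmqhjgn[.]com"),
    ("xiazaizhadiaq1.top", "2025-05-28", "yqmqhjgn[.]com"),
    ("xiazaizhadia9z.top", "2025-05-28", "yqmqhjgn[.]com"),
    ("qqmusicz1.top", "2025-05-20", "203.0.113.5"),   # lone registration: no wave
    ("sogoubr2.top", "2025-05-21", "203.0.113.5"),
]

if __name__ == "__main__":
    for wave in summarize_waves(SAMPLE_REGISTRATIONS):
        print(wave)
```

Once a wave is identified, the shared prefix and its redirection server become block-list entries that cover every domain in the wave, including ones registered after the analysis, which is the practical payoff of tracking the operator's naming convention rather than individual domains.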
