Listen to this Post

Introduction
Cybercrime operations are becoming increasingly complex, with attackers no longer relying on single-purpose malware. Instead, they are shifting toward multi-layered infection chains that combine espionage tools with monetization engines. A recent analysis by the Splunk Threat Research Team (STRT) highlights this evolution through a campaign that deploys both the Gh0st Remote Access Trojan (RAT) and CloverPlus adware. This dual approach demonstrates how modern threat actors aim to maintain long-term access to compromised systems while simultaneously generating immediate financial profit.
Summary of the Original
The Splunk Threat Research Team uncovered a sophisticated malware campaign that uses a multi-payload loader to deploy two different malicious components: the Gh0st RAT and CloverPlus adware. This combination allows attackers to achieve both persistent system control and rapid financial gain through advertising fraud.
The infection begins with an obfuscated loader designed to evade detection mechanisms. This loader extracts two encrypted payloads embedded in its resource section. The first payload, CloverPlus adware, modifies browser settings such as homepage configuration and injects intrusive advertisements to generate revenue through user interactions.
After deploying the adware, the loader checks the system’s %temp% directory to determine its execution state. If not found, it replicates itself before decrypting the second payload, the Gh0st RAT client module, which is stored as an encrypted DLL file.
The malware saves this DLL in a randomly generated directory on the C:\ drive and executes it using rundll32.exe, a legitimate Windows utility often abused for stealth execution. This technique helps the malware blend into normal system activity and evade detection.
Once active, Gh0st RAT establishes multiple persistence mechanisms. It modifies Windows Registry Run keys to ensure automatic execution at startup, configures Remote Access services for elevated SYSTEM-level privileges, and installs itself as a Windows service for long-term persistence.
The malware also monitors Remote Desktop Protocol (RDP) sessions by tracking processes like mstsc.exe. It uses Windows APIs such as GetKeyState() to capture keystrokes, enabling credential theft and potential lateral movement across networks.
To mitigate this threat, STRT recommends monitoring unusual rundll32.exe executions, detecting suspicious registry modifications, identifying execution from temporary directories, and analyzing delayed execution patterns using ping-sleep commands.
What Undercode Say:
This campaign reflects a significant shift in cybercriminal strategy, where financial and espionage objectives are merged into a single infection chain. The use of dual payloads indicates that attackers are optimizing return on compromise rather than focusing on isolated outcomes.
The inclusion of CloverPlus adware shows that attackers are not only interested in stealthy access but also in immediate monetization through user behavior manipulation. This is a classic “profit-first” layer added on top of traditional intrusion tactics.
Gh0st RAT, on the other hand, continues to demonstrate why legacy malware families remain relevant. Its persistence mechanisms, combined with SYSTEM-level execution, make it a powerful tool for long-term compromise.
The abuse of legitimate Windows utilities such as rundll32.exe highlights the growing trend of “living-off-the-land” techniques, where attackers avoid introducing obvious malicious binaries into the system.
The loader’s ability to decrypt and stage multiple payloads suggests modular malware architecture, which allows attackers to swap or upgrade components without redesigning the entire infection chain.
Registry-based persistence remains one of the most reliable methods for attackers, despite years of defensive improvements, showing that foundational Windows mechanisms are still a weak point.
The monitoring of RDP sessions indicates a clear focus on enterprise environments, where remote access tools are widely used and often insufficiently secured.
Keylogging through native Windows APIs reduces detection probability, as it avoids reliance on external hooking frameworks or suspicious libraries.
The use of randomized filenames and directories is designed to break signature-based detection systems, forcing defenders to rely on behavioral analysis instead.
This campaign also illustrates how attackers blend nuisance-level malware (adware) with high-impact espionage tools, increasing both noise and stealth in the same environment.
The dual strategy ensures that even if one payload is detected and removed, the other may continue to operate, extending attacker presence.
Security teams must prioritize behavioral anomaly detection rather than static signatures to counter such evolving threats.
Monitoring %temp% execution paths is particularly important, as many loaders stage execution there before escalating privileges.
The campaign reinforces the idea that modern malware is no longer single-purpose but instead operates as a toolkit designed for multiple revenue streams.
Fact Checker Results
✔ The Gh0st RAT is a well-documented remote access trojan used in multiple cyber campaigns
✔ rundll32.exe is commonly abused by malware for stealth execution
✔ Multi-payload loaders are an established technique in modern cyberattacks
Prediction
Cybercriminal campaigns will increasingly combine adware, spyware, and ransomware in unified loaders, prioritizing modular design and financial diversification. Defensive strategies will shift further toward behavior-based detection, with greater emphasis on endpoint telemetry and real-time process analysis.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




