Hybrid Threat Analysis: Dual-Payload Campaign Bundling Gh0st RAT with CloverPlus Adware
A sophisticated new malware campaign has surfaced, utilizing a multi-stage delivery mechanism that bundles a high-impact Remote Access Trojan (RAT) with intrusive adware. This dual-purpose approach allows threat actors to achieve two objectives simultaneously: immediate monetization through fraudulent advertising and long-term, persistent espionage via complete system control.
The infection chain begins with a specialized loader containing two distinct, encrypted payloads embedded within its resource section. The first payload is identified as AdWare.Win32.CloverPlus. Upon execution, this component aggressively alters browser startup settings and triggers unsolicited pop-ups to hijack user traffic and generate illicit click revenue.
While the adware handles the “quick win” monetization, the loader concurrently prepares a second, more dangerous payload: a Gh0st RAT client DLL. This secondary payload provides the attackers with a robust backdoor into the victim’s environment.
To evade rudimentary path-based security heuristics, the loader performs an environmental check to see if it is currently running from the %temp% directory. If the execution path does not match, the loader moves its own binary to the temporary folder before proceeding to decrypt the Gh0st RAT DLL from the RSRC section. This campaign, recently dissected by the Splunk Threat Research Team (STRT), highlights a growing trend in defense evasion focusing on stealth and persistence.

Once decrypted, the DLL is written to a randomly named subdirectory within the C:\ root. The malware then leverages rundll32.exe to execute the payload—a classic Living-off-the-Land (LotL) technique designed to blend malicious execution into legitimate Windows processes.
Gh0st RAT: Stealth, Network Discovery, and DNS Hijacking
The Gh0st RAT variant employs advanced privilege escalation to expand its reach. By utilizing access token manipulation (ATT&CK T1134), the malware enables SeDebugPrivilege, granting it the ability to interact with and scrape memory from other running processes—a critical step for credential harvesting.

For reconnaissance, the RAT performs extensive user and network discovery (T1018). It specifically identifies processes handling DNS traffic on port 53 by calling GetExtendedUdpTable(). Once identified, the malware can terminate these processes and replace them with its own, enabling seamless DNS hijacking.
To maintain a low profile, the malware implements indicator removal via file deletion (T1070.004), scrubbing its traces after the initial infection. Furthermore, it employs anti-analysis checks by inspecting the registry key HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe; if a virtual machine is detected, it shifts its behavior to avoid sandbox detection.
In virtualized environments, the malware utilizes a “dead drop resolver” routine (T1102.001). Instead of contacting a known malicious IP, it reaches out to a seemingly benign Sina blog URL and parses the HTML <title> tag to decode its true Command-and-Control (C2) address. This cleverly masks the C2 infrastructure behind legitimate web content.
To bypass automated sandbox analysis, the malware also uses a “ping-based sleep” technique (T1678). By calling ping.exe with the -n parameter, it creates a calculated delay, ensuring that the sandbox’s monitoring window expires before the malicious payload truly activates.

Perhaps most impressively, the RAT manipulates application-layer DNS communications (T1071.004) to blind security software. It inspects DNS queries for strings related to antivirus vendors—such as “Alyac,” “Ahnlab,” or “V3lite”—and returns spoofed responses or errors. This prevents the endpoint protection from reaching its update servers or communicating with the cloud. Finally, it executes ipconfig /flushdns to ensure the poisoned DNS cache takes immediate effect.
System Profiling, Persistence, and High-Value Surveillance
The malware gathers deep hardware intelligence to assist in long-term campaign tracking. By using Netbios() NCBASTAT calls and SMART_RCV_DRIVE_DATA IOCTL requests, it extracts MAC addresses and physical disk serial numbers, creating a unique fingerprint for every infected host.

Persistence is deeply integrated into the Windows architecture. The RAT targets standard Windows Run keys (T1547.001) and abuses the Windows Remote Access service configuration under SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip. This allows the malware to load its DLL with SYSTEM level privileges, effectively hiding its execution within a core OS service.
Furthermore, the RAT actively monitors mstsc.exe (Remote Desktop) sessions. By leveraging GetKeyState() and GetAsyncKeyState(), it implements highly targeted keylogging (T1056.001) during RDP sessions. This allows attackers to harvest high-value administrative credentials, facilitating lateral movement within enterprise networks.
Defensive Strategies and Detection
To combat this dual-threat campaign, STRT has released specialized analytic content designed for the Splunk platform. Defenders should look for the following high-fidelity signals:
- Abnormal rundll32.exe behavior: Execution involving non-standard file extensions.
- Suspicious Shell activity: Use of
ping.exewith specific parameters to create execution delays. - Persistence Triggers: New or modified entries in the Windows Run keys and the
RemoteAccess\RouterManagers\Ipregistry path. - Environmental Anomalies: Execution of processes originating from the
%temp%directory.
By correlating endpoint, process, registry, and DNS telemetry, security operations centers (SOCs) can transition from reactive cleanup to proactive threat hunting, effectively disrupting both the immediate revenue-driven adware and the long-term Gh0st RAT backdoor before they can compromise the core of the network.