Dual-Payload Malware Campaign
A newly uncovered malware campaign is drawing significant attention within the cybersecurity community due to its ability to deploy two distinct threats simultaneously. A single obfuscated loader is used to deliver both the Gh0st RAT and CloverPlus onto the same compromised system.
This combination is both uncommon and highly strategic. Gh0st RAT enables full remote control over the infected machine, while CloverPlus focuses on manipulating browser activity, injecting advertising components, and generating revenue through intrusive pop-ups. The dual deployment allows threat actors to maintain persistent unauthorized access while monetizing the infection in real time.
This campaign highlights a growing trend toward multi-payload delivery, where attackers maximize operational efficiency and financial return from a single compromise.
Obfuscation Tactics: Concealing the Payload
The loader at the core of this campaign is engineered for stealth. It embeds two encrypted payloads within its resource section, using obfuscation techniques to evade traditional detection mechanisms.
Execution begins with the CloverPlus adware module, identified as AdWare.Win32.CloverPlus and associated with an executable named wiseman.exe. This component modifies browser startup settings and injects persistent pop-up advertisements.
Following this, the loader evaluates its execution path. If it is not operating from the system’s %temp% directory, it creates a copy of itself there before proceeding. The next stage involves decrypting the Gh0st RAT client module, which is also hidden as an encrypted resource within the malware binary.
Once decrypted, the malware assigns a random filename to the payload and stores it in a randomly named folder located at the root of the C:\ drive, further complicating detection and analysis.
Living Off the Land: Trusted Tools, Malicious Intent
To execute the decrypted payload, the malware leverages the legitimate Windows utility rundll32.exe. This approach enables malicious code execution under the guise of a trusted system process, significantly reducing the likelihood of triggering security defenses.
Once active, Gh0st RAT begins profiling the compromised system by collecting unique identifiers such as the MAC address and hard drive serial number. These details are used to register the victim within the attacker’s command-and-control infrastructure, ensuring precise tracking and management of infected hosts.
Persistence Mechanisms: Ensuring Long-Term Access
Maintaining access after system reboots is a key objective of this campaign. Gh0st RAT achieves persistence through multiple techniques embedded deep within the operating system:
- Modification of the Windows Run registry key to ensure automatic execution at startup
- Registration of a malicious DLL within the Remote Access service path under SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip
These methods grant the malware SYSTEM-level privileges whenever the associated service is launched, eliminating the need for further user interaction and reinforcing long-term control.
Detection and Defense: Indicators of Compromise
The impact of this campaign is considerable for both individuals and organizations. While the adware component disrupts browser functionality and increases exposure to malicious advertising, the RAT component enables data theft, keystroke logging, security bypassing, and persistent privileged access.
Security teams should remain vigilant and monitor for the following indicators of compromise:
- Execution of rundll32.exe loading DLLs, or files with non-standard extensions, from unusual or suspicious directories
- Process activity originating from the %temp% folder
- Unauthorized modifications to registry Run keys or RemoteAccess service configurations
- Use of ping-based delays to evade sandbox detection
- Abnormal DNS traffic patterns and unexpected changes to the system hosts file
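As an added defensive example (this is not code from the write-up or from any vendor tooling), the following Python script triages a handful of constructed Sysmon-style process, registry and file events against the persistence locations and indicators listed above: rundll32.exe loading a non-DLL module from an unusual directory, processes running from a %temp% path, writes to the Run key or the RemoteAccess RouterManagers\Ip service path, ping-based delays, and edits to the hosts file. The event layout and field names, the sample events themselves, the "trusted directory" list and the ping-count threshold are assumptions for illustration; abnormal DNS patterns need aggregate traffic data and are not covered here.

```python
"""Triage constructed endpoint events for the indicators described in the write-up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry locations named in the write-up; matched case-insensitively under any hive prefix.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
REMOTEACCESS_RE = re.compile(r"\\Services\\RemoteAccess\\RouterManagers\\Ip(\\|$)", re.I)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)
HOSTS_FILE_RE = re.compile(r"\\drivers\\etc\\hosts$", re.I)
# "ping <loopback> -n <count>" used as a sleep; the threshold of 5 is an assumed tuning value.
PING_DELAY_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost)(?:\s+-n\s+(\d+))?", re.I)
PING_MIN_COUNT = 5
# Directories from which rundll32 normally loads modules; anything else is "unusual" (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def rundll32_target(cmdline: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load (quoted or bare, before the comma)."""
    m = re.match(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+("([^"]+)"|([^\s,]+))', cmdline, re.I)
    if not m:
        return None
    return (m.group(2) or m.group(3)).split(",")[0]


def check_process(ev: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    image, cmd, parent = ev.get("image", ""), ev.get("cmdline", ""), ev.get("parent", "")
    if image.lower().endswith("rundll32.exe"):
        target = rundll32_target(cmd)
        if target:
            low = target.lower()
            bad_ext = not low.endswith(".dll")
            # A bare filename is resolved from the search path, so only full paths get a directory check.
            unusual_dir = "\\" in low and not low.startswith(TRUSTED_DIRS)
            if bad_ext or unusual_dir:
                out.append(Finding("rundll32_suspicious_module", target))
    for path in (image, parent):  # loader copies itself to %temp%; children inherit that parent path
        if TEMP_DIR_RE.search(path):
            out.append(Finding("process_from_temp", path))
            break
    m = PING_DELAY_RE.search(cmd)
    if m and int(m.group(1) or m.group(2) or 1) >= PING_MIN_COUNT:
        out.append(Finding("ping_delay", cmd))
    return out


def check_registry(ev: Dict[str, str]) -> List[Finding]:
    key = ev.get("key", "")
    if RUN_KEY_RE.search(key):
        return [Finding("run_key_modified", key)]
    if REMOTEACCESS_RE.search(key):
        return [Finding("remoteaccess_routermanager_modified", key)]
    return []


def check_file(ev: Dict[str, str]) -> List[Finding]:
    path = ev.get("path", "")
    return [Finding("hosts_file_modified", path)] if HOSTS_FILE_RE.search(path) else []


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every check over every event and return the findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(CHECKS.get(ev.get("type", ""), lambda e: [])(ev))
    return findings


# Constructed sample events (not real telemetry); paths and names are made up for the demo.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\kq7x2\a8f31.bin",Start',
     "parent": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "cmdline": "loader.exe", "parent": r"C:\Users\alice\Downloads\setup.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 127.0.0.1 -n 30 > nul",
     "parent": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",  # benign control-panel launch
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip",
     "data": r"C:\kq7x2\a8f31.bin"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wiseman",
     "data": r"C:\Users\alice\AppData\Local\Temp\wiseman.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "data": "1"},  # benign
    {"type": "file", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.evidence}")
```

Each rule maps to one bullet above, so a hit can be routed to the matching response step; in production the regexes would be fed from the EDR's own field names rather than the constructed dictionaries used here.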
Proactive monitoring and rapid response to these signals are critical to mitigating the risks posed by this sophisticated dual-threat malware campaign.