GHOSTFORM RAT
GHOSTFORM is a .NET-based remote access trojan (RAT) designed to combine several malicious capabilities into a single executable binary. The malware executes PowerShell scripts directly in memory, reducing the likelihood of detection by traditional security tools. To further evade security mechanisms, it uses techniques such as invisible Windows forms and delayed execution timers. Because of its stealthy behavior and extensive capabilities, any detection of GHOSTFORM should trigger immediate removal and incident response procedures.
Attack Chain One: Multi-Stage Malware Deployment
The first attack chain begins with the delivery of a password-protected RAR archive containing a fake application designed to resemble WinRAR. When the victim opens the archive, a dropper known as SPLITDROP is executed. This dropper installs two additional malware components: TWINTASK and TWINTALK.
SPLITDROP first prompts the victim for a password in order to extract a hidden archive. If that archive is already present on the system, execution stops. Otherwise, the dropper decrypts an embedded payload in the background while displaying a deceptive error message to the user. The decrypted content is written to the directory 'C:\ProgramData\PolGuid', after which a legitimate executable named VLC.exe is launched to advance the attack.
Once executed, VLC.exe loads a malicious dynamic-link library (DLL) called TWINTASK through DLL sideloading. This component waits for instructions from the attacker and executes them using PowerShell. Several of these commands are used specifically to establish persistence on the system and initiate the next stage of the compromise. As part of this process, a script launches WingetUI.exe and creates registry entries that ensure both VLC.exe and WingetUI.exe run automatically whenever the system restarts.
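The persistence step above leaves a concrete artifact: autostart registry values that launch VLC.exe and WingetUI.exe from C:\ProgramData\PolGuid. The following is an added detection example, not code from the write-up or from the malware authors. It assumes the registry entries are Run/RunOnce values (the text only says "registry entries") and runs over a constructed, Sysmon-style "EventID=13" (registry value set) log, flagging autorun writes that point into the staging directory, launch one of the two sideloading hosts, or reference any user-writable path.

```python
"""Added example: flag autostart registry writes matching the SPLITDROP
persistence described above. Input is a constructed, Sysmon-like
'EventID=13' log, one 'key=value|key=value' event per line."""
from dataclasses import dataclass, field

# Real Windows autostart locations. The write-up only says "registry entries",
# so the use of the Run/RunOnce keys is an assumption of this example.
RUN_KEYS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
)
# Values taken from the write-up above (lower-cased for comparison).
STAGING_DIR = "c:\\programdata\\polguid"
SIDELOAD_HOSTS = ("vlc.exe", "wingetui.exe")
# Directories an ordinary user can write to; autoruns from here deserve review.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class Finding:
    target_object: str
    details: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split a 'k=v|k=v' line (constructed log shape) into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_run_key(target_object):
    """True if the registry path is under one of the autostart keys."""
    t = target_object.lower()
    return any(k.lower() in t for k in RUN_KEYS)


def check_registry_event(fields):
    """Return a Finding for a suspicious autorun write, else None."""
    if fields.get("EventID") != "13" or not is_run_key(fields.get("TargetObject", "")):
        return None
    details = fields.get("Details", "")
    d = details.lower().strip('"')
    reasons = []
    if STAGING_DIR in d:
        reasons.append("command points into the known staging directory")
    if any(h in d for h in SIDELOAD_HOSTS):
        reasons.append("command launches a known DLL-sideloading host")
    if d.startswith(USER_WRITABLE):
        reasons.append("autorun target lives in a user-writable path")
    if not reasons:
        return None
    return Finding(fields["TargetObject"], details, reasons)


def scan(lines):
    """Run every event through the check and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = check_registry_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\PolGuid"
    "|Details=C:\\ProgramData\\PolGuid\\VLC.exe",
    "EventID=13|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WingetUI"
    "|Details=\"C:\\ProgramData\\PolGuid\\WingetUI.exe\"",
    # Benign autorun from a system path: must not be flagged.
    "EventID=13|Image=C:\\Windows\\System32\\msiexec.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
    "|Details=C:\\Windows\\System32\\SecurityHealthSystray.exe",
    # Process-creation event: wrong event type, ignored.
    "EventID=1|Image=C:\\ProgramData\\PolGuid\\VLC.exe|CommandLine=VLC.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.target_object, "->", f.details)
        for r in f.reasons:
            print("   ", r)
```

The user-writable-path reason is deliberately broad: it catches the same chain if the staging directory or host binary names change, at the cost of more review work, while the two indicator-specific reasons give an analyst an immediate link back to this campaign.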
TWINTALK and TWINTASK: Coordinated Command Execution
When WingetUI.exe is executed, it loads another malicious module known as TWINTALK. This component connects to the attacker's command-and-control server and retrieves instructions. TWINTALK works together with TWINTASK to execute commands on the compromised machine.
TWINTALK supports three primary command categories:
- Command execution on the infected device
- File download from the attacker's infrastructure
- File upload from the compromised system to the attacker
Through these capabilities, attackers gain extensive control over the infected environment.
Attack Chain Two: Direct GHOSTFORM Execution
The second attack chain uses GHOSTFORM itself to perform all the functions handled by multiple components in the first chain. Instead of deploying several files or relying on DLL sideloading, this variant executes PowerShell commands directly in memory.
To remain undetected, the malware creates an invisible Windows form that delays execution before the payload runs. In addition, the campaign uses Google Forms as part of a social engineering lure to encourage victims to initiate the malicious activity.
Evasion and Persistence Techniques
GHOSTFORM incorporates multiple mechanisms designed to reduce detection and maintain long-term access to compromised systems. The malware deliberately delays its activity by generating an almost invisible Windows form that runs a timer with a randomly determined delay before continuing execution.
It also creates a mutex to ensure that only one instance of the malware runs on the system and generates a unique bot identifier for tracking infected machines. Remote access trojans of this type are commonly used to deploy additional payloads, steal sensitive data and files, or perform other malicious operations within the victim environment.
Key capabilities commonly associated with the campaign include:
- Deployment of additional malware payloads
- Theft of information and files from infected devices
- Remote command execution through PowerShell
- Long-term persistence within compromised systems
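Because GHOSTFORM runs its PowerShell in memory, the script-block text recorded by PowerShell logging is often the only place the behaviours above (a near-invisible form, a timer with a random delay, a single-instance mutex, in-memory execution) show up together. The following is an added example, not code from the write-up or from the malware; the indicator regexes name real .NET and PowerShell identifiers, but which of them a GHOSTFORM script actually uses is an assumption, and the two sample script blocks are constructed. The point of the example is the co-occurrence threshold: any one of these behaviours is ordinary in admin tooling, so only a combination is flagged.

```python
"""Added example: score PowerShell script-block text for the combination of
behaviours described above. Heuristic and samples are constructed."""
import re

# One category per behaviour from the write-up. Identifiers are real .NET /
# PowerShell names; the choice of patterns is an assumption of this example.
INDICATORS = {
    "hidden_form": re.compile(
        r"Windows\.Forms|\.Opacity\s*=\s*0|\.Visible\s*=\s*\$false|ShowInTaskbar\s*=\s*\$false",
        re.I),
    "random_delay": re.compile(r"Get-Random|Forms\.Timer|Start-Sleep", re.I),
    "single_instance": re.compile(r"Threading\.Mutex", re.I),
    "in_memory_exec": re.compile(
        r"Invoke-Expression|\bIEX\b|FromBase64String|\[Reflection\.Assembly\]::Load",
        re.I),
}
# Flag only when several behaviours co-occur; each alone is common in
# legitimate scripts (GUI tools use forms and timers, installers use mutexes).
THRESHOLD = 3


def classify_script_block(text):
    """Return the matched categories, their count and the verdict."""
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {
        "categories": matched,
        "score": len(matched),
        "flagged": len(matched) >= THRESHOLD,
    }


def scan_script_blocks(blocks):
    """Return (index, result) for every block that crosses the threshold."""
    return [(i, r) for i, r in enumerate(map(classify_script_block, blocks)) if r["flagged"]]


# Constructed sample of what a hidden-form / timer / mutex loader could look like;
# $blob is never defined, so this text does nothing if run.
SUSPICIOUS_BLOCK = r"""
$f = New-Object System.Windows.Forms.Form
$f.Opacity = 0.01; $f.ShowInTaskbar = $false
$t = New-Object System.Windows.Forms.Timer
$t.Interval = Get-Random -Minimum 30000 -Maximum 120000
$m = New-Object System.Threading.Mutex($false, 'Global\PLACEHOLDER-BOTID')
$t.Add_Tick({ IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($blob))) })
"""

# Constructed benign admin GUI: uses a form and a timer, nothing else.
BENIGN_BLOCK = r"""
Add-Type -AssemblyName System.Windows.Forms
$form = New-Object System.Windows.Forms.Form
$form.Text = 'Disk usage monitor'
$timer = New-Object System.Windows.Forms.Timer
$timer.Interval = 5000
$timer.Add_Tick({ $label.Text = (Get-PSDrive C).Free })
$form.ShowDialog()
"""

if __name__ == "__main__":
    for idx, result in scan_script_blocks([SUSPICIOUS_BLOCK, BENIGN_BLOCK]):
        print("block", idx, "score", result["score"], result["categories"])
```

Fed with real Event ID 4104 ScriptBlockText values, the benign GUI scores 2 and passes, while the loader sketch scores 4; tune THRESHOLD and the category list to the environment rather than to these two samples.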
ClickFix Social Engineering: Human-Focused Infection Vector
The campaign does not rely solely on malware delivery. It also incorporates a social engineering technique known as ClickFix to compromise systems. Attackers create convincing fake web pages designed to manipulate users into executing malicious commands.
Examples include spoofed Cisco Webex meeting invitations or fraudulent web forms that appear legitimate. Victims are instructed to run commands that automatically download and execute malware, unknowingly initiating the compromise.
Blending Malware and Deception
This campaign demonstrates a coordinated approach that combines technical malware deployment with psychological manipulation. Attackers distribute malicious files disguised as harmless programs resembling WinRAR utilities. When opened, the files install hidden malware components on the system.
Once installed, one of the components runs silently in the background, periodically checking the attacker's server for encrypted instructions and executing them through PowerShell. In parallel, ClickFix-style attacks rely on fake surveys, deceptive meeting invitations, or fraudulent online forms to persuade users to execute commands that trigger malware downloads.
By combining advanced malware tools such as TWINTASK, TWINTALK, and GHOSTFORM with carefully crafted social engineering techniques, threat actors significantly increase the success rate of system compromise and maintain persistent remote control over infected devices.