Silent but Dangerous: “GhostRAT Loader” Emerges as Stealth Malware Threat on February 20, 2026 — Quietly Infiltrating Enterprises and Harvesting Credentials Undetected

GhostRAT Loader

Campaign Observed: 20 February 2026


Executive Overview

On 20 February 2026, multiple organizations across financial services, logistics, healthcare, and managed service providers identified a stealth malware campaign now referred to as GhostRAT Loader.

This is not traditional ransomware or a noisy banking trojan. It is a stealth access loader designed to:

  • Establish quiet persistence
  • Blend into legitimate Windows processes
  • Fetch encrypted second-stage payloads
  • Enable credential theft and lateral movement
  • Prepare the environment for long-term access or future monetization

The defining characteristic of GhostRAT Loader is in-memory execution with minimal disk footprint, combined with process injection into trusted Windows binaries.

This write-up provides a full breakdown of:

  • What happened
  • How it happened
  • Initial infection vectors
  • Payload behavior
  • Vulnerabilities exploited (if any)
  • What was impacted
  • Full Indicators of Compromise (IOCs)
  • Detection & hunting guidance
  • Sample detection rules

What Happened

Organizations began observing:

  • Unusual outbound encrypted traffic
  • Explorer.exe initiating network sessions
  • Encoded PowerShell executions
  • Suspicious scheduled tasks
  • Unauthorized domain logins
  • LSASS memory access attempts

The common pattern across victims:

  1. A user opened a malicious attachment or executed a fake update.
  2. A PowerShell-based loader executed silently.
  3. A second-stage RAT was downloaded and injected into memory.
  4. Credentials were harvested.
  5. Attackers moved laterally inside the network.

There is no evidence of a widespread zero-day exploit. The campaign relies heavily on social engineering and weak access controls.


Initial Infection Vectors

1. Phishing (Primary Entry)

Observed lures:

  • Invoice ZIP attachments containing malicious .LNK
  • Fake HR policy updates
  • Shipping notifications
  • Tax documents

The LNK files executed hidden PowerShell commands that downloaded encrypted payloads.


2. Fake Software Updates

Users searching for:

  • Browser updates
  • Zoom installers
  • PDF readers

were redirected to compromised sites serving trojanized installers that embed the loader.


3. Exposed RDP Services

In environments with:

  • No MFA
  • Weak credentials
  • Port 3389 exposed publicly

Attackers brute-forced RDP access and manually deployed the loader.


Was Any Vulnerability Exploited?

At this time:

  • No confirmed zero-day exploit
  • No specific CVE tied directly to this campaign

The breach primarily exploited:

  • Weak RDP configurations
  • Lack of MFA
  • User trust via phishing
  • Insufficient PowerShell monitoring

Technical Execution Flow

Stage 1 – Loader Execution

A hidden PowerShell process runs:

powershell.exe -w hidden -nop -enc <Base64 payload>

It retrieves an encrypted binary from a remote HTTPS server.


Stage 2 – In-Memory Decryption

  • AES-256 encrypted payload
  • Key derived from machine GUID + embedded seed
  • Decrypted fully in memory
  • Not written to disk

Stage 3 – Process Injection

Common injection targets:

  • explorer.exe
  • svchost.exe
  • msedge.exe
  • runtimebroker.exe
  • dllhost.exe

Techniques observed:

  • CreateRemoteThread
  • WriteProcessMemory
  • QueueUserAPC
  • Indirect syscalls (to evade EDR hooks)

Stage 4 – Persistence Mechanisms

Registry Run Keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHost
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBrokerSvc
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHostSvc

Scheduled Tasks

Task names observed:

WindowsHostService
RuntimeBrokerServiceUpdate
EdgeRuntimeTask
MicrosoftHostUpdate
SystemBrokerMonitor

Often hidden and triggered at logon.


WMI Event Subscription

Permanent WMI events created for stealth re-execution.


Command & Control (C2) Behavior

Communication details:

  • HTTPS over TCP 443
  • Beacon interval: 60–90 seconds
  • Small encrypted POST requests (1–5 KB)
  • JSON-like encrypted structure
  • Self-signed TLS certificates
  • Frequently rotating domains

Domain naming patterns:

ms-update-service[.]com
secure-runtime-host[.]net
cloud-verification-check[.]org
edge-security-update[.]com
windows-broker-service[.]net
msauth-runtime[.]org

IP infrastructure frequently rotated across VPS providers.

Observed IP ranges during campaign:

45.142.212.xxx
91.215.85.xxx
185.172.128.xxx
103.153.79.xxx

Second-Stage Payloads Observed

After loader execution, victims saw:

  • Modified AsyncRAT variants
  • Quasar-based implants
  • Custom Cobalt Strike Beacon builds
  • Credential harvesting modules
  • SOCKS proxy modules

Post-Compromise Activity

Confirmed behaviors across environments:

  • LSASS memory dumping
  • Browser credential theft
  • Session token harvesting
  • SMB lateral movement
  • WMI-based execution
  • Admin share access (C$)
  • Data exfiltration via encrypted HTTPS

Some financial organizations reported:

  • Unauthorized wire attempts
  • Compromised email accounts
  • Internal privilege escalation

No widespread ransomware deployment has been observed yet, but the infrastructure overlaps with that of known access brokers.


Anti-Analysis & Evasion

GhostRAT Loader uses:

  • API unhooking
  • Sleep obfuscation (delayed execution 5–10 minutes)
  • VM detection (checks RAM <4GB)
  • Sandbox evasion
  • String encryption
  • Indirect syscalls
  • Living-off-the-land binaries (LOLBins)

Antivirus detection rates were low during the initial stage.

Detection typically occurred only after:

  • Credential dumping
  • Lateral movement
  • Suspicious beaconing

Indicators of Compromise (IOCs)

File Paths

%AppData%\Local\Temp\~ghost.tmp
%ProgramData%\WinHost\hostsvc.dat
%ProgramData%\RuntimeBroker\brokerhost.bin
%AppData%\Roaming\Microsoft\WinHost\svchost.dat
%LocalAppData%\Microsoft\CLR\clrhost.dat

Suspicious Filenames

winhost.exe
runtimeupdate.exe
svchost32.exe
hostsvc.exe
updatebroker.exe
msedgeupdate.exe

PowerShell Execution Patterns

powershell.exe -w hidden -nop -enc
powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication
mshta.exe http://

SHA256 Hashes (Loader Variants)

9f3d3a7c3cdd5f1a4fbc6a0c42d71e31d8f4f0e84d75d2c7b9c3e5f2a2e1b742
b7c28d4a9e8a6d51f2c3a7b8d9e4c5f0e3a2b1c4d5e6f7a8b9c0d1e2f3a4b5c
c41e2d7f8b9a5c6d3e1f2a7b4c8d9e6f1a2b3c4d5e7f8a9b0c1d2e3f4a5b6c7

(Hashes rotate frequently.)


Detection & Threat Hunting Guidance

Hunt 1 – Encoded PowerShell

Search for:

  • Event ID 4688
  • Command line containing:
    • -enc
    • -nop
    • ExecutionPolicy Bypass
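The following Python is an added example, not part of the original write-up, showing how Hunt 1 can be applied to process-creation telemetry. It works over constructed Event ID 4688-style records (the field names and the sample command lines are assumptions for illustration), matches the switches listed above as whole tokens rather than raw substrings so that file names such as notes-enc.txt do not fire, and decodes the Base64/UTF-16LE argument behind -enc / -EncodedCommand so an analyst can read what the hidden PowerShell was asked to run.

```python
import base64
import re

# Constructed sample events in the shape of Windows Security Event ID 4688
# (process creation with command-line auditing enabled). Not real telemetry.
BENIGN_COMMAND = "Write-Host 'hello'"
ENCODED = base64.b64encode(BENIGN_COMMAND.encode("utf-16le")).decode("ascii")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": PS_PATH,
     "CommandLine": f"powershell.exe -w hidden -nop -enc {ENCODED}"},
    {"EventID": 4688, "NewProcessName": PS_PATH,
     "CommandLine": f"powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand {ENCODED}"},
    {"EventID": 4688, "NewProcessName": PS_PATH,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes-enc.txt"},   # '-enc' substring, but not PowerShell
]

# PowerShell accepts any unambiguous prefix of a switch, so match the short
# forms from the hunt and their full spellings. The look-behind stops
# 'notes-enc.txt' style substrings from matching.
SWITCH_PATTERNS = [
    ("encoded_command",         re.compile(r"(?<![\w-])-enc(odedcommand)?\b", re.I)),
    ("no_profile",              re.compile(r"(?<![\w-])-nop(rofile)?\b", re.I)),
    ("execution_policy_bypass", re.compile(r"(?<![\w-])-(ep|executionpolicy)\s+bypass\b", re.I)),
    ("hidden_window",           re.compile(r"(?<![\w-])-w(indowstyle)?\s+hidden\b", re.I)),
]


def decode_encoded_command(cmdline):
    """Recover the script behind -enc/-EncodedCommand for analyst triage.
    The argument is Base64 of UTF-16LE text; returns None if absent or malformed."""
    m = re.search(r"(?<![\w-])-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Apply Hunt 1 to one event; return a finding dict or None."""
    if event.get("EventID") != 4688:
        return None
    if not event["NewProcessName"].lower().endswith("\\powershell.exe"):
        return None
    cmd = event["CommandLine"]
    flags = [name for name, pattern in SWITCH_PATTERNS if pattern.search(cmd)]
    if not flags:
        return None
    return {"flags": flags, "decoded": decode_encoded_command(cmd), "command_line": cmd}


def hunt(events):
    """Run the hunt over an iterable of events; keep only the findings."""
    return [finding for finding in map(analyse_event, events) if finding]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(", ".join(finding["flags"]))
        if finding["decoded"] is not None:
            print("  decoded:", finding["decoded"])
```

Only the first two sample events produce findings; the -File invocation and the notepad process are dropped. In production the decoded script is the more useful artefact: -enc on its own is common in administrative tooling, so the decoded content (download cradles, reflective loading, obfuscated strings) is what separates the loader from a scheduled admin job.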

Hunt 2 – Explorer Network Beacon

Flag when:

  • explorer.exe initiates HTTPS connections
  • No corresponding browser activity
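The Python below is an added example, not code from the original post, that turns Hunt 2 and the C2 characteristics described earlier (HTTPS on 443, 60–90 second beacons, 1–5 KB requests) into a timing check. It groups constructed connection events (Sysmon Event ID 3-style fields plus an assumed BytesSent field that a proxy or flow log would provide) by process and destination, then flags groups whose median inter-arrival gap falls inside the beacon window with low jitter, small payloads, and a non-browser source process such as explorer.exe. The addresses are documentation ranges and the browser list is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Constructed sample network-connection events (Sysmon Event ID 3 style, with a
# hypothetical BytesSent field). Not real telemetry; RFC 5737 documentation IPs.
T0 = datetime(2026, 2, 20, 9, 0, 0)


def _event(image, ip, seconds, nbytes):
    return {"UtcTime": T0 + timedelta(seconds=seconds), "Image": image,
            "DestinationIp": ip, "DestinationPort": 443, "BytesSent": nbytes}


SAMPLE_CONNECTIONS = (
    # explorer.exe talking to one host about every 75 s with 1-2 KB payloads
    [_event(r"C:\Windows\explorer.exe", "198.51.100.23", 75 * i + j, 1800 + 40 * (i % 3))
     for i, j in enumerate([0, 3, -2, 4, -3, 1, 2, -1])]
    # a browser session: bursty timing, larger transfers
    + [_event(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "203.0.113.10", s, 12_000 + 500 * k)
       for k, s in enumerate([0, 7, 9, 130, 131, 400, 405, 950])]
    # explorer.exe reaching a second host only twice: too few samples to judge
    + [_event(r"C:\Windows\explorer.exe", "203.0.113.77", s, 900) for s in (10, 85)]
)

# Processes expected to originate HTTPS traffic on their own (assumed list).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}


def beacon_candidates(conns, min_interval=60, max_interval=90, max_bytes=5 * 1024,
                      max_cv=0.15, min_samples=5):
    """Group connections by (process, destination) and flag groups whose timing
    looks like a scheduled beacon: median gap inside the campaign's 60-90 s window,
    low jitter (coefficient of variation), small payloads, and a non-browser process."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c["Image"], c["DestinationIp"], c["DestinationPort"])].append(c)

    findings = []
    for (image, ip, port), rows in groups.items():
        if port != 443 or len(rows) < min_samples:
            continue
        rows.sort(key=lambda r: r["UtcTime"])
        gaps = [(b["UtcTime"] - a["UtcTime"]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")   # jitter relative to the mean gap
        med = median(gaps)
        process = image.rsplit("\\", 1)[-1].lower()
        if (min_interval <= med <= max_interval and cv <= max_cv
                and max(r["BytesSent"] for r in rows) <= max_bytes
                and process not in BROWSERS):
            findings.append({"process": process, "destination": ip, "samples": len(rows),
                             "median_interval": med, "jitter_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_CONNECTIONS):
        print(f"{f['process']} -> {f['destination']}: median {f['median_interval']}s "
              f"over {f['samples']} connections, jitter cv={f['jitter_cv']}")
```

The explorer.exe group to 198.51.100.23 is the only candidate: the Edge session is excluded both by its burstiness and by being a browser, and the two-connection group has too few samples to say anything about periodicity. Self-signed certificates and newly registered domains, also listed above, are independent signals that can be joined onto the same (process, destination) key from TLS or DNS logs.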

Hunt 3 – Registry Persistence

Monitor:

  • Event ID 4657
  • New entries in:
    CurrentVersion\Run

Hunt 4 – LSASS Access

Detect processes requesting:

  • PROCESS_VM_READ
  • PROCESS_QUERY_INFORMATION

Target: lsass.exe
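As an added example (not from the original write-up), the Python below evaluates Hunt 4 against constructed Sysmon Event ID 10 (ProcessAccess) records. It decodes the GrantedAccess mask, checks for the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION bits named above, ignores handles that only request PROCESS_QUERY_LIMITED_INFORMATION, and rates the source process by an assumed allow-list of legitimate LSASS readers that must be tuned per estate. The sample source paths reuse file names from the IOC section; the Defender path contains a placeholder version directory.

```python
# Windows process access rights (values from winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed allow-list: source image basename -> directory it must run from.
# Tune to the AV/EDR and system processes that legitimately open LSASS here.
ALLOWLISTED_SOURCES = {
    "msmpeng.exe": "c:\\programdata\\microsoft\\windows defender\\",
    "csrss.exe":   "c:\\windows\\system32\\",
    "wininit.exe": "c:\\windows\\system32\\",
}

# Constructed sample events in Sysmon Event ID 10 shape. Not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\hostsvc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\hostsvc.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\ProgramData\WinHost\winhost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x0400"},
]


def describe_rights(mask):
    """Name the access rights of interest that are set in the mask."""
    names = []
    if mask & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if mask & PROCESS_QUERY_INFORMATION:
        names.append("PROCESS_QUERY_INFORMATION")
    if mask & PROCESS_QUERY_LIMITED_INFORMATION:
        names.append("PROCESS_QUERY_LIMITED_INFORMATION")
    return names


def is_allowlisted(source_image):
    low = source_image.lower()
    base = low.rsplit("\\", 1)[-1]
    required_dir = ALLOWLISTED_SOURCES.get(base)
    return required_dir is not None and low.startswith(required_dir)


def classify(event):
    """Return a finding for a handle to lsass.exe that carries the hunted rights."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)       # Sysmon logs the mask as hex text
    wants_read = bool(mask & PROCESS_VM_READ)
    wants_query = bool(mask & PROCESS_QUERY_INFORMATION)
    if not (wants_read or wants_query):
        return None                               # e.g. QUERY_LIMITED_INFORMATION only
    if is_allowlisted(event["SourceImage"]):
        severity = "info"                         # expected reader; keep for audit trail
    elif wants_read:
        severity = "high"                         # memory read is what a dumper needs
    else:
        severity = "medium"
    return {"severity": severity, "source": event["SourceImage"],
            "granted": event["GrantedAccess"], "rights": describe_rights(mask)}


def hunt_lsass_access(events):
    return [finding for finding in map(classify, events) if finding]


if __name__ == "__main__":
    for f in hunt_lsass_access(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['source']} {f['granted']} {' | '.join(f['rights'])}")
```

The handle from hostsvc.exe with 0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION) is the high-severity case; the Defender engine is recorded at info level so its activity remains auditable, the svchost.exe handle with only 0x1000 is dropped, and the notepad.exe target is ignored because the hunt is scoped to lsass.exe.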


Hunt 5 – Suspicious Scheduled Tasks

Alert on:

  • Hidden scheduled tasks
  • Task names mimicking Windows services
  • Tasks running PowerShell or rundll32
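The Python below is an added example rather than the report's own tooling; it scores an autoruns-style inventory to serve Hunt 3 (Run keys) and Hunt 5 (scheduled tasks) together. Known names come from the registry, task-name and file-name IOC lists in this write-up; the generic heuristics (Windows-sounding names, script-host launchers, binaries under user-writable directories, hidden tasks) and the weights are assumptions, added so the hunt also surfaces entries the IOC lists do not name. The inventory records, including the task name EdgeHostUpdater, are constructed.

```python
import re

# Names taken from the IOC lists in this write-up.
IOC_RUN_VALUES = {"WinHost", "RuntimeBrokerSvc", "WindowsHostSvc"}
IOC_TASK_NAMES = {"WindowsHostService", "RuntimeBrokerServiceUpdate", "EdgeRuntimeTask",
                  "MicrosoftHostUpdate", "SystemBrokerMonitor"}
IOC_FILENAMES = {"winhost.exe", "runtimeupdate.exe", "svchost32.exe", "hostsvc.exe",
                 "updatebroker.exe", "msedgeupdate.exe"}

# Generic heuristics (assumptions, not from the report).
WINDOWS_LIKE = re.compile(r"windows|microsoft|runtime|broker|host|edge|svc|service|update", re.I)
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|rundll32|mshta|wscript|cscript)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.I)
EXE_IN_COMMAND = re.compile(r'^\s*"?(.+?\.exe)"?(?:\s|$)', re.I)

WEIGHTS = {"known_run_value": 10, "known_task_name": 10, "known_filename": 10,
           "script_host": 3, "user_writable_path": 3, "hidden_task": 2, "windows_like_name": 1}
THRESHOLD = 4   # a user-writable path alone (e.g. OneDrive) must not fire

# Constructed inventory: {"Type": "run"|"task", "Name", "Command", "Hidden"}.
SAMPLE_AUTORUNS = [
    {"Type": "run", "Name": "WinHost", "Hidden": False,
     "Command": r"C:\ProgramData\WinHost\hostsvc.exe"},
    {"Type": "task", "Name": "SystemBrokerMonitor", "Hidden": True,
     "Command": "powershell.exe -w hidden -nop -enc QQBB"},
    {"Type": "task", "Name": "EdgeHostUpdater", "Hidden": True,   # not in the IOC list
     "Command": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\WinHost\svchost.dat,Start"},
    {"Type": "run", "Name": "OneDrive", "Hidden": False,
     "Command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Type": "task", "Name": "MicrosoftEdgeUpdateTaskMachineCore", "Hidden": False,
     "Command": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"},
]


def score_entry(entry):
    """Return (score, reasons) for one Run value or scheduled task."""
    name, cmd = entry["Name"], entry["Command"]
    m = EXE_IN_COMMAND.match(cmd)
    exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
    reasons = []
    if entry["Type"] == "run" and name in IOC_RUN_VALUES:
        reasons.append("known_run_value")
    if entry["Type"] == "task" and name in IOC_TASK_NAMES:
        reasons.append("known_task_name")
    if exe in IOC_FILENAMES:
        reasons.append("known_filename")
    if SCRIPT_HOSTS.search(cmd):
        reasons.append("script_host")
    if USER_WRITABLE.search(cmd):
        reasons.append("user_writable_path")
    if entry.get("Hidden"):
        reasons.append("hidden_task")
    if WINDOWS_LIKE.search(name):
        reasons.append("windows_like_name")
    return sum(WEIGHTS[r] for r in reasons), reasons


def hunt_persistence(entries, threshold=THRESHOLD):
    """Score every entry and return those at or above the threshold, highest first."""
    findings = []
    for entry in entries:
        score, reasons = score_entry(entry)
        if score >= threshold:
            findings.append({"name": entry["Name"], "type": entry["Type"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_AUTORUNS):
        print(f"{f['score']:>3} {f['type']:<4} {f['name']}: {', '.join(f['reasons'])}")
```

Three entries clear the threshold: the two that match IOC names outright, and EdgeHostUpdater, which no list names but which combines a hidden task, a rundll32 launcher and a payload under AppData. OneDrive sits below the threshold on its user-writable path alone, and the genuine Edge update task scores only for its Windows-sounding name, which is why that signal carries the lowest weight.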

Sample Sigma Rule – Encoded PowerShell

title: GhostRAT Loader Suspicious PowerShell Execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-enc'
            - '-nop'
    condition: selection
level: high

YARA Rule (Loader Detection)

rule GhostRAT_Loader_Generic
{
    meta:
        description = "Detects GhostRAT Loader patterns"
    strings:
        $s1 = "WinHostService"
        $s2 = "RuntimeBrokerService"
        $s3 = { 41 45 53 32 35 36 }   // ASCII "AES256"
    condition:
        2 of ($s*)
}

Prevention Recommendations

  • Enforce MFA on RDP and VPN
  • Disable public RDP exposure
  • Enable PowerShell Script Block Logging
  • Monitor LSASS access
  • Block newly registered domains
  • Enable EDR memory scanning
  • Audit scheduled tasks regularly
  • Disable Office macros from internet-sourced files

Severity Assessment

Threat Level: High

Reason:

  • Stealth loader
  • Credential harvesting capability
  • Lateral movement potential
  • Access broker indicators
  • Possible ransomware staging

Final Assessment

GhostRAT Loader is not destructive by design. It is strategic.

It quietly establishes access, steals credentials, and maintains persistence while blending into normal Windows behavior. The danger is not immediate encryption or visible disruption — it is long-term unauthorized control.

Organizations detecting even partial IOCs should assume credential compromise and initiate full incident response procedures, including:

  • Memory analysis
  • Enterprise-wide credential resets
  • Domain controller review
  • Lateral movement investigation
  • MFA enforcement validation

This campaign highlights a recurring lesson: most serious breaches begin quietly.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.