PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps

Category	Details
Threat Actors	Not explicitly named, but shares functionality with Gh0st RAT, indicating potential ties to similar threat actor groups.
Campaign Overview	New malware, PLAYFULGHOST, uses phishing emails and SEO poisoning to deliver trojanized VPN apps, primarily targeting Chinese-speaking users.
Target Regions (Or Victims)	Chinese-speaking Windows users, particularly those using VPN apps and messaging applications like QQ and Telegram.
Methodology	• Phishing emails with trojanized VPN apps. • SEO poisoning to distribute malware. • DLL search order hijacking, side-loading, and rogue shortcut files for execution.
Product Targeted	VPN apps (LetsVPN), messaging apps (QQ, Telegram), web browsers (Sogou, QQ, 360 Safety, Firefox, Google Chrome).
Malware Reference	PLAYFULGHOST, shares features with Gh0st RAT.
Tools Used	Mimikatz, rootkit, Terminator (BYOVD attack), BOOSTWAVE, DLL hijacking, custom dropper.
Vulnerabilities Exploited	DLL search order hijacking, side-loading, and Windows shortcut manipulation.
TTPs	• Phishing emails. • SEO poisoning. • DLL hijacking and side-loading. • Dropper payloads. • Persistence methods (Run registry key, scheduled tasks, etc.).
Attribution	Likely state-sponsored or organized cybercrime groups based on tools and techniques.
Recommendations	• Be cautious with downloading VPN apps and clicking email links. • Regularly update antivirus and anti-malware tools.
Source	The Hackers News

Read full article: https://thehackernews.com/2025/01/playfulghost-delivered-via-phishing-and.html

The above summary has been generated by an AI language model