Image: Janosch Lino via Unsplash

Spies with upgraded Gh0st RAT appear to be new operation, researchers say

A newly discovered cyber-espionage operation is targeting ministries of foreign affairs and embassies in multiple countries, according to a new report.

The threat actor, dubbed SneakyChef by researchers at cybersecurity firm Cisco Talos, is using a customized version of remote access trojan (RAT) malware known as Gh0st RAT, suggesting links to Chinese state-backed operations.

Cisco Talos is calling the malware SugarGh0st and says it is delivered through scanned documents that appear normal but are infected with the malicious code.

The company first discovered SugarGh0st in November but did not attribute it to a specific threat actor. The previous activity was mainly observed in South Korea and Uzbekistan, but in the new campaign, the attackers infected a broader range of targets, including ministries of foreign affairs and embassies in at least nine countries across Africa, the Middle East, Europe, and Asia.

The SneakyChef hackers have been active since at least August 2023, the researchers said.

Along with the government-themed decoy documents, researchers also observed the hackers using malicious application forms to register for a conference and research-paper abstracts.

Earlier in May, researchers at Proofpoint discovered that SugarGh0st was used in campaigns targeting organizations in the U.S. involved in artificial intelligence efforts, including academia, private industry, and government service.

Gh0st RAT is an infamous tool used for more than a decade by a range of advanced state-sponsored groups in attacks on diplomatic, political, economic, and military targets around the world. SugarGh0st is customized to allow hackers greater reconnaissance capabilities, including the ability to search for specific keys, file extensions and more. It also allows hackers to deliver customized commands and evade detections.

SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can also take screenshots of the victim machine’s current desktop and switch to multiple windows.

Cisco Talos attributed SneakyChef to China with medium confidence, in part due to the use of Gh0st RAT, which is popular among Chinese-speaking threat actors.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.