Intel Name: Digital doppelgangers: anatomy of evolving impersonation campaigns distributing Gh0st RAT
Date of Scan: November 17, 2025
Impact: High
Summary: We uncovered two linked 2025 malware campaigns that used large-scale brand impersonation to deliver Gh0st RAT variants to Chinese-speaking users. Across these operations, attackers evolved from simple droppers to multi-stage chains abusing legitimate signed software to evade defenses. Our report outlines the structure of both campaigns and reveals new insights into the adversary’s tactics. The first campaign (Feb–Mar 2025), “Campaign Trio,” impersonated three brands across 2,000+ domains. The second, “Campaign Chorus,” began in May 2025 and expanded impersonation to more than 40 applications. The spoofed software included enterprise tools, secure messengers, gaming platforms, and popular AI applications. Overall, Chorus significantly broadened the scope and sophistication established during Trio.