Chinese Hackers Target Windows Systems in Campaign to Deploy Ghost RAT and PhantomNet Malware

Zscaler ThreatLabz, in collaboration with TibCERT, uncovered two tightly coordinated cyberattack campaigns, Operation GhostChat and Operation PhantomPrayers, targeting Tibetan organizations and individuals.

Leveraging increased online activity and cultural significance surrounding the Dalai Lama’s 90th birthday, both campaigns utilized highly technical, multi-stage malware delivery chains to infiltrate Windows systems and deploy the notorious Ghost RAT and PhantomNet backdoors.

Analysis by ThreatLabz links these operations with high confidence to Chinese state-sponsored APT groups, underlining the ongoing risks faced by the Tibetan community from China-nexus cyber espionage.

Multi-Stage Malware Delivery

In Operation GhostChat, attackers compromised a legitimate Tibetan community website, altering a link which originally encouraged users to send birthday greetings to the Dalai Lama.

Figure: Webpage crafted by the threat actor.

Instead, visitors were quietly redirected to a fraudulent domain, thedalailama90.niccenter[.]net, closely mimicking the real site to maintain the illusion of legitimacy.

Here, victims were enticed to download an “encrypted chat application” under the guise of secure Tibetan communication.

The payload, a ZIP archive branded as Element, the open-source messaging client, contained hijacked components.

Specifically, it abused DLL sideloading: a malicious ffmpeg.dll was placed alongside the legitimate Element.exe, which loads that library by name from its own directory.

This DLL acted as a shellcode loader, employing advanced evasion techniques such as mapping a fresh copy of ntdll.dll to bypass user-mode security hooks and leveraging low-level APIs (Nt* and Rtl* functions) overlooked by many endpoint detection solutions.

The infection proceeded in three stages. First, the malicious DLL established persistence via registry keys and injected shellcode into the ImagingDevices.exe process using memory section techniques.

Next, it loaded a second-stage shellcode, heavily obfuscated and reflectively loaded into memory.

The final stage deployed a customized Ghost RAT variant configured for command-and-control (C2) communications over a custom protocol with RC4-like encryption to IP 104.234.15[.]90:19999.

The malware’s capabilities included process, registry, file, system, clipboard, screen, audio, and webcam data collection.

According to the report, Operation PhantomPrayers followed a parallel approach but instead lured users with a fabricated “special prayer check-in” application tied to the Dalai Lama’s birthday.

Delivered from hhthedalailama90.niccenter[.]net, the application masqueraded as a legitimate PyQt5-based tool, even displaying a convincing map of fabricated user check-ins.

As with GhostChat, DLL sideloading was abused, this time with a signed VLC.exe and a malicious libvlc.dll, to execute shellcode from an encrypted .tmp file staged in %appdata%\Birthday.

Figure: Multi-stage attack chain for Operation GhostChat.

This chain culminated in the deployment of PhantomNet (SManager), a modular backdoor used by China-nexus TA428, featuring AES-secured C2 channels and the ability to receive further plugin DLLs for extended surveillance and system control.

Advanced Evasion and Attribution

Both campaigns demonstrate advanced evasion strategies, including code injection using rarely monitored Windows APIs, reflective and compressed payload loading, and persistence mechanisms via registry keys or startup folders.

Technical indicators of compromise (IOCs) strongly overlap with those reported in previous Chinese cyber espionage campaigns, affirming the attribution.

The malicious infrastructure extensively relied on .niccenter[.]net subdomains and a tight cluster of C2 and payload hosting IPs.

Indicators of Compromise (IOCs)

| Type | Indicator / Value | Description |
| --- | --- | --- |
| Domain | thedalailama90.niccenter[.]net | Malicious campaign domain |
| Domain | tbelement.niccenter[.]net | Malicious campaign domain |
| Domain | beijingspring.niccenter[.]net | Malicious campaign domain |
| Domain | penmuseum.niccenter[.]net | Malicious campaign domain |
| URL | tbelement.niccenter[.]net/Download/TBElement.zip | Ghost RAT payload ZIP |
| URL | http://hhthedalailama90.niccenter[.]net/DalaiLamaCheckin.exe | PhantomPrayers downloader |
| C2 (Ghost RAT) | 104.234.15[.]90:19999 | Ghost RAT command-and-control |
| C2 (PhantomNet) | 45.154.12[.]93:2233 | PhantomNet command-and-control |
| File | TBElement.zip (0ad48356…) | Malicious ZIP archive |
| File | ffmpeg.dll (037d9551…) | Malicious DLL loader |
| File | DalaiLamaCheckin.exe (a0b5d6ea…) | Malicious prayer app |
| File | VLC.exe (9ffb61f1…) | Signed binary (for sideloading) |
| File | libvlc.dll (f6b42e4d…) | Malicious DLL loader |
| File | .tmp (45fd64a2…) | Encrypted stage 1 shellcode |
| Process | ImagingDevices.exe | Injection target for Ghost RAT/PhantomNet |
| Directory | %appdata%\Birthday, %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Birthday Reminder.lnk | Persistence locations |
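As an added example, not code from the article or from Zscaler ThreatLabz, the following Python script turns the IOC table above and the tradecraft described earlier (a signed host binary loading its sideloaded DLL from a user-writable folder, injection-style access to ImagingDevices.exe, the %appdata%\Birthday staging directory and the Startup .lnk, DNS lookups of niccenter[.]net subdomains and connections to the two C2 endpoints) into checks over Sysmon-style event records. The event records, their field names and the user-writable-path heuristic are constructed for this example; only the indicators come from the table.

```python
# Added example: host-telemetry matcher for the GhostChat / PhantomPrayers indicators.
# Event records and field names below are constructed for the example (Sysmon-like).
import ntpath

# Indicators from the article's IOC table, defanging brackets removed.
C2_ENDPOINTS = {
    ("104.234.15.90", 19999): "Ghost RAT C2",
    ("45.154.12.93", 2233): "PhantomNet C2",
}
MALICIOUS_DOMAIN_SUFFIX = ".niccenter.net"
# Signed host binary -> DLL name it was abused to sideload.
SIDELOAD_PAIRS = {"element.exe": "ffmpeg.dll", "vlc.exe": "libvlc.dll"}
INJECTION_TARGET = "imagingdevices.exe"
PERSISTENCE_MARKERS = (
    "\\appdata\\roaming\\birthday\\",                          # %appdata%\Birthday
    "\\start menu\\programs\\startup\\birthday reminder.lnk",  # Startup folder .lnk
)
# Heuristic (assumption, not from the article): VLC and Element legitimately load these
# DLLs from their own install directory, so the signal is a load from a user-writable path.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")


def _norm(path):
    """Lower-case a Windows path and unify separators for substring matching."""
    return path.replace("/", "\\").lower()


def _base(path):
    """File name component of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(_norm(path))


def check_event(ev):
    """Return a list of alert strings for one event; an empty list means no match."""
    alerts = []
    kind = ev["type"]
    if kind == "dns":
        if _norm(ev["query"]).endswith(MALICIOUS_DOMAIN_SUFFIX):
            alerts.append(f"DNS lookup of campaign infrastructure: {ev['query']}")
    elif kind == "net":
        label = C2_ENDPOINTS.get((ev["dst_ip"], ev["dst_port"]))
        if label:
            alerts.append(f"{label} connection from {_base(ev['process'])} "
                          f"to {ev['dst_ip']}:{ev['dst_port']}")
    elif kind == "image_load":
        proc, dll, dll_path = _base(ev["process"]), _base(ev["image"]), _norm(ev["image"])
        if SIDELOAD_PAIRS.get(proc) == dll and any(m in dll_path for m in USER_WRITABLE_MARKERS):
            alerts.append(f"Possible DLL sideloading: {proc} loaded {dll} from {ev['image']}")
    elif kind == "process_access":
        if _base(ev["target"]) == INJECTION_TARGET and _base(ev["process"]) != INJECTION_TARGET:
            alerts.append(f"Injection-style access to {INJECTION_TARGET} by {_base(ev['process'])}")
    elif kind == "file_create":
        if any(m in _norm(ev["path"]) for m in PERSISTENCE_MARKERS):
            alerts.append(f"Persistence artifact written: {ev['path']}")
    return alerts


def scan(events):
    """Run every event through check_event; return (event index, alert) pairs."""
    return [(i, alert) for i, ev in enumerate(events) for alert in check_event(ev)]


# Constructed sample telemetry: three benign records, then six mirroring the GhostChat chain.
DL = "C:\\Users\\tenzin\\Downloads\\TBElement\\"
SAMPLE_EVENTS = [
    {"type": "dns", "query": "www.dalailama.com"},
    {"type": "image_load", "process": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "image": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"},          # legitimate VLC
    {"type": "net", "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},                        # benign (doc-range IP)
    {"type": "dns", "query": "thedalailama90.niccenter.net"},
    {"type": "image_load", "process": DL + "Element.exe", "image": DL + "ffmpeg.dll"},
    {"type": "process_access", "process": DL + "Element.exe",
     "target": "C:\\Windows\\System32\\ImagingDevices.exe"},
    {"type": "file_create", "process": DL + "Element.exe",
     "path": "C:\\Users\\tenzin\\AppData\\Roaming\\Birthday\\stage1.tmp"},
    {"type": "file_create", "process": DL + "Element.exe",
     "path": "C:\\Users\\tenzin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\"
             "Programs\\Startup\\Birthday Reminder.lnk"},
    {"type": "net", "process": "C:\\Windows\\System32\\ImagingDevices.exe",
     "dst_ip": "104.234.15.90", "dst_port": 19999},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

In a real deployment the five event kinds map naturally onto Sysmon event IDs 22 (DNS query), 3 (network connection), 7 (image load), 10 (process access) and 11 (file create). The sideloading rule deliberately stays quiet for VLC and Element loading their DLLs from under Program Files, since that is normal behaviour for both; the user-writable-path heuristic is what separates the campaign's staging from a clean install, and the hash prefixes in the table are too short to match on, so they are not used.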


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
