Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

Two interconnected malware campaigns in 2025 used large-scale brand impersonation to distribute the Gh0st remote access Trojan (RAT) to Chinese-speaking users, evolving from simple droppers to complex, multi-stage infection chains that misuse legitimate software to bypass defenses. The campaigns show a clear operational playbook, characterized by programmatic infrastructure generation, a focus on the Chinese demographic, and a strategy of rapidly deploying disposable infrastructure.

Edward Kiledjian @ekiledjian