Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT

    Date: 11/17/2025

    Severity: High

    Summary

    We uncovered two linked 2025 malware campaigns that used large-scale brand impersonation to deliver Gh0st RAT variants to Chinese-speaking users. Across these operations, attackers evolved from simple droppers to multi-stage chains abusing legitimate signed software to evade defenses. Our report outlines the structure of both campaigns and reveals new insights into the adversary’s tactics. The first campaign (Feb–Mar 2025), “Campaign Trio,” impersonated three brands across 2,000+ domains. The second, “Campaign Chorus,” began in May 2025 and expanded impersonation to more than 40 applications. The spoofed software included enterprise tools, secure messengers, gaming platforms, and popular AI applications. Overall, Chorus significantly broadened the scope and sophistication established during Trio.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    xiazailianjieoss.com

    fs-im-kefu.7moor-fs1.com

    xiaobaituziha.com

    deep-seek.rest

    i4toolsearch.vip

    youdaohhzi.top

    xiazaizhadia9.cyou

    xiazaizhadia8.cyou

    xiazaizhadia51.cyou

    xiazaizhadia50.cyou

    xiazaizhadia46.cyou

    xiazaizhadia44.cyou

    xiazaizhadia42.cyou

    xiazaizhadia41.cyou

    xiazaizhadia40.cyou

    xiazaizhadia39.cyou

    xiazaizhadia37.cyou

    xiazaizhadia36.cyou

    xiazaizhadia35.cyou

    xiazaizhadia34.cyou

    xiazaizhadia33.cyou

    xiazaizhadia30.cyou

    xiazaizhadia29.cyou

    xiazaizhadia27.cyou

    xiazaizhadia24.cyou

    xiazaizhadia22.cyou

    xiazaizhadia21.cyou

    xiazaizhadia20.cyou

    xiazaizhadia2.cyou

    xiazaizhadia19.cyou

    xiazaizhadia18.cyou

    xiazaizhadia16.cyou

    xiazaizhadia12.cyou

    xiazaizhadia10.cyou

    xiazaizhadia1.cyou

    guwaanzh8.cyou

    guwaanzh35.cyou

    guwaanzh34.cyou

    guwaanzh25.cyou

    guwaanzh24.cyou

    guwaanzh21.cyou

    guwaanzh20.cyou

    guwaanzh2.cyou

    ydbaoo52.cyou

    i4toolscacvi.top

    youdaqqaavw.top

    i4toolsuuozp.top

    i4toolsllsk.top

    youdaovavxl.top

    youdaxxddxk.top

    youdaovavxk.top

    ydbao11.cyou

    youdaooosssj.top

    qishuiyinyque-vip.top

    i4toolsuuoxk.top

    i4toolscacsm.top

    youdaxxyzr.top

    i4toolscaczu.top

    youdaxxyzy.top

    xiazaizhadia31.cyou

    guwaanzh1.cyou

    xiazaizhadia11.cyou

    anydesk-www.cyou

    i4.llllxiazai-web.vip

    yqmqhjgn.com

    djbzdhygj.com

    xiaofeige.icu

    1235saddfs.icu

    IP Addresses:

    156.251.25.112

    156.251.25.43

    154.82.84.227

    103.181.134.138

    95.173.197.195

    Hashes (SHA-256):

    c37d0c9c9da830e6173b71a3bcc5203fbb66241ccd7d704b3a1d809cadd551b2

    495ea08268fd9cf52643a986b7b035415660eb411d8484e2c3b54e2c4e466a58

    7267a303abb5fcae2e6f5c3ecf3b50d204f760dabdfc5600bd248fcfad3fc133

    299e6791e4eb85617c4fab7f27ac53fb70cd038671f011007831b558c318b369

    1395627eca4ca8229c3e7da0a48a36d130ce6b016bb6da750b3d992888b20ab8

    2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454

    18a21dbc327484b8accbd4a6d7b18608390a69033647099f807fdbfdcfff7e6d

    dbe70991750c6dd665b281c27f7be40afea8b5718b097e43cd041d698706ade4

    e8c058acfa2518ddc7828304cf314b6dd49717e9a291ca32ba185c44937c422b

    491872a50b8db56d6a5ef1ccabe8702fb7763da4fd3b474d20ae0c98969acfe5

    bc6fb2eab9ed8d9eb405f6186d08e85be8b1308d207970cc41cf90477aa79064

    bd4635d582413f84ac83adbb4b449b18bac4fc87ca000d0c7be84ad0f9caf68e

    1c3f2530b2764754045039066d2c277dff4efabd4f15f2944e30b10e82f443c0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "xiazaizhadia42.cyou" or url like "xiazaizhadia42.cyou" or siteurl like "xiazaizhadia42.cyou" or domainname like "youdaxxyzr.top" or url like "youdaxxyzr.top" or siteurl like "youdaxxyzr.top" or domainname like "xiazailianjieoss.com" or url like "xiazailianjieoss.com" or siteurl like "xiazailianjieoss.com" or domainname like "guwaanzh35.cyou" or url like "guwaanzh35.cyou" or siteurl like "guwaanzh35.cyou" or domainname like "qishuiyinyque-vip.top" or url like "qishuiyinyque-vip.top" or siteurl like "qishuiyinyque-vip.top" or domainname like "xiazaizhadia35.cyou" or url like "xiazaizhadia35.cyou" or siteurl like "xiazaizhadia35.cyou" or domainname like "i4toolsllsk.top" or url like "i4toolsllsk.top" or siteurl like "i4toolsllsk.top" or domainname like "i4toolsuuozp.top" or url like "i4toolsuuozp.top" or siteurl like "i4toolsuuozp.top" or domainname like "yqmqhjgn.com" or url like "yqmqhjgn.com" or siteurl like "yqmqhjgn.com" or domainname like "xiazaizhadia44.cyou" or url like "xiazaizhadia44.cyou" or siteurl like "xiazaizhadia44.cyou" or domainname like "djbzdhygj.com" or url like "djbzdhygj.com" or siteurl like "djbzdhygj.com" or domainname like "xiazaizhadia9.cyou" or url like "xiazaizhadia9.cyou" or siteurl like "xiazaizhadia9.cyou" or domainname like "xiaobaituziha.com" or url like "xiaobaituziha.com" or siteurl like "xiaobaituziha.com" or domainname like "anydesk-www.cyou" or url like "anydesk-www.cyou" or siteurl like "anydesk-www.cyou" or domainname like "youdaooosssj.top" or url like "youdaooosssj.top" or siteurl like "youdaooosssj.top" or domainname like "xiazaizhadia51.cyou" or url like "xiazaizhadia51.cyou" or siteurl like "xiazaizhadia51.cyou" or domainname like "i4toolsuuoxk.top" or url like "i4toolsuuoxk.top" or siteurl like "i4toolsuuoxk.top" or domainname like "xiazaizhadia29.cyou" or url like "xiazaizhadia29.cyou" or siteurl like "xiazaizhadia29.cyou" or domainname like "guwaanzh34.cyou" or url like "guwaanzh34.cyou" or siteurl like "guwaanzh34.cyou" or domainname like "youdaohhzi.top" or url like "youdaohhzi.top" or siteurl like "youdaohhzi.top" or domainname like "xiazaizhadia19.cyou" or url like "xiazaizhadia19.cyou" or siteurl like "xiazaizhadia19.cyou" or domainname like "xiazaizhadia2.cyou" or url like "xiazaizhadia2.cyou" or siteurl like "xiazaizhadia2.cyou" or domainname like "xiazaizhadia24.cyou" or url like "xiazaizhadia24.cyou" or siteurl like "xiazaizhadia24.cyou" or domainname like "guwaanzh8.cyou" or url like "guwaanzh8.cyou" or siteurl like "guwaanzh8.cyou" or domainname like "i4.llllxiazai-web.vip" or url like "i4.llllxiazai-web.vip" or siteurl like "i4.llllxiazai-web.vip" or domainname like "xiazaizhadia36.cyou" or url like "xiazaizhadia36.cyou" or siteurl like "xiazaizhadia36.cyou" or domainname like "youdaqqaavw.top" or url like "youdaqqaavw.top" or siteurl like "youdaqqaavw.top" or domainname like "xiazaizhadia40.cyou" or url like "xiazaizhadia40.cyou" or siteurl like "xiazaizhadia40.cyou" or domainname like "xiazaizhadia1.cyou" or url like "xiazaizhadia1.cyou" or siteurl like "xiazaizhadia1.cyou" or domainname like "fs-im-kefu.7moor-fs1.com" or url like "fs-im-kefu.7moor-fs1.com" or siteurl like "fs-im-kefu.7moor-fs1.com" or domainname like "xiazaizhadia16.cyou" or url like "xiazaizhadia16.cyou" or siteurl like "xiazaizhadia16.cyou" or domainname like "xiazaizhadia41.cyou" or url like "xiazaizhadia41.cyou" or siteurl like "xiazaizhadia41.cyou" or domainname like "guwaanzh2.cyou" or url like "guwaanzh2.cyou" or siteurl like "guwaanzh2.cyou" or domainname like "xiazaizhadia34.cyou" or url like "xiazaizhadia34.cyou" or siteurl like "xiazaizhadia34.cyou" or domainname like "deep-seek.rest" or url like "deep-seek.rest" or siteurl like "deep-seek.rest" or domainname like "xiazaizhadia31.cyou" or url like "xiazaizhadia31.cyou" or siteurl like "xiazaizhadia31.cyou" or domainname like "xiazaizhadia8.cyou" or url like "xiazaizhadia8.cyou" or siteurl like "xiazaizhadia8.cyou" or domainname like "xiazaizhadia22.cyou" or url like "xiazaizhadia22.cyou" or siteurl like "xiazaizhadia22.cyou" or domainname like "xiazaizhadia18.cyou" or url like "xiazaizhadia18.cyou" or siteurl like "xiazaizhadia18.cyou" or domainname like "youdaovavxl.top" or url like "youdaovavxl.top" or siteurl like "youdaovavxl.top" or domainname like "xiazaizhadia27.cyou" or url like "xiazaizhadia27.cyou" or siteurl like "xiazaizhadia27.cyou" or domainname like "guwaanzh20.cyou" or url like "guwaanzh20.cyou" or siteurl like "guwaanzh20.cyou" or domainname like "1235saddfs.icu" or url like "1235saddfs.icu" or siteurl like "1235saddfs.icu" or domainname like "i4toolscaczu.top" or url like "i4toolscaczu.top" or siteurl like "i4toolscaczu.top" or domainname like "xiazaizhadia33.cyou" or url like "xiazaizhadia33.cyou" or siteurl like "xiazaizhadia33.cyou" or domainname like "guwaanzh21.cyou" or url like "guwaanzh21.cyou" or siteurl like "guwaanzh21.cyou" or domainname like "youdaxxyzy.top" or url like "youdaxxyzy.top" or siteurl like "youdaxxyzy.top" or domainname like "guwaanzh24.cyou" or url like "guwaanzh24.cyou" or siteurl like "guwaanzh24.cyou"

    Detection Query 2:

    domainname like "i4toolsearch.vip" or url like "i4toolsearch.vip" or siteurl like "i4toolsearch.vip" or domainname like "xiazaizhadia50.cyou" or url like "xiazaizhadia50.cyou" or siteurl like "xiazaizhadia50.cyou" or domainname like "xiazaizhadia46.cyou" or url like "xiazaizhadia46.cyou" or siteurl like "xiazaizhadia46.cyou" or domainname like "xiazaizhadia39.cyou" or url like "xiazaizhadia39.cyou" or siteurl like "xiazaizhadia39.cyou" or domainname like "xiazaizhadia37.cyou" or url like "xiazaizhadia37.cyou" or siteurl like "xiazaizhadia37.cyou" or domainname like "xiazaizhadia30.cyou" or url like "xiazaizhadia30.cyou" or siteurl like "xiazaizhadia30.cyou" or domainname like "xiazaizhadia21.cyou" or url like "xiazaizhadia21.cyou" or siteurl like "xiazaizhadia21.cyou" or domainname like "xiazaizhadia20.cyou" or url like "xiazaizhadia20.cyou" or siteurl like "xiazaizhadia20.cyou" or domainname like "xiazaizhadia12.cyou" or url like "xiazaizhadia12.cyou" or siteurl like "xiazaizhadia12.cyou" or domainname like "xiazaizhadia10.cyou" or url like "xiazaizhadia10.cyou" or siteurl like "xiazaizhadia10.cyou" or domainname like "guwaanzh25.cyou" or url like "guwaanzh25.cyou" or siteurl like "guwaanzh25.cyou" or domainname like "ydbaoo52.cyou" or url like "ydbaoo52.cyou" or siteurl like "ydbaoo52.cyou" or domainname like "i4toolscacvi.top" or url like "i4toolscacvi.top" or siteurl like "i4toolscacvi.top" or domainname like "youdaxxddxk.top" or url like "youdaxxddxk.top" or siteurl like "youdaxxddxk.top" or domainname like "ydbao11.cyou" or url like "ydbao11.cyou" or siteurl like "ydbao11.cyou" or domainname like "i4toolscacsm.top" or url like "i4toolscacsm.top" or siteurl like "i4toolscacsm.top" or domainname like "guwaanzh1.cyou" or url like "guwaanzh1.cyou" or siteurl like "guwaanzh1.cyou" or domainname like "xiazaizhadia11.cyou" or url like "xiazaizhadia11.cyou" or siteurl like "xiazaizhadia11.cyou" or domainname like "xiaofeige.icu" or url like "xiaofeige.icu" or siteurl like "xiaofeige.icu"

    Detection Query 3:

    dstipaddress IN ("154.82.84.227","156.251.25.43","156.251.25.112","103.181.134.138","95.173.197.195") or srcipaddress IN ("154.82.84.227","156.251.25.43","156.251.25.112","103.181.134.138","95.173.197.195")

    Detection Query 4:

    sha256hash IN ("2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454","c37d0c9c9da830e6173b71a3bcc5203fbb66241ccd7d704b3a1d809cadd551b2","495ea08268fd9cf52643a986b7b035415660eb411d8484e2c3b54e2c4e466a58","7267a303abb5fcae2e6f5c3ecf3b50d204f760dabdfc5600bd248fcfad3fc133","299e6791e4eb85617c4fab7f27ac53fb70cd038671f011007831b558c318b369","1395627eca4ca8229c3e7da0a48a36d130ce6b016bb6da750b3d992888b20ab8","18a21dbc327484b8accbd4a6d7b18608390a69033647099f807fdbfdcfff7e6d","dbe70991750c6dd665b281c27f7be40afea8b5718b097e43cd041d698706ade4","e8c058acfa2518ddc7828304cf314b6dd49717e9a291ca32ba185c44937c422b","491872a50b8db56d6a5ef1ccabe8702fb7763da4fd3b474d20ae0c98969acfe5","bc6fb2eab9ed8d9eb405f6186d08e85be8b1308d207970cc41cf90477aa79064","bd4635d582413f84ac83adbb4b449b18bac4fc87ca000d0c7be84ad0f9caf68e","1c3f2530b2764754045039066d2c277dff4efabd4f15f2944e30b10e82f443c0")
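The four queries above match domains, IP addresses and SHA-256 hashes against the IoC list. The following is an added example, not code from the Gurucul advisory or the Unit 42 report: a small offline Python checker that applies the same IoC matching to dict-shaped log records. It takes the IoC values from the advisory (domains as a subset) and uses the same field names the queries use (`domainname`, `url`, `siteurl`, `dstipaddress`, `srcipaddress`, `sha256hash`); the log records are constructed for the example. It also shows two details the flat `like` clauses do not handle on their own: matching a subdomain of an IoC domain (`download.xiazaizhadia42.cyou`) without matching a lookalike that merely contains it (`deep-seek.rest.example.com`), and normalizing case and stray whitespace in the logged value.

```python
"""Offline IoC matcher mirroring the advisory's Detection Queries 1-4.

Added example, not the advisory's or Unit 42's code. IoC values are copied
from the advisory (domains are a subset); log records are constructed.
"""
from urllib.parse import urlsplit

# Subset of the advisory's domain IoCs (the full list is in the IoC section).
IOC_DOMAINS = {
    "xiazailianjieoss.com",
    "fs-im-kefu.7moor-fs1.com",
    "deep-seek.rest",
    "xiazaizhadia42.cyou",
    "xiazaizhadia22.cyou",
    "anydesk-www.cyou",
    "i4.llllxiazai-web.vip",
}

# All five IP IoCs from the advisory (Detection Query 3).
IOC_IPS = {
    "156.251.25.112", "156.251.25.43", "154.82.84.227",
    "103.181.134.138", "95.173.197.195",
}

# Two of the SHA-256 IoCs from the advisory (Detection Query 4).
IOC_SHA256 = {
    "c37d0c9c9da830e6173b71a3bcc5203fbb66241ccd7d704b3a1d809cadd551b2",
    "2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454",
}


def host_from_value(value):
    """Return the lower-cased hostname of a URL or bare host string.

    Whitespace is stripped first, so a padded value such as
    '  xiazaizhadia22.cyou' still matches (stray padding of that kind
    silently breaks a copy-pasted 'like' clause).
    """
    value = value.strip()
    if "://" not in value:
        value = "//" + value          # make urlsplit treat it as a netloc
    return (urlsplit(value).hostname or "").rstrip(".")


def matching_ioc_domain(host, ioc_domains=IOC_DOMAINS):
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    Matching is label-aligned: 'cdn.deep-seek.rest' matches 'deep-seek.rest',
    but 'deep-seek.rest.example.com' and 'notdeep-seek.rest' do not.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def check_record(record):
    """Return a list of (field, ioc) hits for one log record (a dict)."""
    hits = []
    for field in ("domainname", "url", "siteurl"):          # Queries 1 and 2
        value = record.get(field)
        if value:
            ioc = matching_ioc_domain(host_from_value(value))
            if ioc:
                hits.append((field, ioc))
    for field in ("dstipaddress", "srcipaddress"):           # Query 3
        value = record.get(field)
        if value and value.strip() in IOC_IPS:
            hits.append((field, value.strip()))
    value = record.get("sha256hash")                         # Query 4
    if value and value.strip().lower() in IOC_SHA256:
        hits.append(("sha256hash", value.strip().lower()))
    return hits


# Constructed sample records; only the IoC values come from the advisory.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://download.xiazaizhadia42.cyou/setup.exe"},
    {"id": 2, "domainname": "deep-seek.rest.example.com"},   # lookalike, no hit
    {"id": 3, "dstipaddress": "156.251.25.112", "url": "http://156.251.25.112/"},
    {"id": 4, "sha256hash": "C37D0C9C9DA830E6173B71A3BCC5203FBB66241CCD7D704B3A1D809CADD551B2"},
    {"id": 5, "domainname": "www.example.com", "dstipaddress": "203.0.113.5"},
]


def scan(records=SAMPLE_RECORDS):
    """Return [(record id, hits)] for every record with at least one hit."""
    results = []
    for record in records:
        hits = check_record(record)
        if hits:
            results.append((record["id"], hits))
    return results


if __name__ == "__main__":
    for record_id, hits in scan():
        print(record_id, hits)
```

Running the module prints hits for records 1, 3 and 4 only; record 2 is deliberately a lookalike that a substring match would flag but a label-aligned match correctly ignores. To use the full IoC set, paste the remaining domains and hashes from the IoC section into the two sets.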

    Reference:

    https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/


    Tags: Malware, RAT, Ghost RAT, Trio, Chorus, China, Gaming
