Dual-Payload Malware Explained: Gh0st RAT + CloverPlus Adware (How to Detect It)

Understanding Dual-Payload Malware Campaign

In April 2026, the Splunk Threat Research Team and other independent researchers analyzed a malware campaign that uses one hidden Windows loader to deliver both Gh0st RAT and CloverPlus adware.

The adware helps attackers make money quickly, while Gh0st RAT gives them continuous remote access to infected systems. This dual-payload method makes the attack more effective by combining immediate monetization with long-term compromise.

Windows organizations are especially at risk because the malware uses stealthy execution techniques and legitimate system tools to avoid detection.

What Do Gh0st RAT, Adware Loader, and Dual Payload Mean?

Gh0st RAT: A remote access trojan (RAT) that allows attackers to secretly control an infected computer, steal data, monitor activity, capture keystrokes, and run commands remotely.

Adware Loader: A malware program that installs or delivers adware onto a device, often leading to unwanted ads, browser changes, redirects, or user tracking.

Dual Payload: A malware delivery method where one loader drops two separate malicious payloads at the same time typically one for monetization, such as adware, and another for deeper compromise, such as a RAT.

What Is Happening in This Malware Attack?

How Do Attackers Gain Initial Access?

1. Initial infection occurs via malicious downloads or phishing based delivery mechanisms.
2. Users unknowingly execute a heavily obfuscated Windows loader.

How Are the Payloads Delivered and Executed?

1. The loader checks whether it is running from the %TEMP% directory.
2. If not, it copies itself to %TEMP% to bypass path based detections.
3. Two encrypted payloads are stored within the loader’s RSRC section.

What Does CloverPlus Adware Do?

• Deployed first to immediately monetize the infection.
• Modifies browser settings and injects advertisements.
• Associated with the executable wiseman.exe.

What Does Gh0st RAT Do After Infection?

• A malicious DLL is decrypted and written to a randomized folder under C:\.
• Executed using rundll32.exe (living off the land binary).
• Establish persistence via registry modifications or service creation.
• Connects command and control (C2) infrastructure using covert techniques.

How Does This Malware Avoid Detection?

• Uses ping based sleep delays to evade sandbox analysis.
• Deletes artifacts to reduce forensic footprint.
• Leverages dead drop resolvers hosted on legitimate web content.
• Manipulates access tokens using SeDebugPrivilege.

Which MITRE ATTACK Techniques Are Linked to This Threat?

1. T1059 – Command and Scripting Interpreter
2. T1105 – Ingress Tool Transfer
3. T1134 – Access Token Manipulation
4. 001 – Registry Run Keys / Startup Folder
5. 003 – Windows Service Creation
6. 001 – Keylogging
7. 004 – Application Layer Protocol: DNS
8. 001 – Dead Drop Resolver
9. 004 – Indicator Removal on Host (File Deletion)

Who Is Most Affected by This Malware Attack?

• SOC and Threat Intelligence teams
• Endpoint and IT administrators
• CISOs and security leaders
• Organizations with Windows desktop environments
• Industries with limited endpoint hardening or legacy systems.

Why Is This Dual-Payload Malware Attack Dangerous?

• Full System Compromise: Gh0st RAT provides attackers with full remote control over infected hosts.
• Credential Theft: Keylogging and credential harvesting enable lateral movement and privilege escalation.
• Persistent Backdoor Access: Long-term access increases the risk of future ransomware or data theft.
• Weakened Defenses: DNS manipulation and blocking security domains reduce visibility and protection.
• Business Disruption: Adware causes browser hijacking and user productivity loss while masking deeper threats.

How Can Security Teams Respond to This Threat?

Immediate

1. Block execution of DLLs from user writable and temporary directories.
2. Monitor and alert on rundll32.exe executing DLLs from non standard paths.
3. Isolate affected endpoints and initiate full forensic investigations.

Short Term

1. Deploy EDR/XDR detections for:
   • Access token manipulation
   • Registry based persistence
   • Ping based execution delays
2. Review and reset credentials for affected users.
3. Audit DNS configurations and hosts files for unauthorized changes.

Also consider validating your environment with a Microsoft 365 Security Review to identify configuration gaps early.

Mid / Long Term

1. Strengthen endpoint hardening and application control policies.
2. Expand behavioral based detection for LOLBin abuse.
3. Conduct user phishing awareness training focused on malicious downloads
4. Implement continuous threat hunting for dual payload malware behaviors.

Align your controls with Microsoft 365 security best practices.

Evaluate your posture with a Microsoft Zero Trust Assessment

What Indicators of Compromise Should Teams Watch For?

Which File and Process Indicators Suggest Infection?

• Execution of rundll32.exe loading DLLs from non‑standard or user‑writable paths
• Presence of suspicious DLL files in randomized folders under C:\
• Detection of wiseman.exe linked to CloverPlus adware installation

Which Behavioral Indicators Suggest Malicious Activity?

• DLL execution originating from %TEMP% directory
• Registry modifications related to:
  • Run / RunOnce keys
  • Unauthorized service creation
• Use of ping.exe with extended delay parameters (sandbox evasion)
• Access token manipulation using elevated privileges

How Can ProArch Help Defend Against Threats Like This?

Threats like this require stronger monitoring, faster response, and continuous visibility. ProArch supports organizations through: