New malware uses infected VPN apps to take over your device — here's how to stay safe
'PLAYFULGHOST' also uses SEO poisoning and phishing techniques to trick its victims.
Cybersecurity researchers have identified a new malware strain with an extensive set of information-gathering capabilities: screen capture, audio capture, a remote shell (which lets the threat actor launch further attacks), keylogging, and file transfer and execution. It's called PLAYFULGHOST, and it is known to be delivered through phishing or SEO poisoning campaigns that distribute trojanized VPN apps.
PLAYFULGHOST can establish persistence on the host in four different ways (a Run registry key, a scheduled task, the Windows Startup folder, or a Windows service), and its feature set lets it gather an extensive range of data: keystrokes and screenshots, as well as audio, QQ account information, installed security products, clipboard content and system metadata.
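Because all four persistence locations are ordinary Windows features, a defender can audit them directly. The following PowerShell script is an added example, not code from the article or from Google's report: it reads the Run keys, non-Microsoft scheduled tasks, the Startup folders and service binary paths, and flags command lines that reference user-writable directories (the list of roots it treats as user-writable is an assumption to tune for your environment).

```powershell
# Added example (not from the article): read-only audit of the four persistence
# locations described above. Legitimate autostart software usually lives under
# Program Files or the Windows directory, so user-writable roots are flagged (assumed list).
$UserWritableRoots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:windir\Temp")

function Test-UserWritablePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    foreach ($root in $UserWritableRoots) {
        # -match is case-insensitive; escape the root so its backslashes are literal
        if ($CommandLine -match [regex]::Escape($root)) { return $true }
    }
    return $false
}

function New-Finding($Source, $Name, $Command) {
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command
                       UserWritable = Test-UserWritablePath $Command }
}
$findings = @()

# 1. Run registry keys (per-user, machine-wide, and the 32-bit view)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |      # drop PowerShell's PS* metadata properties
        ForEach-Object { $findings += New-Finding 'RunKey' "$($key)\$($_.Name)" $_.Value }
}

# 2. Scheduled tasks outside the built-in \Microsoft\ task folder
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    $findings += New-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd
}

# 3. Startup folders (current user and all users)
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += New-Finding 'StartupFolder' $_.Name $_.FullName
}

# 4. Services whose binary path references a user-writable location
Get-CimInstance Win32_Service | Where-Object { Test-UserWritablePath $_.PathName } | ForEach-Object {
    $findings += New-Finding 'Service' $_.Name $_.PathName
}

$findings | Sort-Object UserWritable -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so the machine-wide keys and all services are readable; a flagged entry is a prompt for review, not proof of infection, since some legitimate updaters also run from ProgramData.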
The malware can also drop additional payloads, block mouse or keyboard input, clear Windows event logs, wipe clipboard data, perform file operations, delete caches, delete web browser profiles, and erase the profiles and storage of messaging apps.
It can additionally deploy Mimikatz, an open-source tool that extracts passwords; a rootkit capable of hiding registry keys, files and processes specified by the threat actor; and an open-source utility called Terminator, which kills security processes using a BYOVD (Bring Your Own Vulnerable Driver) attack.
PLAYFULGHOST's initial access path is usually a phishing email whose lure mentions a code of conduct violation, problem or issue. It is also known to use SEO poisoning to push a malicious version of a legitimate VPN app, such as LetsVPN.
In one case, a victim was tricked into opening a malicious RAR archive disguised as an image with a .jpg extension, which dropped a malicious Windows executable. That executable in turn downloaded and ran PLAYFULGHOST from a remote server. Google's Managed Defense team has said that the backdoor shares functionality with Gh0st RAT, whose source code was publicly leaked in 2008.
The SEO poisoning attacks try to get victims to download malware-laced installers for LetsVPN, which then drop an interim payload that retrieves the backdoor components.
A PLAYFULGHOST infection relies on DLL search order hijacking and sideloading to launch a malicious DLL, which decrypts PLAYFULGHOST and loads it into memory. The malware has also been observed using Windows shortcut files that combine multiple files to construct the rogue DLL, which is then sideloaded by a renamed executable.
How to stay safe from PLAYFULGHOST
Because PLAYFULGHOST relies on phishing, the best way to avoid it is to know the common phishing techniques and make sure you can recognize them. Only give personal information to legitimate websites and companies. Never click on an unexpected link or attachment. If you know the sender, contact them directly to find out what they sent and why before clicking through.
If you’re not expecting a code of conduct violation, don’t click on a link in an email. Contact the sender or your HR department to ask about the email first. Only download applications directly from a website you’ve gone to yourself, not from a link sent to you.
If your company contacts you about an urgent matter regarding your account, don't click anything in the email, text or message. Instead, go directly to the company's website by typing its web address manually into the browser's address bar and entering your login details yourself. This way you can make sure you've got the company name spelled correctly. (A common phishing technique is to misspell a company name, for example with a "0" instead of an "o.")
Maintain best practices with your online accounts: never reuse passwords, and remember that a password manager can help keep your passwords secure. Use two-factor authentication whenever possible. Keep one of the best antivirus programs current, updated and running on all your devices, both your PC and your mobile device.
We have recommendations for the best Android antivirus apps if you don't already have one installed. For added protection, make sure your antivirus program includes a real VPN, or offers a hardened browser as an extra layer of security.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.