Chinese SugarGh0st RAT is targeting Uzbekistan and South Korea

by Kumar Hemant, 3 min read

A Chinese cyber espionage campaign targeting the government of Uzbekistan and users in South Korea has been uncovered. It uses a customised variant of the long-running Gh0st Remote Access Trojan (RAT) that the researchers have named SugarGh0st.

Cybersecurity researchers from Cisco Talos identified four samples associated with the campaign. One sample targeted the Ministry of Foreign Affairs in Uzbekistan and was delivered as a malicious archive containing a Windows Shortcut (LNK) file.

SugarGh0st, compiled on August 23, 2023, is a fully functional backdoor with the usual set of remote-control capabilities. It connects to hardcoded command-and-control (C2) domains, sends heartbeat packets and collects information about the infected machine. The RAT can take screenshots, access the victim’s camera, manipulate files, and clear Windows event logs to cover its tracks. Clearing the logs is itself a detectable event: Windows records event ID 1102 in the Security log and event ID 104 in the System log when those logs are cleared, so defenders who forward logs to a central collector keep that evidence even when the host copy is gone.

Upon execution, the LNK file dropped a decoy document named ‘Investment project details.docx’ containing content related to a presidential decree in Uzbekistan.

The remaining three decoy documents were written in Korean, suggesting South Korean targets. These documents, named ‘Account.pdf’, ‘MakerDAO MKR approaches highest since August.docx’ and ‘Equipment_Repair_Guide.docx’, were distributed using a malicious JavaScript file embedded in a Windows Shortcut.

Researchers also observed command-and-control (C2) requests coming from South Korean IP addresses.

Infection Chain 1. | Source: Cisco Talos

Researchers identified two distinct infection chains, both using multi-stage tactics to deliver the payload. The first one involves a malicious RAR file containing a Windows Shortcut file with a double extension, a document extension followed by .lnk, so that the shortcut passes for a document when Windows hides the real extension.

The JavaScript dropper embedded in the LNK file decrypts and executes the SugarGh0st RAT payload, an approach chosen to stay ahead of static detection.
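A practitioner triaging this kind of lure wants a quick check for the two traits the article describes: a shortcut whose name ends in a document extension plus .lnk, and a shortcut that carries extra data (such as a script) after the end of the ShellLink structure. The script below is an added example, not code from Cisco Talos or from this article. It walks the MS-SHLLINK layout (header, optional IDList and LinkInfo, the StringData fields, then the size-prefixed ExtraData blocks) to recover the command-line arguments and anything appended after the terminal block, and flags living-off-the-land binaries in the arguments. The sample shortcut, its file name and its appended script are constructed for the demonstration; they are not the real campaign artefacts.

```python
"""Triage Windows Shortcut (.lnk) lures: double extensions, LOLBin launchers
and data appended after the ShellLink structure.  Added example, not Talos code."""
import re
import struct

# MS-SHLLINK ShellLinkHeader constants
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}, little-endian
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

DOC_EXTS = (".docx", ".doc", ".pdf", ".xlsx", ".txt")      # document look-alikes before ".lnk"
LOLBINS = ("cmd", "powershell", "mshta", "wscript", "cscript",
           "regsvr32", "rundll32", "findstr", "certutil")    # launchers worth flagging in arguments
SCRIPT_MARKERS = (b"WScript", b"ActiveXObject", b"CreateObject", b"eval(")


def _read_string(data, off, unicode):
    """StringData field: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + count * 2].decode("utf-16-le", errors="replace"), off + count * 2
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Return (command_line_arguments, overlay) for a ShellLink blob."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size, then the IDList itself
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # uint32 size that includes the size field
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[name], off = _read_string(data, off, unicode)
    # ExtraData: size-prefixed blocks, terminated by a block whose size is < 4
    while off + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, off)
        if block_size < 4:
            off += 4
            break
        off += block_size
    return strings.get("arguments", ""), data[off:]   # anything left over is an overlay


def triage_lnk(filename, data):
    """Return the parsed arguments, overlay size and a list of human-readable findings."""
    args, overlay = parse_lnk(data)
    lower = filename.lower()
    findings = []
    if lower.endswith(".lnk") and any(lower[:-4].endswith(ext) for ext in DOC_EXTS):
        findings.append("double extension masquerading as a document")
    hits = sorted(set(re.findall(r"[a-z0-9]+", args.lower())) & set(LOLBINS))
    if hits:
        findings.append("launches " + ", ".join(hits))
    if overlay:
        findings.append(f"{len(overlay)} bytes appended after ExtraData")
        if any(marker in overlay for marker in SCRIPT_MARKERS):
            findings.append("appended data contains script markers")
    return {"arguments": args, "overlay_size": len(overlay), "findings": findings}


def build_lnk(arguments, overlay=b""):
    """Constructed test input: a minimal ShellLink with only COMMAND_LINE_ARGUMENTS set."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # zeroed attributes, timestamps, etc.
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + b"\x00\x00\x00\x00" + overlay   # terminal ExtraData block, then overlay


# Hypothetical lure: the shortcut carves a script out of itself with findstr and runs it.
SAMPLE_NAME = "Investment project details.docx.lnk"
SAMPLE_ARGS = ('/c findstr /b "var " "%CD%\\Investment project details.docx.lnk" > "%TEMP%\\x.js"'
               ' & wscript "%TEMP%\\x.js"')
SAMPLE_OVERLAY = b'var sh = new ActiveXObject("WScript.Shell");\r\n'
SAMPLE = build_lnk(SAMPLE_ARGS, SAMPLE_OVERLAY)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_NAME, SAMPLE))
```

The overlay check is the one that generalises: a legitimate shortcut ends at the terminal ExtraData block, so any bytes after it were put there on purpose, whatever the command line says.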

Infection Chain 2. | Source: Cisco Talos

The second infection chain uses the DynamicWrapperX loader to inject and run shellcode, ultimately delivering the SugarGh0st payload. DynamicWrapperX is a COM component that lets JScript and VBScript call Win32 API functions directly, which is what allows a plain script to allocate executable memory and jump into shellcode. The two chains show the threat actor’s willingness to vary its delivery methods between targets.

Metadata in the decoy files, including author names in simplified Chinese characters, pointed to the actors’ likely Chinese origin. The use of a Gh0st RAT variant, a tool long associated with Chinese-speaking threat actors, added weight to this assessment.

Chinese threat actors have also previously targeted Uzbekistan, which is consistent with the campaign’s focus on the Ministry of Foreign Affairs.

SugarGh0st, a customised and improved version of the Gh0st RAT, exhibits advanced features tailored for reconnaissance and remote administration tasks.

In August, China’s Flax Typhoon targeted organisations in Taiwan, another country that is not on friendly terms with the CCP.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
