A recent SugarGh0st RAT campaign, possibly run by China-affiliated actors, targeted US artificial intelligence experts to steal information. SugarGh0st, a variant of Gh0st RAT, is aimed at individuals tied to leading US AI organizations and is delivered with AI-themed phishing lures. Proofpoint identified the campaign, tracked as UNK_SweetSpecter, which targeted fewer than 10 individuals directly linked to a US AI organization.

US AI experts targeted by SugarGh0st RAT

The campaign aims to obtain non-public information about generative AI. The malware is an improved version of Gh0st RAT, a tool first seen in 2008 and long associated with China-linked threat groups; Cisco Talos previously spotted SugarGh0st in a cyberespionage campaign. SugarGh0st adds features for reconnaissance, searching for specific ODBC registry keys, loading malicious code, running custom commands, and exfiltration. The infection chain starts with AI-themed email lures carrying base64-encoded attachments that lead to deploying SugarGh0st on the victim's system, after which the implant communicates with a C2 server. The targeting of AI experts may be related to recent US government efforts to restrict Chinese access to generative AI technologies, suggesting the campaign could aim to harvest generative AI secrets through cyber theft by China-affiliated actors.
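The infection chain above hinges on a base64-encoded attachment whose real content differs from what the lure pretends it is. The following Python script is an added triage example (not code from the article, Proofpoint or Cisco Talos) that decodes every attachment in a message and compares the leading bytes with the declared MIME type, flagging executables and disguised archives. The sample message, the magic-byte table and the list of benign types are constructed for this demonstration.

```python
"""Triage helper: flag e-mail attachments whose decoded bytes look like
executable or archive content, regardless of the file name or MIME type
the sender declared.  Added example; not from the article or the vendors
it cites.  The sample message below is constructed for the demonstration."""
import email
import email.policy
from email.message import EmailMessage

# Leading bytes of content types commonly hidden behind innocent names.
# (Constructed table for this example; extend as needed.)
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-archive",
    b"Rar!\x1a\x07": "rar-archive",
    b"%PDF": "pdf",
}

# Declared MIME types a harmless document attachment would normally carry.
BENIGN_TYPES = {"application/pdf", "text/plain", "image/png", "image/jpeg"}


def classify(data: bytes) -> str:
    """Return a content label based on the decoded attachment's leading bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def is_suspicious(declared: str, actual: str) -> bool:
    """Executables are never expected in a document lure; archives are
    suspicious when they hide behind a benign declared type."""
    if actual.endswith("executable"):
        return True
    if actual.endswith("archive") and declared in BENIGN_TYPES:
        return True
    return False


def triage_attachments(raw_message: bytes) -> list[dict]:
    """Parse an RFC 5322 message and report each attachment with its file
    name, declared MIME type, actual content class and a suspicion flag."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        # get_content() transparently decodes base64 / quoted-printable bodies.
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        declared = part.get_content_type()
        actual = classify(data)
        findings.append({
            "filename": part.get_filename(),
            "declared": declared,
            "actual": actual,
            "suspicious": is_suspicious(declared, actual),
        })
    return findings


def build_sample_message() -> bytes:
    """Construct a demo e-mail (not a real lure) with a harmless text note
    and a PE-looking payload disguised as a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Generative AI research questionnaire"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment("Questionnaire notes.", subtype="plain", filename="notes.txt")
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="AI_questionnaire.pdf")  # base64 by default
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        print(finding)
```

Run it on a saved `.eml` by passing the file's bytes to `triage_attachments`; the check is deliberately independent of the file extension and `Content-Type` header, since both are under the sender's control.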
https://www.darkreading.com/cyberattacks-data-breaches/us-ai-experts-targeted-in-sugargh0st-rat-campaign