A recent variant of the Gh0st RAT malware, likely orchestrated by a Chinese threat actor, is targeting artificial intelligence experts in the US through a highly selective campaign. The campaign uses AI-themed phishing lures to distribute the SugarGh0st remote access trojan (RAT) to a specific list of fewer than 10 individuals. Proofpoint researchers identified the threat actor as 'UNK_SweetSpecter' and believe its objective is to obtain non-public information about generative artificial intelligence. The campaign is reminiscent of a cyberespionage effort by a Chinese threat actor last year, and SugarGh0st was found to possess advanced reconnaissance capabilities.

US AI experts targeted in a SugarGh0st RAT campaign

The malware can identify specific registry keys, exfiltrate data, move laterally within the network, load and execute malicious code, and enable full remote control of infected machines. The objective of this campaign appears to be harvesting generative AI secrets, possibly in response to US efforts to restrict Chinese access to AI technologies. The infection chain begins with AI-themed emails carrying zip archives sent to the targets; opening the archive ultimately leads to the deployment of SugarGh0st on the victim's system, which then communicates with a command-and-control (C2) server operated by the attacker.
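The infection chain above starts with a zip archive delivered by email. As an added example that is not part of the original article, the following Python script shows the kind of mail-gateway check a defender would run on such an attachment before it reaches a mailbox: it walks the archive (recursing into nested zips up to a depth limit) and flags executable or script members, document-looking double extensions such as `briefing.pdf.lnk`, archives nested deeper than it is willing to inspect, and data that is not a valid zip at all. The suffix lists, the depth limit and the sample archive are assumptions of this example; the article does not say what the campaign's archives contained.

```python
import io
import posixpath
import zipfile

# Member types that rarely belong in a legitimate document archive.
# Assumption: this list is a generic defender's choice; the article does not
# describe the contents of the campaign's zip archives.
EXECUTABLE_SUFFIXES = {
    ".exe", ".dll", ".scr", ".lnk", ".js", ".jse", ".vbs", ".vbe",
    ".hta", ".bat", ".cmd", ".ps1", ".wsf", ".msi", ".com",
}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
NESTED_ARCHIVE_SUFFIXES = {".zip"}


def _suffixes(member_name):
    """Return the lower-cased extension chain of a member, e.g. ('.pdf', '.lnk')."""
    base = posixpath.basename(member_name).lower()
    parts = base.split(".")
    return tuple("." + p for p in parts[1:])


def inspect_zip_attachment(data, max_depth=2, _depth=0):
    """Inspect a zip attachment given as bytes and return a report dict.

    members:    number of file members at this level
    findings:   list of (member_name, reason) tuples
    suspicious: True when at least one finding was recorded
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Malformed or non-zip payloads are treated as a finding, not an error.
        return {"members": 0, "findings": [("<root>", "not a valid zip")], "suspicious": True}

    with archive:
        members = [info for info in archive.infolist() if not info.is_dir()]
        for info in members:
            chain = _suffixes(info.filename)
            last = chain[-1] if chain else ""
            if last in EXECUTABLE_SUFFIXES:
                findings.append((info.filename, f"executable member {last}"))
                if len(chain) >= 2 and chain[-2] in DOCUMENT_SUFFIXES:
                    findings.append((info.filename, "document-looking double extension"))
            elif last in NESTED_ARCHIVE_SUFFIXES:
                if _depth + 1 >= max_depth:
                    findings.append((info.filename, "nested archive beyond inspection depth"))
                else:
                    inner = inspect_zip_attachment(archive.read(info), max_depth, _depth + 1)
                    findings.extend((f"{info.filename}/{n}", r) for n, r in inner["findings"])

    return {"members": len(members), "findings": findings, "suspicious": bool(findings)}


def build_sample_archive(malicious=True):
    """Constructed sample attachment; names and bytes are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Slides attached.")
        if malicious:
            # A nested zip hiding a shortcut file disguised as a PDF.
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("AI_briefing.pdf.lnk", b"\x4c\x00\x00\x00placeholder shortcut bytes")
            zf.writestr("materials.zip", inner.getvalue())
        else:
            zf.writestr("AI_briefing.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("malicious", "benign"):
        report = inspect_zip_attachment(build_sample_archive(malicious=(label == "malicious")))
        print(label, report)
```

The report is deliberately a plain dict so it can be fed into whatever quarantine or alerting logic the gateway already has; a real deployment would also cap total decompressed size to avoid zip-bomb payloads, which this example omits for brevity.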