PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps
Cybersecurity researchers have flagged a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features like keylogging, screen capture, audio capture, remote shell, and file transfer/execution.
The backdoor, according to Google's Managed Defense team, shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which had its source code publicly leaked in 2008.
PLAYFULGHOST's initial access pathways include the use of phishing emails bearing code of conduct-related lures or search engine optimization (SEO) poisoning techniques to distribute trojanized versions of legitimate VPN apps like LetsVPN.
"In one phishing case, the infection begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a .jpg extension," the company said. "When extracted and executed by the victim, the archive drops a malicious Windows executable, which eventually downloads and executes PLAYFULGHOST from a remote server."
Attack chains employing SEO poisoning, on the other hand, seek to deceive unsuspecting users into downloading a malware-laced installer for LetsVPN, which, when launched, drops an interim payload responsible for retrieving the backdoor components.
The infection is notable for leveraging methods such as DLL search order hijacking and side-loading to launch a malicious DLL that's then used to decrypt and load PLAYFULGHOST into memory.
Mandiant said it also observed a "more sophisticated execution scenario" wherein a Windows shortcut ("QQLaunch.lnk") file, combines the contents of two other files named "h" and "t" to construct the rogue DLL and sideload it using a renamed version of "curl.exe."

PLAYFULGHOST is capable of setting up persistence on the host using four different methods: Run registry key, scheduled task, Windows Startup folder, and Windows service. It boasts an extensive set of features that allow it to gather extensive data, including keystrokes, screenshots, audio, QQ account information, installed security products, clipboard content, and system metadata.
It also comes with capabilities to drop more payloads, block mouse and keyboard input, clear Windows event logs, wipe clipboard data, perform file operations, delete caches and profiles associated with web browsers like Sogou, QQ, 360 Safety, Firefox, and Google Chrome, and erase profiles and local storage for messaging applications such as Skype, Telegram, and QQ.
Some of the other tools deployed via PLAYFULGHOST are Mimikatz and a rootkit that's capable of hiding registry, files, and processes specified by the threat actor. Also dropped along with the download of PLAYFULGHOST components is an open-source utility called Terminator that can kill security processes by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
"On one occasion, Mandiant observed a PLAYFULGHOST payload being embedded within BOOSTWAVE," the tech giant said. "BOOSTWAVE is a shellcode that acts as in-memory dropper for an appended Portable Executable (PE) payload."
The targeting of applications like Sogou, QQ, and 360 Safety and the use of LetsVPN lures raise the possibility that these infections are targeting Chinese-speaking Windows users. In July 2024, Canadian cybersecurity vendor eSentire revealed a similar campaign that leveraged fake installers for Google Chrome to propagate Gh0st RAT using a dropper dubbed Gh0stGambit.
Bad Tenable plugin updates take down Nessus agents worldwide
U.S. Sanctions Chinese Cybersecurity Firm for State-Backed Hacking Campaigns
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
HighPII Disclosure
LowInsufficient Site Isolation Against Spectre Vulnerability
InformationalGraphQL Endpoint Supports Introspection
InformationalBase64 Disclosure in WebSocket message
MediumBypassing 403
InformationalUser Agent Fuzzer
Free online web security scanner