# PLAYFULGHOST backdoor: A new cyber threat with multiple risks

## Introduction

Recently, there have been reports about attackers using popular VPN applications as a backdoor to spread malware, one of which is PLAYFULGHOST. PLAYFULGHOST is a new malware family with capabilities including keylogging, taking screenshots, recording audio, accessing remote shells, and transferring and executing files.

## Method of Spread

Google researchers analyzed a new malware family called **PLAYFULGHOST**, which supports many features including keylogging, taking screenshots, recording audio, remote shell access, and file transfer/execution.

The PLAYFULGHOST backdoor shares many functions with **Gh0st RAT**, whose source code was made public in 2008. However, the backdoor differs in its encryption method. According to a report by the Mandiant Defense Team from Google, this backdoor spreads through:

* Phishing emails with subjects like "code of conduct" to trick users into downloading the malware.
    
* Bundling malicious code with popular software like LetsVPN and distributing them through SEO poisoning (a method where attackers manipulate search engines, leading users to malicious or fake websites).
    

## Method of Attack

In the case of phishing, the attack chain starts by tricking users into opening a suspicious RAR file disguised as an image file with a .jpg extension. When users open and execute the compressed file, it drops a Windows executable used to download and execute the PLAYFULGHOST payload from a remote server.

In the case of SEO poisoning, victims are tricked into downloading a fake software installer, like LetsVPN, which allows downloading components of the backdoor from a remote server.

![image.png](https://www.googlecloudcommunity.com/gc/image/serverpage/image-id/134020iFE48BFBA6B2FFD75/image-size/large?v=v2&px=999 align="center")

![Phần mềm giả mạo bộ cài đặt LetsVPN](https://securityaffairs.com/wp-content/uploads/2025/01/image-7.png align="left")

PLAYFULGHOST uses DLL search order hijacking and side-loading techniques to execute a malicious DLL. Researchers at Mandiant discovered a complex case where a Windows shortcut was renamed "curl.exe" to load the malware.

According to a public report by Google: “Mandiant observed a second, more sophisticated execution scenario which begins with a Windows LNK file named “**QQLaunch.lnk”.** This LNK file combines a text file named “**h”** which contains the characters “MZ” and a second file “**t”** which contains the rest of PE payload to construct a new malicious DLL named “**libcurl.dll”**. Then, the LNK file launches “**QQLaunch.exe”**, a legitimate binary from Tencent QQ, which launches another legitimate binary “**TIM.exe”** which is a renamed version of the program **CURL**. **TIM.exe** then loads a malicious launcher DLL “**libcurl.dll”** which will decrypt and load the **PLAYFULGHOST** payload from an encrypted file named “**Debug.log”*.***“

![PLAYFULGHOST Malware: A Sophisticated Gh0st RAT Variant with Advanced ...](https://cdn-0.securityonline.info/wp-content/uploads/2024/12/QQL.png align="center")

Mandiant researchers have tracked malware families and tools related to **PLAYFULGHOST**, with the following information:

| Malware / Utility | Description | Use case |
| --- | --- | --- |
| **BOOSTWAVE** | **BOOSTWAVE** is a shellcode that acts as in-memory dropper for an appended Portable Executable (PE) payload. | On one occasion, Mandiant observed a **PLAYFULGHOST** payload being embedded within **BOOSTWAVE.** |
| **TERMINATOR** | **TERMINATOR** is an open-source tool written in C++ that reproduces Spyboy technique to terminate all EDR/XDR/AVs processes by abusing the **zam64.sys** driver. | Mandiant observed the utility being deployed under the name **1.sys** along with the download of **PLAYFULGHOST** components. |
| **QAssist.sys** | **QAssist.sys** is a rootkit embedded within **PLAYFULGHOST** capable of hiding registry, files, and processes specified by the threat actor. | While not observed being used, Mandiant assesses that the rootkit is intended to hide malicious activities on the system. |
| **CHROMEUSERINFO.dll** | **CHROMEUSERINFO.dll** is a DLL used by **PLAYFULGHOST** to retrieve Google Chrome user data including stored login credentials. | Mandiant observed an archive file containing **CHROMEUSERINFO.dll** along with other **PLAYFULGHOST** components. |

**PLAYFULGHOST** also has the ability to install Mimikatz, an open-source program used to extract passwords from computers. Additionally, it hides and maintains persistence through methods like registry keys, scheduled tasks, startup folders, and Windows services.

This backdoor can download additional payloads, block input like keyboard and mouse, delete event logs, clear the clipboard, erase browser data, and remove profiles for applications like Skype, Telegram, QQ...

Researchers at Google provide rules using Google Operations to detect **PLAYFULGHOST** activities.

## Recommendation

To prevent the spread of malware in general, and specifically for PLAYFULGHOST, **FPT Threat Intelligence** recommends the following:

* Do not open or follow instructions in emails from unknown senders or phishing emails.
    
* Do not download software from unknown sources, cracked software, or from untrustworthy websites.
    
* Increase user awareness, promote information security, and conduct phishing drills.
    

## Reference

1. [PLAYFULGHOST supports multiple information stealing features](https://securityaffairs.com/172707/malware/playfulghost-backdoor-capabilities.html)
    
2. [PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps](https://thehackernews.com/2025/01/playfulghost-delivered-via-phishing-and.html#:~:text=Cybersecurity%20researchers%20have%20flagged%20a%20new%20malware%20called,capture%2C%20audio%20capture%2C%20remote%20shell%2C%20and%20file%20transfer%2Fexecution.)
    
3. [Finding Malware: Unveiling PLAYFULGHOST with Googl... - Google Cloud Community](https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-PLAYFULGHOST-with-Google-Security/ba-p/850676)
