
GhostWeaver: a PowerShell RAT with its own DNS and persistence

Kirk
6 min read
Tags: ghostweaver, powershell, rat, fileless, dga

This is a plain-language briefing. Read the full technical analysis →

GhostWeaver is a fileless PowerShell RAT (remote access trojan) that does something most malware doesn't bother with: it adapts its installation to whichever antivirus is running on the machine. It detects Norton? One persistence method. Webroot? A different one. Four modes total, selected at install time. The persistence installer that handles all of this scores 1 out of 76 on VirusTotal.

The name fits. GhostWeaver runs entirely in memory. No executable on disk, no DLL to find. It communicates over TLS on port 25658, a non-standard port that most egress rules don't inspect. It generates its own server addresses through four separate DGA (domain generation algorithm) routines that produce new domains on daily or weekly schedules. We decoded all four, connected to both live C2 servers, and watched them push identical payloads to our client within 170 ms.

No verification, no challenge-response. Just instant deployment.

AV vendors detect GhostWeaver as Pantera. TRAC Labs named it in February 2025. Recorded Future tracks the operator as TA582 (Mandiant calls them UNC4108). They sit downstream of the SocGholish fake browser update chain, which Huntress linked to over 10,000 compromised machines in 2025. GhostWeaver itself doesn't appear on underground forums, GitHub, Telegram, or any known cracked tool repository. It's not commodity malware. If you have it on a machine, it came from this operation. We cover the full operator attribution in our research post.

Four DGA algorithms and its own DNS

The domain generation system is the most interesting piece. Four separate algorithms run at different stages of the kill chain. The early ones generate delivery domains for the initial loader. The later ones generate addresses for GhostWeaver's live C2 traffic. Each algorithm produces 15-character domains on rotating schedules. Some use just lowercase letters, others mix in numbers.

But generating domains is only half the problem. The malware also needs those domains to resolve, and corporate DNS filtering exists to stop exactly that. GhostWeaver's answer: skip it entirely. It hardcodes five public DNS resolver addresses (run by Hurricane Electric, OpenDNS, Control D and Cloudflare) and queries them directly over the network. Your internal DNS, your sinkhole, your response policy zones -- none of them ever see the request. The queries go straight out to public infrastructure.

This is a deliberate design choice. Most malware just uses whatever DNS the system is configured with, which means a well-maintained DNS filtering setup can block or at least flag the traffic. GhostWeaver treats local DNS as hostile and routes around it. Combined with the non-standard port and TLS encryption, the traffic looks like this: an encrypted connection to a weird port, resolved through DNS that bypasses your filters. DNS filtering alone can't catch that. The controls that do work sit at the network edge: allow outbound port 53 only from your own resolvers, so a workstation talking DNS to the internet is itself the alert, and deny outbound TCP to ports you haven't explicitly approved, so a connection to 25658 is dropped and logged rather than quietly passed.
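The two network behaviours just described (DNS sent straight to public resolvers, and TLS to a port egress policy doesn't expect) are easy to express as flow-log checks. The script below is an added example written for this briefing, not GhostWeaver code and not our own tooling. It assumes a site policy (the sanctioned resolver addresses, the internal address ranges, and the approved TLS ports are placeholders), reads a constructed Zeek-style connection log embedded inline, and also carries a coarse shape check for the 15-character domains the DGAs produce.

```python
"""Egress checks for the behaviour described above: DNS that bypasses the
corporate resolver and TLS on an unexpected port. Added example, not GhostWeaver code."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed site policy (not from the write-up): the only resolvers hosts may talk
# to, the internal address ranges, and the only ports expected to carry outbound TLS.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SANCTIONED_TLS_PORTS = {443, 8443}
SUSPECT_PORT = 25658  # the C2 port named in the write-up

# Shape of the generated domains as described: a 15-character registrable label of
# lowercase letters, or letters and digits. Coarse, so use it to rank, not to block.
DGA_LABEL = re.compile(r"^[a-z0-9]{15}$")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    service: str   # Zeek-style service label: "dns", "ssl" or "-"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> list[str]:
    """Return finding tags for one flow; an empty list means nothing unusual."""
    findings = []
    if flow.dport == 53 and flow.dst not in SANCTIONED_RESOLVERS:
        # DNS not aimed at our resolvers never reaches our RPZ or sinkhole.
        findings.append("direct-public-dns" if not is_internal(flow.dst)
                        else "unsanctioned-internal-dns")
    if flow.service == "ssl" and flow.dport not in SANCTIONED_TLS_PORTS:
        findings.append("tls-nonstandard-port")
    if flow.dport == SUSPECT_PORT and not is_internal(flow.dst):
        findings.append("ghostweaver-port")
    return findings


def is_dga_shaped(fqdn: str) -> bool:
    """True when the second-level label matches the 15-character pattern."""
    labels = fqdn.lower().rstrip(".").split(".")
    return len(labels) >= 2 and bool(DGA_LABEL.match(labels[-2]))


def parse_conn_line(line: str) -> Flow:
    # Constructed TSV layout: src dst dport proto service
    src, dst, dport, proto, service = line.rstrip("\n").split("\t")
    return Flow(src, dst, int(dport), proto, service)


def scan(conn_log: str) -> dict[str, list[str]]:
    """Map 'dst:dport' to its findings, keeping only flows that raised one."""
    out = {}
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        flow = parse_conn_line(line)
        tags = classify(flow)
        if tags:
            out[f"{flow.dst}:{flow.dport}"] = tags
    return out


# Constructed sample log (documentation address space, not real observations).
SAMPLE_CONN_LOG = """\
10.0.5.21\t10.0.0.53\t53\tudp\tdns
10.0.5.21\t198.51.100.53\t53\tudp\tdns
10.0.5.21\t203.0.113.10\t443\ttcp\tssl
10.0.5.21\t203.0.113.10\t25658\ttcp\tssl
"""

if __name__ == "__main__":
    for key, tags in scan(SAMPLE_CONN_LOG).items():
        print(key, tags)
    print(is_dga_shaped("abcdefghijklmno.com"), is_dga_shaped("example.com"))
```

The first rule is the one that matters most here: once outbound port 53 is restricted to your resolvers, the hardcoded-resolver trick stops being an evasion and becomes the detection. The domain-shape check is deliberately weak on its own (plenty of legitimate 15-character domains exist) and is meant to prioritise which flagged flows to look at first.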

Sandbox-aware delivery

GhostWeaver doesn't get delivered to just anyone. Before the RAT arrives, a profiler called MintsLoader runs three checks on the target machine. It looks at whether it's a virtual machine, the GPU type, and the number of CPU cache levels. Each check produces a score. A real workstation with a discrete GPU scores around 7 billion. A sandbox VM scores around 160 billion -- 22 times higher.

We confirmed this works. When we submitted the delivery URLs to a sandbox, the server connected but withheld the payload. It only handed the RAT to machines that looked real. The scoring constants change with each deployment, but the algorithm stays the same, so the operator can tune it without a rebuild.

If you're a security team submitting URLs to auto-analysis hoping to get the payload, you probably won't. The system was built to identify exactly that scenario and deliver a decoy or nothing at all.

AV-aware persistence that cleans up after itself

Once GhostWeaver lands, the C2 pushes a 58 KB PowerShell persistence framework with 17 functions. It starts by bypassing UAC through the CMSTPLUA COM object, spoofing its own process metadata so it appears to be Windows Explorer; that satisfies the COM elevation check and gives it an elevated context without a prompt. Then it creates a scheduled task that runs every three minutes, disguised under the name of a real PowerShell function.

The four persistence modes range from a simple plaintext file to DPAPI (Data Protection API)-encrypted payloads. The encrypted version is bound to the current user's DPAPI master key, so it can only be decrypted by that user on that machine; lifted off the host, the blob is useless to an analyst without that key. The AV detection logic isn't cosmetic. Different antivirus products scan and hook scheduled tasks differently, and the mode selection appears designed to dodge the specific detection patterns each product uses.

After setting up the task, the installer disables the Task Scheduler operational event log. Not clearing it -- turning it off. Scheduling activity from that point forward leaves no trace in that log. The task definition itself still exists, though: the XML under C:\Windows\System32\Tasks and its entries under the TaskCache registry keys survive, so enumerating tasks still finds it even with the event trail gone. Then it kills the current GhostWeaver process and lets the scheduled task restart it within three minutes. Clean handoff, no orphaned processes.
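Because the task definition survives even when the event log is switched off, the task store is where to hunt. The script below is an added example for this briefing, not GhostWeaver's installer and not our own tooling. It parses the XML format Windows writes for each task, flags short repetition intervals that launch PowerShell with the usual hiding arguments, and runs against two constructed task definitions embedded inline (the task names, the five-minute threshold and the encoded-command argument are placeholders, not the real task's values).

```python
"""Triage of scheduled-task definitions for the persistence pattern described
above: a short repetition interval that launches PowerShell. Added example, not
GhostWeaver's installer. It parses the XML Windows writes for each task under
C:\\Windows\\System32\\Tasks."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SHORT_INTERVAL_SECONDS = 5 * 60   # assumed threshold; the write-up reports a 3-minute task
SHELLS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}
SUSPECT_ARGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|\biex\b|downloadstring)")
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value: str) -> int:
    """Convert the ISO 8601 duration used in task XML (e.g. PT3M) to seconds."""
    m = _DURATION.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _strip_namespaces(root):
    # Windows namespaces every element; dropping the prefix keeps the queries readable.
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def triage_task(xml_source, name: str = "<unnamed>") -> dict:
    """Summarise one task definition (str or bytes) and attach finding flags."""
    root = _strip_namespaces(ET.fromstring(xml_source))
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//Repetition/Interval") if e.text]
    shortest = min(intervals) if intervals else None
    commands = [(ex.findtext("Command", default="").strip(),
                 ex.findtext("Arguments", default="").strip())
                for ex in root.iterfind(".//Actions/Exec")]
    flags = set()
    if shortest is not None and shortest <= SHORT_INTERVAL_SECONDS:
        flags.add("short-repetition")
    for cmd, args in commands:
        if cmd.replace("\\", "/").split("/")[-1].lower() in SHELLS:
            flags.add("launches-powershell")
        if SUSPECT_ARGS.search(args):
            flags.add("suspicious-arguments")
    return {"name": name, "interval_s": shortest, "commands": commands, "flags": sorted(flags)}


def triage_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks") -> list[dict]:
    """Walk the live task store; files are UTF-16 with a BOM, so bytes go straight to the parser."""
    results = []
    for path in Path(tasks_dir).rglob("*"):
        if path.is_file():
            results.append(triage_task(path.read_bytes(), name=str(path.relative_to(tasks_dir))))
    return [r for r in results if r["flags"]]


# Constructed task definitions (vendor path, task names and arguments are placeholders).
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

SUSPECT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-w hidden -ep bypass -enc SQBFAFgAIAAo</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("benign-sample", BENIGN_TASK), ("constructed-sample", SUSPECT_TASK)):
        print(triage_task(xml, label))
```

Run `triage_tasks_dir()` from an elevated prompt on a suspect host. Pair it with `wevtutil gl Microsoft-Windows-TaskScheduler/Operational`, whose `enabled:` line tells you whether the log has been switched off; a disabled log on a host where it was previously on is itself worth a ticket.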

We connected to the live C2

We decoded the domain generation algorithms and confirmed which domains were currently resolving. Then we built a Python client that speaks GhostWeaver's protocol: TLS 1.0 (formally deprecated by RFC 8996 in 2021 and refused by default by modern TLS stacks), GZip-compressed JSON, 4-byte length headers on port 25658. We connected to both active C2 nodes.

Both accepted our beacon right away. Within 170 ms, each pushed the full persistence installer -- byte-identical payloads from separate servers on different hosts. The servers ran no checks. No challenge-response, no version check, no group verification. Complete the TLS handshake, send a well-formed beacon, get the payload. The operator either isn't concerned about researchers connecting or considers it a fair trade-off for uptime.
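To make the framing concrete, here is an added example of the message layer as the briefing describes it: a 4-byte length header, a GZip-compressed JSON body, both sides of the beacon run through the same codec in memory. It is written for this page and is not our research client. The header endianness (big-endian, body length only), the JSON field names and the frame-size cap are assumptions, as is the TLS 1.0 context helper, which shows what a modern Python/OpenSSL build needs before it will even complete that handshake.

```python
"""Message framing as the write-up describes it: a 4-byte length header followed
by a GZip-compressed JSON body, carried inside TLS. Added example to illustrate
the protocol shape; not the researchers' client. Assumptions: the length is
big-endian and counts only the body; field names below are placeholders."""
import gzip
import json
import ssl
import struct

MAX_FRAME = 16 * 1024 * 1024   # assumed cap so a hostile length can't force an unbounded allocation


def encode_frame(message: dict) -> bytes:
    body = gzip.compress(json.dumps(message, separators=(",", ":")).encode("utf-8"))
    return struct.pack(">I", len(body)) + body


class FrameReader:
    """Reassembles frames from a byte stream that may deliver partial or coalesced frames."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data: bytes) -> list[dict]:
        self._buf += data
        out = []
        while len(self._buf) >= 4:
            (n,) = struct.unpack(">I", self._buf[:4])
            if n > MAX_FRAME:
                raise ValueError(f"frame length {n} exceeds cap")
            if len(self._buf) < 4 + n:
                break                      # wait for the rest of this frame
            body = bytes(self._buf[4:4 + n])
            del self._buf[:4 + n]
            out.append(json.loads(gzip.decompress(body).decode("utf-8")))
        return out


def tls10_client_context() -> ssl.SSLContext:
    """Context pinned to TLS 1.0, which current Python/OpenSSL refuse by default. Research use only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # the C2 certificate is not one we would ever trust
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL-specific: permit the legacy suites TLS 1.0 needs
    return ctx


def simulate_exchange() -> list[dict]:
    """Both sides of the beacon as the write-up narrates it, run through the codec in memory."""
    client, server = FrameReader(), FrameReader()
    # Client beacon (field names are placeholders, not the real protocol).
    (beacon,) = server.feed(encode_frame({"type": "beacon", "id": "constructed-host-id"}))
    assert beacon["type"] == "beacon"
    # The server answers at once with a task and then a keepalive; the bytes are
    # handed over in two reads to show the reader reassembling a split frame.
    wire_down = (encode_frame({"type": "task", "script": "<installer omitted>"})
                 + encode_frame({"type": "ping"}))
    return client.feed(wire_down[:7]) + client.feed(wire_down[7:])


if __name__ == "__main__":
    for msg in simulate_exchange():
        print(msg)
```

A real client would wrap a TCP socket to port 25658 with `tls10_client_context().wrap_socket(...)` and pass every `recv()` into one `FrameReader`; the length cap and the partial-read handling are the two things a quick script usually gets wrong and a hostile server can exploit.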

Both servers then settled into sending keepalive pings every 15 seconds. No further commands while we watched. The plugin system supports credential theft from browsers, Outlook, and crypto wallets, web injection via MITM (man-in-the-middle) proxy, and pushing the initial loader back to the victim. The loader can reinstall the RAT, and the RAT can redeploy the loader. It's a loop.

What makes GhostWeaver hard to catch

Most malware gets one or two evasion tricks right. GhostWeaver closes off detection at every layer. Fileless execution means no binary on disk for EDR to flag. Custom DNS resolution skips your internal filtering entirely. TLS on a non-standard port means the traffic is encrypted and going somewhere most egress rules don't watch. The persistence installer uses polymorphic obfuscation -- unique string encodings generated at install time -- so every copy looks different to static scanners. That's how it scores 1/76 on VirusTotal. And after setup, it turns off the Task Scheduler event log so the scheduled task leaves no forensic trail.

No single one of these is new. But stacked together, they mean a defender has to be checking disk, memory, DNS, egress policy, and event logs to catch this. Miss any one layer and the RAT sits quietly, restarted by its scheduled task every three minutes and keeping its C2 session alive, until someone looks in the right place.

We published seven YARA rules covering the full kill chain on GitHub. For the full technical analysis, see GhostWeaver: a malware that lives up to its name.