The Gh0st Family


Introduction

This page is part of my series: Inside Different Generations of RATs, and serves as a reference hub for navigating Gh0st-related analysis articles.

It provides an overview of the Gh0st family, including its major versions and known variants.

If you are interested in the full series, please refer to the linked page above.

This page will be continuously updated as new research is added.

Gh0st

The Ghost (Gh0st) malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet.

Gh0st is an open-source application. Numerous versions can be found on the internet (more than 30, not including those with different names), released by different developers.

It is important to note that there is no official naming convention for Gh0st variants. Many versions were released by anonymous developers in underground communities, which can make identification confusing when analyzing samples.

One of the most well-known branches of the Gh0st family is DHL, which stands for Dà Huī Láng — the transliteration of “大灰狼” in Chinese. Both Gh0st and DHL were widely circulated during that period, and many people are confused about the relationship between them. In short, DHL is a branch of Gh0st. In fact, DHL frequently contains keywords such as GHOST and Gh0st.

Another well-known variant is Gh0stCringe, which is a more modern implementation reportedly used by several APT groups.

Overall, the original Gh0st project serves as the foundation for many later variants.

The Gh0st Family

graph TD
    Gh0st("Gh0st")
    gh0st_betav2_5("Ghost RAT Beta 2.5")
    gh0st_betav2_8("Ghost RAT Beta 2.8")
    gh0st_betav3_5("Gh0st RAT Beta 3.5")
    gh0st_betav3_6("Gh0st RAT Beta 3.6")
    gh0st_alpha1_0("Gh0st RAT 1.0 Alpha")
    gh0st_2011("Gh0st 2011")
    gh0st_2012("Gh0st 2012")
    gh0st_2013("Gh0st 2013")

    Gh0st --> gh0st_betav2_5
    gh0st_betav2_5 --> gh0st_betav2_8
    gh0st_betav2_8 --> gh0st_betav3_5
    gh0st_betav3_5 --> gh0st_betav3_6
    gh0st_betav3_6 --> gh0st_alpha1_0
    gh0st_alpha1_0 --> gh0st_2011
    gh0st_2011 --> gh0st_2012
    gh0st_2012 --> gh0st_2013

    click gh0st_betav2_5 "https://iss4cf0ng.github.io/2026/03/15/2026-3-15-Gh0st/" "Ghost RAT Beta 2.5"
    click gh0st_betav2_8 "https://iss4cf0ng.github.io/2026/03/15/2026-3-15-Gh0st/" "Ghost RAT Beta 2.8"
    click gh0st_betav3_5 "https://iss4cf0ng.github.io/2026/03/15/2026-3-15-Gh0st/" "Ghost RAT Beta 3.5"
    click gh0st_betav3_6 "https://iss4cf0ng.github.io/2026/03/15/2026-3-15-Gh0st/" "Ghost RAT Beta 3.6"

Note: Some RAT versions have minimal changes; therefore, certain nodes in the family tree may point to the same article. This is intentional. The table below lists all analyzed RAT versions and editions, with each article corresponding to a distinct version to maintain clarity and avoid overlap.

| RAT Version | Article |
| --- | --- |
| Gh0st RAT Beta 2.5-3.6 | Analyzing Gh0st RAT Beta 2.5-3.6 |

Future articles may cover additional branches such as DHL and Gh0stCringe. These variants may be linked to multiple nodes in the family tree depending on their lineage.

