The Gh0st Family


Introduction

This page is part of my series: Inside Different Generations of RATs, and serves as a reference hub for navigating Gh0st-related analysis articles.

It provides an overview of the Gh0st family, including its major versions and known variants.

If you are interested in the full series, please refer to the linked page above.

This page will be continuously updated as new research is added.

Gh0st

The Ghost (Gh0st) malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet.

Gh0st is an open-source application. A very large number of versions can be found on the internet (more than 30 versions, not including those with different names), released by different developers.

It is important to note that there is no official naming convention for Gh0st variants. Many versions were released by anonymous developers in underground communities, which can make identification confusing when analyzing samples.

One of the most well-known branches of the Gh0st family is DHL, which stands for Dà Huī Láng, the transliteration of “大灰狼” in Chinese. Both Gh0st and DHL were widely circulated during that period, and many people are confused about the relationship between them. In short, DHL is a branch of Gh0st. In fact, DHL frequently contains keywords such as GHOST and Gh0st.

Another well-known variant is Gh0stCringe, which is a more modern implementation reportedly used by several APT groups.

Overall, the original Gh0st project serves as the foundation for many later variants.

The Gh0st Family

timeline
    title Gh0st RAT Version History
    2008 : Beta 2.1 (Feb 9)
         : Beta 2.5 (Feb 26)
         : Beta 2.6 (March 20)
         : Beta 2.7 (March 24)
         : Beta 2.71 (March 26)
         : Beta 2.8 (April 16)
         : Beta 3.0 (May 10)
         : Beta 3.5 (May 17)
         : Beta 3.6 (May 22), open-source
         : Gh0st 1.0 Alpha (December)
    2011 : Gh0st 2011 (May)
    2012 : Gh0st 3.75 (May)
         : Gh0st 2012 (October)
    2013 : Gh0st 2013 (December)

The timeline was inferred from a combination of compiler timestamps, online analysis reports, log artifacts, and the “About” panels of the controller applications. While no official release dates exist, this multi-source approach allows for a coherent chronological mapping of Gh0st variants.


graph TD
    Gh0st("The Gh0st Family")
    gh0st_betav2_5("Gh0st RAT Beta 2.5")
    gh0st_betav2_8("Gh0st RAT Beta 2.8")
    gh0st_betav3_5("Gh0st RAT Beta 3.5")
    gh0st_betav3_6("Gh0st RAT Beta 3.6")
    gh0st_1_0_alpha("Gh0st RAT 1.0 Alpha")
    gh0st_2011("Gh0st 2011")
    gh0st_2012("Gh0st 2012")
    gh0st_2013("Gh0st 2013")
    Gh0st --> gh0st_betav2_5
    gh0st_betav2_5 --> gh0st_betav2_8
    gh0st_betav2_8 --> gh0st_betav3_5
    gh0st_betav3_5 --> gh0st_betav3_6
    gh0st_betav3_6 --> gh0st_1_0_alpha
    gh0st_1_0_alpha --> gh0st_2011
    gh0st_2011 --> gh0st_2012
    gh0st_2012 --> gh0st_2013
    click gh0st_betav2_5 "/2026/03/15/2026-3-15-Gh0st/" "Gh0st RAT Beta 2.5"
    click gh0st_betav2_8 "/2026/03/15/2026-3-15-Gh0st/" "Gh0st RAT Beta 2.8"
    click gh0st_betav3_5 "/2026/03/15/2026-3-15-Gh0st/" "Gh0st RAT Beta 3.5"
    click gh0st_betav3_6 "/2026/03/15/2026-3-15-Gh0st/" "Gh0st RAT Beta 3.6"
    click gh0st_1_0_alpha "/2026/03/20/2026-3-20-Gh0st/" "Gh0st RAT 1.0 Alpha"

Note: Some RAT versions have minimal changes; therefore, certain nodes in the family tree may point to the same article. This is intentional. The table below lists all analyzed RAT versions and editions, with each article corresponding to a distinct version to maintain clarity and avoid overlap.

| RAT Version | Article |
| --- | --- |
| Gh0st RAT Beta 2.5-3.6 | Analyzing Gh0st RAT Beta 2.5-3.6 |
| Gh0st RAT 1.0 Alpha | Analyzing Gh0st RAT 1.0 Alpha |

Future articles may cover additional branches such as DHL and Gh0stCringe. These variants may be linked to multiple nodes in the family tree depending on their lineage.

