FluffyGh0st
FluffyGh0st is a modular, plugin-based remote access trojan and a custom variant of the publicly available Gh0st RAT. It is designed to provide attackers with remote control of compromised systems, with fuller functionality enabled through additional plugins. Reported capabilities and associated tradecraft include remote access, command execution, file and folder manipulation, file upload and download, and broader data-harvesting support through its plugin architecture. It has been described as having a lighter footprint for evasive operation and as part of a shift away from fully featured Gh0st RAT variants toward more modular malware.
FluffyGh0st has been linked to China-aligned espionage activity, particularly the threat actor Unfading Sea Haze, and Sophos-tracked Crimson Palace has also been mentioned in connection with it. Bitdefender reported that Unfading Sea Haze, active since at least 2018 against primarily government and military organizations in South China Sea countries, transitioned in 2023/2024 from older tooling such as Ps2dllLoader, SilentGh0st, and TranslucentGh0st to newer modular Gh0st RAT variants including FluffyGh0st, InsidiousGh0st, and EtherealGh0st. In that broader campaign, the actor used spear-phishing with malicious ZIP/LNK archives, scheduled tasks, DLL sideloading, hidden administrator-account manipulation, ITarian RMM, and fileless MSBuild-based execution from remote SMB shares to maintain access and support espionage.
Unit 42 also observed FluffyGh0st in a 2025 cyberespionage campaign targeting a Southeast Asian government organization. In that activity, the China-linked cluster CL-STA-1049, assessed to overlap with Unfading Sea Haze, used a novel DLL loader named Hypnosis Loader delivered via DLL sideloading/proxy sideloading to install FluffyGh0st. One reported sideloading chain involved the legitimate Bitdefender executable seccenter.exe loading a malicious version.dll from C:\Program Files\Common Files\Bitdefender\SetupInformation\version.dll (SHA256: 9d7c8d3bc4ac108fb2602424a1f4918c051c2443f0526bbb2c970c8e57dbd90d), with the likely final payload bdusersy.dll assessed as plausibly FluffyGh0st. Reported command-and-control infrastructure included webmail.rpcthai[.]com. The malware was used in operations assessed to seek long-term persistent access and continuous data exfiltration from sensitive government networks.
The reporting cited here ties FluffyGh0st with high confidence to espionage-focused targeting of government and military entities in the South China Sea region and Southeast Asia, chiefly by China-aligned clusters including Unfading Sea Haze and CL-STA-1049.
Groups observed using it
5 distinct threat actors attributed by public researchers.
TranslucentGh0st, EtherealGh0st, and FluffyGh0st – Newest variants featuring dynamic plugin loading and lighter footprint for evasive operation.
Attackers deployed numerous malware families, including HIUPAN, PUBLOAD, EggStremeFuel, MASOL RAT, PoshRAT, TrackBak Stealer, Hypnosis Loader, and FluffyGh0st.
FluffyGh0st, linked to China-aligned groups like Unfading Sea Haze and Sophos-tracked Crimson Palace, enables remote control and plugin-based functionality, showing advanced persistence and espionage capabilities.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
The backdoors support commands for file and folder manipulation, command execution, file download and upload, and data harvesting
These alerts highlighted a DLL sideloading attack that used a legitimate Bitdefender executable, seccenter.exe.
Privilege Escalation
1 technique
Stealth
2 techniques
The loader injects itself, maintains execution, decrypts, and loads the final payload
ClaimLoader then uses an XOR key to decrypt an embedded shellcode payload and executes the shellcode... After patching the DLL's host process, Hypnosis loader creates a new thread to decrypt the name of the final payload (bdusersy.dll) with an RC4 key.
Command and Control
3 techniques
Variants of PUBLOAD use either HTTP or TCP for command-and-control (C2) communications. The sample we observed is a variant that uses TCP... Masol RAT... communicates with its C2 servers over HTTP POST... This malware uses Google Remote Procedure Call (gRPC) for C2 communication.
Masol RAT and EggStreme Loader provided backdoor access... FluffyGh0st... enables remote control and plugin-based functionality
The base domain rpcthai[.]com appears to be used for the website of a legitimate Thai-based company, which implies that attackers hijacked the domain and created webmail.rpcthai[.]com to act as a C2 server.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Malware family used in the campaign as part of persistent access and data exfiltration operations.
A remote access trojan with remote control and plugin-based functionality, used for persistent espionage operations.
RAT installed by Hypnosis Loader in CL-STA-1049 activity.
Custom Gh0st RAT variant associated with China-aligned activity. It provides remote access and extends functionality through plugins downloaded from embedded C2 servers, with configurations encrypted using RC4 and compressed with LZNT1.