Exorcising PLAYFULGHOST: How To Defend Your Network Against The Latest Stealthy VPN Malware

Cybersecurity researchers have identified a new malware called PLAYFULGHOST that is capable of extensive information gathering from infected devices, including capturing screens and audio, recording keystrokes, running remote shell commands, and transferring or executing files.

PLAYFULGHOST is typically delivered through phishing schemes or SEO poisoning, in which victims are tricked into downloading malicious VPN apps disguised as legitimate software, such as LetsVPN.

The infection process commonly starts with a phishing email claiming urgent issues like a code of conduct violation, or through a suspicious RAR archive masquerading as an image file, which ultimately leads to the installation of a malicious Windows executable that then downloads the malware from a remote server.

Once on a system, PLAYFULGHOST establishes persistence via multiple methods, including manipulating the Windows registry, creating scheduled tasks, placing files in the Windows Startup folder, or installing itself as a service.

After becoming resident, it harvests various types of data including clipboard contents, audio, QQ account details, installed security products, and system metadata. It also performs destructive operations, such as clearing event logs, wiping caches, and erasing browser and messaging-app profiles.

The malware employs advanced capabilities, allowing it to block mouse or keyboard input, inject or sideload rogue DLL files into memory through search order hijacking, and leverage combined Windows shortcuts to construct and sideload a malicious DLL.

PLAYFULGHOST is known to deploy other payloads such as Mimikatz to extract passwords, rootkits to hide files and processes, and a utility called Terminator which kills security processes using vulnerable drivers.

Source: https://www.tomsguide.com/computing/malware-adware/new-malware-uses-infected-vpn-apps-to-take-over-your-device-heres-how-to-stay-safe

Commentary

PLAYFULGHOST is a sophisticated malware strain first identified in early 2025 and known for its advanced information-gathering features and remote access capabilities.

Its development echoes the history of Gh0st RAT, a remote administration tool whose leaked source code in 2008 led to the proliferation of derivative threats.

To prevent PLAYFULGHOST and other infections, organizations and users should:

  • Train employees and users to recognize and avoid phishing attempts, including emails referencing urgent topics like code of conduct violations.
  • Advise staff to avoid downloading software from links provided in emails or search engine results and instead navigate directly to trusted vendor sites.
  • Ensure applications, especially VPNs, are obtained directly from official sources and not through bundled installers or third-party sites.
  • Implement advanced email security filtering to identify and quarantine suspicious attachments, especially compressed archives disguised as images.
  • Deploy endpoint protection solutions that can identify and block unauthorized DLL loading, side-loading attempts, and processes attempting persistence via registry keys, startup folders, or scheduled tasks.
  • Set up monitoring for unusual shortcut (.lnk) file behaviors and renamed binary executions that could sideload malware.
  • Maintain updated antivirus and anti-malware engines capable of detecting dynamic, multi-stage payloads and rootkit concealment techniques.
  • Harden workstations by restricting user permissions to install or execute unsigned software and binaries from outside the organization's trusted sources.
  • Keep systems patched and up to date to thwart exploits used for persistence or privilege escalation.
  • Educate users about the risks of SEO poisoning and advise them to avoid downloads from promoted results or ads in search engines.
  • Adopt password managers and enforce unique, strong passwords across business and personal accounts.
  • Enable multi-factor authentication company-wide to reduce risks of credential theft via malware payloads.
  • Monitor log files and system changes for signs of tampering, such as cleared event logs, altered browser profiles, or deleted security processes.
  • Regularly back up critical data and test restoration procedures to mitigate the impact of destructive malware actions.
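
The monitoring bullets above can be turned into concrete detection logic. The following Python example, added for this article and not part of the original report, scans Windows event records for the behaviours attributed to PLAYFULGHOST: Run-key writes, Startup-folder drops, scheduled-task creation, service installation, cleared event logs, and an unsigned DLL loaded from a user-writable directory (the side-loading pattern). It relies on well-known event IDs (Security 4698 and 1102, System 7045 and 104, Sysmon 7, 11 and 13); the event records, user names and file paths are constructed samples, not real telemetry, and `Event`, `classify` and `scan` are names chosen here.

```python
"""Flag Windows event records matching PLAYFULGHOST-style persistence,
anti-forensic and DLL side-loading behaviour.

Added example for this article; the event records below are constructed
samples, not telemetry from a real incident.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Event:
    source: str            # "Security", "System" or "Sysmon"
    event_id: int
    details: dict = field(default_factory=dict)


# Well-known Windows / Sysmon event IDs used as detection anchors.
SERVICE_INSTALLED = ("System", 7045)     # new service registered
TASK_CREATED = ("Security", 4698)        # scheduled task created
SECURITY_LOG_CLEARED = ("Security", 1102)
SYSTEM_LOG_CLEARED = ("System", 104)
SYSMON_IMAGE_LOAD = ("Sysmon", 7)        # DLL loaded into a process
SYSMON_FILE_CREATE = ("Sysmon", 11)
SYSMON_REG_VALUE_SET = ("Sysmon", 13)

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Directories an ordinary user can write to; a DLL loaded from here without
# a valid signature is a classic search-order hijacking indicator.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Downloads|Users\\Public)\\", re.IGNORECASE)


def classify(ev: Event) -> Optional[str]:
    """Return a finding string for a suspicious event, or None if benign."""
    key = (ev.source, ev.event_id)
    d = ev.details
    if key == SYSMON_REG_VALUE_SET and RUN_KEY_RE.search(d.get("TargetObject", "")):
        return f"persistence:run_key {d['TargetObject']} = {d.get('Details')}"
    if key == SYSMON_FILE_CREATE and STARTUP_DIR_RE.search(d.get("TargetFilename", "")):
        return f"persistence:startup_folder {d['TargetFilename']}"
    if key == TASK_CREATED:
        return f"persistence:scheduled_task {d.get('TaskName')}"
    if key == SERVICE_INSTALLED:
        return f"persistence:service {d.get('ServiceName')} -> {d.get('ImagePath')}"
    if key in (SECURITY_LOG_CLEARED, SYSTEM_LOG_CLEARED):
        return f"anti_forensics:log_cleared {ev.source} by {d.get('SubjectUserName', 'unknown')}"
    if (key == SYSMON_IMAGE_LOAD
            and d.get("Signed", "").lower() == "false"
            and USER_WRITABLE_RE.search(d.get("ImageLoaded", ""))):
        return f"sideload:unsigned_dll {d['ImageLoaded']} into {d.get('Image')}"
    return None


def scan(events: List[Event]) -> List[str]:
    """Run every record through classify() and keep the hits, in order."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records: five persistence/anti-forensic hits, two benign
# events, and one side-loading hit.
SAMPLE_EVENTS = [
    Event("Sysmon", 13, {"TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                         "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe"}),
    Event("Sysmon", 11, {"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.lnk"}),
    Event("Security", 4698, {"TaskName": "\\EdgeUpdateTask", "SubjectUserName": "alice"}),
    Event("System", 7045, {"ServiceName": "NetSvcHost", "ImagePath": "C:\\ProgramData\\nsh\\svc.exe"}),
    Event("Security", 1102, {"SubjectUserName": "alice"}),
    Event("Sysmon", 11, {"TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"}),
    Event("Sysmon", 13, {"TargetObject": "HKCU\\Software\\ExampleApp\\Theme", "Details": "dark"}),
    Event("Sysmon", 7, {"Image": "C:\\Users\\alice\\Downloads\\vpn_setup\\vpn_setup.exe",
                        "ImageLoaded": "C:\\Users\\alice\\Downloads\\vpn_setup\\version.dll",
                        "Signed": "false"}),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each finding names the mechanism (`persistence:*`, `anti_forensics:*`, `sideload:*`) so it can be routed to the right playbook; in production the same `classify` logic would sit behind a SIEM or EDR rule rather than iterate over an in-memory list, and the user-writable path list would be tuned to the organisation's own software deployment locations.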