Keypoints
- GhostSec and Stormous collaborate in double-extortion campaigns and launched a joint RaaS program (STMX_GhostLocker).
- GhostLocker 2.0 is a Golang ransomware that persists via the Windows Startup folder and uses AES-256 keys (32-byte secret generation).
- The ransomware contacts a C2 at 94[.]103[.]91[.]246 (endpoints: /incrementLaunch, /addInfection, /upload) to register infections and exfiltrate files via HTTP POST.
- GhostLocker 2.0 exfiltrates and encrypts target document file types (.doc, .docx, .xls, .xlsx), appending the “.ghost” extension and dropping Ransomnote.html on the desktop.
- The GhostLocker builder supplies affiliates with options for persistence modes, process/service termination, UAC bypass, target directories, and detection-evasion commands.
- GhostSec developed web-targeting tools: a Python “Deep Scan” scanner (BeautifulSoup/BuiltWith) and “GhostPresser,” an XSS/admin-bypass script for WordPress to manipulate themes, plugins, users and settings.
- Talos located GhostLocker 2.0 C2 infrastructure and published detection artifacts (Snort SIDs and ClamAV signature) and IOCs for defenders.
MITRE Techniques
- [T1547.001] Boot or Logon Autostart Execution – Used for persistence by copying the ransomware to the Windows Startup folder. (‘GhostLocker 2.0 copies itself to the Windows Startup folder to establish persistence.’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and command exchange over HTTP with specific endpoints. (‘establishes the connection to the C2 server through the URL hxxp[://]94[.]103[.]91[.]246[/]incrementLaunch.’)
- [T1041] Exfiltration Over C2 Channel – Target files are uploaded to the C2 using HTTP POST before encryption. (‘upload the target files to the C2 server through the URL “hxxp[://]94[.]103[.]91[.]246[/]upload” using HTTP post method.’)
- [T1486] Data Encrypted for Impact – Files are encrypted and given a new extension to disrupt availability. (‘encrypts the targeted files and appends “.ghost” as the file extension for the encrypted files.’)
- [T1190] Exploit Public-Facing Application – Cross-site scripting (XSS) against WordPress sites via GhostPresser to gain administrative actions. (‘likely leveraged their GhostPresser tool along with the cross-site scripting attack technique to compromise the websites.’)
- [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Builder options include techniques to bypass User Account Control. (‘bypass the User Account Controls (UAC).’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – The ransomware attempts to stop processes, services, and scheduled tasks to evade detection. (‘attempts to terminate the defined processes or services or Windows scheduled tasks … to evade detection.’)
- [T1098] Account Manipulation – GhostPresser can create new users and change settings on compromised WordPress instances. (‘Create a new user. … Change WordPress settings.’)
Indicators of Compromise
- [IP address] C2 server – 94[.]103[.]91[.]246 (GhostLocker 2.0 command-and-control)
- [C2 endpoints / URLs] C2 & exfiltration endpoints – hxxp[://]94[.]103[.]91[.]246/incrementLaunch, hxxp[://]94[.]103[.]91[.]246/addInfection, hxxp[://]94[.]103[.]91[.]246/upload
- [File extension / filename] Ransomware artifacts – encrypted files (*.ghost), dropped ransom note (Ransomnote.html)
- [File types targeted] Exfiltration targets – .doc, .docx, .xls, .xlsx (uploaded to C2 prior to encryption)
- [Detection signatures] IDS/AV signatures – Snort SIDs 62983-62989 and 300818-300820; ClamAV detection Win.Ransomware.GhostSec-10020906-0
GhostLocker 2.0 is a Golang-based ransomware that establishes persistence by copying a randomly-named binary into the Windows Startup folder, then initiates HTTP-based C2 communication to the server at 94[.]103[.]91[.]246 (endpoints observed: /incrementLaunch, /addInfection, /upload). On first run it generates a 32-byte secret, creates an in-memory JSON containing the encryption ID, infection metadata (IP, date, victim ID, ransom amount, encryption status) and posts that to the C2 to register the infection. The builder allows affiliates to configure persistence mode, target directories and extensions, kill specific processes/services or scheduled tasks, run arbitrary commands for evasion, and include UAC-bypass options.
Operationally, the sample analyzed exfiltrates targeted document files (.doc, .docx, .xls, .xlsx) to the C2 via HTTP POST prior to encryption, then encrypts the remaining targets, skipping system folders such as C:\Windows, and appends the “.ghost” extension. After encryption completes, it drops and launches an HTML ransom note (Ransomnote.html). The GhostLocker C2 panel registers deployed binaries and lets affiliates track encryption progress and gains; Talos located the active GhostLocker 2.0 C2 at the noted IP and observed AES-256 usage and the removal of the earlier watchdog component used by the Python versions.
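As an added defender-side example (not code from the Talos post or from the GhostLocker project), the script below runs the indicators listed above over constructed data: it flags HTTP requests to the three C2 endpoints on 94.103.91.246 in proxy-log lines and counts .ghost files and Ransomnote.html in a list of observed file paths. The proxy-log layout and the sample paths are assumptions.

```python
import re
from typing import Iterable

# Indicators from the summary above (defanged there, written in plain form here).
C2_IP = "94.103.91.246"
C2_PATHS = {"/incrementLaunch", "/addInfection", "/upload"}
RANSOM_NOTE = "ransomnote.html"
ENCRYPTED_EXT = ".ghost"

# Assumed proxy-log layout: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/\S*)? (?P<status>\d{3})$"
)

def scan_proxy_log(lines: Iterable[str]) -> list:
    """Return one hit per request that reaches a known GhostLocker 2.0 C2 endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["host"] != C2_IP:
            continue
        path = (m["path"] or "/").split("?", 1)[0]
        if path in C2_PATHS:
            # /upload carries the exfiltrated documents; the other two register the infection.
            stage = "exfiltration" if path == "/upload" else "registration"
            hits.append({"ts": m["ts"], "src": m["src"], "path": path, "stage": stage})
    return hits

def scan_file_paths(paths: Iterable[str]) -> dict:
    """Count encrypted (.ghost) files and collect ransom-note locations."""
    encrypted, notes = 0, []
    for p in paths:
        low = p.lower()
        if low.endswith(ENCRYPTED_EXT):
            encrypted += 1
        elif re.split(r"[\\/]", low)[-1] == RANSOM_NOTE:
            notes.append(p)
    return {"encrypted_files": encrypted, "ransom_notes": notes}

# Constructed sample telemetry for a stand-alone run (not real logs).
SAMPLE_LOG = [
    "2024-03-05T10:01:02Z 10.0.0.7 POST http://94.103.91.246/incrementLaunch 200",
    "2024-03-05T10:01:03Z 10.0.0.7 POST http://94.103.91.246/addInfection 200",
    "2024-03-05T10:01:09Z 10.0.0.7 POST http://94.103.91.246/upload 200",
    "2024-03-05T10:01:10Z 10.0.0.8 GET http://example.com/index.html 200",
    "2024-03-05T10:01:11Z 10.0.0.9 GET http://94.103.91.246/favicon.ico 404",
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.ghost",
    r"C:\Users\alice\Documents\report.docx.ghost",
    r"C:\Users\alice\Desktop\Ransomnote.html",
    r"C:\Windows\System32\notepad.exe",
]
```

Feed `scan_proxy_log` real proxy lines and `scan_file_paths` an EDR file-event export to apply the same checks in an investigation.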
For web-focused activity, GhostSec developed a Python “Deep Scan” reconnaissance toolkit (modules using BeautifulSoup and BuiltWith) to enumerate technologies, links, SSL/HSTS, sitemaps/robots, perform WHOIS, find broken links and prepare targeted CVE or file-type searches. GhostPresser is a WordPress-targeting shell script that leverages XSS and admin-bypass techniques to perform actions such as bypassing logins, toggling plugins, changing settings, creating users, updating core info and installing themes, enabling post-compromise site manipulation and potential data access or distribution.
Read more: https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/