Threat Intelligence Report: GHOST RAT C2 Infrastructure Investigation
TLP:CLEAR — This report may be freely shared without restriction.
Report Metadata
| Field | Details |
|---|---|
| Report ID | SDI-2025-002 |
| Date | March 5, 2025 |
| Analyst | Sam Dalgleish (CyberFrenchie) |
| Threat Category | Remote Access Trojan (RAT) |
| Primary IOC | 122.199.149.129 |
| Confidence Level | Medium |
| Classification | TLP:CLEAR |
1. Executive Summary
This report documents an investigation into a suspected GHOST RAT command-and-control (C2) infrastructure node centred on IP address 122.199.149.129. The IP is registered to KX NexG Co., Ltd. in Seoul, South Korea, and has been flagged by security vendors as potentially linked to GHOST RAT activity.
Geolocation data is consistent across all sources, confirming South Korean hosting. The absence of open port data from Shodan suggests the infrastructure may be operating with a low exposure profile, consistent with concealed C2 activity. VirusTotal reports 11 of 94 vendors flagging the IP as malicious.
2. Threat Background
GHOST RAT (also known as Gh0st RAT) is a well-documented remote access trojan with origins traced to Chinese-speaking threat actors, first observed around 2008. It has since been widely adopted and modified by multiple threat groups globally.
Key capabilities:
- Full remote system control
- Real-time screen capture and keylogging
- Microphone and webcam access
- File system access and data exfiltration
- Encrypted C2 communications
- Persistence via registry and service modifications
GHOST RAT has been used in both targeted espionage campaigns and opportunistic cybercrime operations, making attribution to a single actor difficult.
3. Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 122.199.149.129 | IP Address | Suspected GHOST RAT C2 infrastructure |
| bb7f474008142e7f8a81dfd3bb121b99e23bc262c2ef34c83cd33cc3db5f5509 | SHA-256 | GHOST RAT sample linked to this IP |
| nexg.net | Domain | Domain associated with the hosting infrastructure |
4. Infrastructure Analysis
4.1 WHOIS
| Field | Value |
|---|---|
| IP | 122.199.149.129 |
| Organisation | KX NexG Co., Ltd |
| Country | South Korea |
| Abuse Contact | irt@nic.or.kr (KRNIC) |
The IP falls within a range allocated to KX NexG Co., Ltd., a South Korean company. The abuse contact routes through KRNIC (Korean Network Information Center), the national internet registry.
4.2 Shodan
| Field | Value |
|---|---|
| Location | Seoul, South Korea |
| Organisation | KX NexG Co., Ltd |
| Open Ports | None identified |
The absence of open port data is notable. This could indicate the host is firewalled, temporarily offline, or deliberately limiting its exposure — a pattern consistent with C2 infrastructure attempting to avoid detection.
4.3 Geolocation Analysis
| Source | Location |
|---|---|
| Shodan | Seoul, South Korea |
| IPInfoDB | Seoul, South Korea |
| WHOIS | South Korea |
Unlike the Remcos investigation, geolocation is fully consistent across all three sources. This reduces the likelihood of a VPN exit node and increases confidence that the infrastructure is genuinely South Korea-based. However, South Korean infrastructure is commonly co-opted or rented by external threat actors.
5. Malware Analysis
5.1 Sample Details
| Field | Value |
|---|---|
| SHA-256 | bb7f474008142e7f8a81dfd3bb121b99e23bc262c2ef34c83cd33cc3db5f5509 |
| File Type | DLL |
| MD5 | Not available |
| SHA-1 | Not available |
| Analysis Date | March 5, 2025 |
5.2 Behavioural Indicators
Based on VirusTotal analysis and known GHOST RAT behaviour:
- Remote Access — IP assessed as C2 endpoint for remote control of compromised hosts
- Data Exfiltration — Malware capable of extracting files and credentials from infected systems
- Persistence — Registry modifications consistent with maintaining long-term access
- Detection Rate — 11/94 vendors on VirusTotal flagging as malicious (low-moderate detection)
The low detection rate (11/94) may indicate a modified or less common variant, or that the sample is not widely circulated enough to have broad signature coverage.
6. Attribution Assessment
| Assessment | Confidence |
|---|---|
| IP is part of GHOST RAT C2 infrastructure | Medium |
| KX NexG Co., Ltd. is complicit | Low |
| Infrastructure operated by external threat actor using South Korean hosting | Medium |
The South Korean hosting does not indicate a South Korean threat actor. GHOST RAT has historically been used by Chinese-speaking APT groups, and South Korean data centres are frequently leveraged by external actors as a relay or hosting point.
7. Recommended Actions
- Block IP 122.199.149.129 and domain nexg.net at perimeter
- Scan endpoints for the identified SHA-256 hash using EDR/XDR tooling
- Monitor outbound traffic for connections to this IP
- Report abuse to irt@nic.or.kr (KRNIC)
- Continue monitoring — the low open port exposure suggests this may be an active but intentionally quiet C2 node
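As an added illustration of the blocking, hash-scanning and outbound-monitoring actions above (example code written for this report, not tooling from the original), the script below sweeps key=value style log lines for the three indicators in section 3; the log lines, field names and host names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from this report's IOC table (section 3).
IOC_IPS = {"122.199.149.129"}
IOC_DOMAINS = {"nexg.net"}
IOC_SHA256 = {"bb7f474008142e7f8a81dfd3bb121b99e23bc262c2ef34c83cd33cc3db5f5509"}

# Constructed sample log lines (not from the report): a firewall line, two DNS
# query lines and an EDR file-hash line, all in a simple key=value format.
SAMPLE_LOGS = [
    "src=10.0.0.5 dst=122.199.149.129 dport=443 action=allow",
    "src=10.0.0.7 dst=93.184.216.34 dport=443 action=allow",
    "client=10.0.0.9 query=mail.nexg.net type=A",
    "client=10.0.0.9 query=nexg.net.example.org type=A",
    "host=WS-042 file=svc.dll sha256=bb7f474008142e7f8a81dfd3bb121b99e23bc262c2ef34c83cd33cc3db5f5509",
]

KV = re.compile(r"(\w+)=(\S+)")
IP_KEYS = {"src", "dst", "ip"}          # assumed field names for IP addresses
DOMAIN_KEYS = {"query", "sni", "fqdn"}  # assumed field names for host names

@dataclass(frozen=True)
class Hit:
    kind: str   # "ip", "domain" or "sha256"
    value: str  # the matched value from the log line
    line: str   # the log line that produced the match

def domain_matches(name: str, ioc: str) -> bool:
    """True if name equals the IOC domain or is a subdomain of it.
    The label-boundary check stops 'nexg.net.example.org' from matching."""
    name = name.lower().rstrip(".")
    return name == ioc or name.endswith("." + ioc)

def scan_line(line: str) -> list:
    """Return every IOC hit found in one key=value log line."""
    hits = []
    for key, val in KV.findall(line):
        if key in IP_KEYS and val in IOC_IPS:
            hits.append(Hit("ip", val, line))
        elif key in DOMAIN_KEYS and any(domain_matches(val, d) for d in IOC_DOMAINS):
            hits.append(Hit("domain", val.lower(), line))
        elif key == "sha256" and val.lower() in IOC_SHA256:
            hits.append(Hit("sha256", val.lower(), line))
    return hits

def scan_logs(lines) -> list:
    return [hit for line in lines for hit in scan_line(line)]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"[{hit.kind}] {hit.value} <- {hit.line}")
```

Because the IOC table describes nexg.net as the hosting organisation's domain rather than a malware-specific one, treat domain hits as lower-fidelity than IP or hash hits and triage them before blocking.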
8. Confidence Assessment
Overall Confidence: Medium
Corroborated across ThreatFox, Shodan, VirusTotal, and IPInfoDB. Confidence is capped at Medium due to limited malware sample data (no MD5/SHA-1, unknown file analysis environment) and the low VirusTotal detection rate, which leaves open the possibility of a false positive or benign infrastructure misattribution.