On January 25, 2024, Malwarebytes reported a newly identified campaign targeting Chinese users with trojanized Telegram and LINE installers, delivered through malvertising on Google ads. The Malwarebytes investigation reportedly traced some of the advertiser profiles to accounts in Nigeria.
The campaign delivers its malware as an MSI installer, so only Windows users are affected. The payload is consistent with Gh0st RAT, a full-featured remote access trojan, which points toward surveillance rather than financial fraud. Interestingly enough, as the Malwarebytes report notes, Telegram is banned in China, and Google search is blocked there as well, so a target would already need a VPN to reach the .hk Google search pages where the ads were displayed.
Gh0st RAT has historically been associated with China-nexus actors, including Hurricane Panda, APT41, and APT27 ("Emissary Panda"), which is what invites the reading that this is a China-sponsored internal surveillance operation. That reading should be treated as tentative: the Gh0st source code has been public since 2008 and has been repurposed by many unrelated groups, so the malware family alone is weak evidence of attribution.
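A practitioner triaging this campaign will want a concrete way to confirm the Gh0st RAT identification beyond a scanner verdict, and the command-and-control wire format is the most reliable fingerprint. The following is an added example, not code from the Malwarebytes report or from the campaign itself: it encodes and parses the header layout used by the public Gh0st 3.6 source (a 5-byte flag string, a little-endian 32-bit total packet size, a little-endian 32-bit uncompressed size, then a zlib stream) and runs the parser over a constructed sample of network streams. The sample payload bytes, the leading opcode byte, the 16 MiB size bound and the set of known flags are assumptions for illustration; forks of Gh0st routinely change the 5-byte flag, so the set should be extended from your own telemetry.

```python
import struct
import zlib

# Gh0st 3.6 wire header: 5-byte flag ("Gh0st" in the stock build; forks swap in
# their own tag), uint32 LE total packet size including the header, uint32 LE
# size of the uncompressed body, followed by a zlib stream of command data.
HEADER_FMT = "<5sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 13 bytes
KNOWN_FLAGS = {b"Gh0st"}  # assumption: extend with fork-specific tags you have observed
MAX_BODY = 16 * 1024 * 1024  # assumption: sanity bound on the decompressed size


def build_gh0st_packet(payload: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Encode a body the way a Gh0st client does. Used here only to construct
    sample traffic for the parser below; these are not captured packets."""
    if len(flag) != 5:
        raise ValueError("Gh0st flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    total = HEADER_LEN + len(body)
    return struct.pack(HEADER_FMT, flag, total, len(payload)) + body


def parse_gh0st_packet(data: bytes):
    """Return (flag, decompressed_body) when `data` starts with a well-formed
    Gh0st packet, otherwise None. Both length fields are validated before and
    after inflation so a hostile size field cannot drive a huge allocation."""
    if len(data) < HEADER_LEN:
        return None
    flag, total, orig = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if flag not in KNOWN_FLAGS:
        return None
    if total <= HEADER_LEN or total > len(data):
        return None  # claims more (or less) data than is actually present
    if orig > MAX_BODY:
        return None
    dec = zlib.decompressobj()
    try:
        # max_length caps the output at orig + 1 so an oversized body is
        # detected without inflating it in full.
        body = dec.decompress(data[HEADER_LEN:total], orig + 1)
    except zlib.error:
        return None
    if len(body) != orig or not dec.eof:
        return None  # size mismatch or truncated zlib stream
    return flag, body


# Constructed sample streams (not real captures): a benign HTTP request, one
# Gh0st-style beacon whose first byte stands in for an assumed opcode, and a
# decoy that carries the flag but a total-length field larger than the data.
SAMPLE_STREAMS = [
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    build_gh0st_packet(b"\x65Windows 10 Pro\x00WORKSTATION-01\x00"),
    b"Gh0st" + struct.pack("<II", 9999, 10) + b"\x00" * 20,
]


def scan_streams(streams):
    """Return the indexes of the streams that carry a valid Gh0st packet."""
    return [i for i, s in enumerate(streams) if parse_gh0st_packet(s) is not None]


if __name__ == "__main__":
    for i in scan_streams(SAMPLE_STREAMS):
        flag, body = parse_gh0st_packet(SAMPLE_STREAMS[i])
        print(f"stream {i}: Gh0st flag={flag!r} body={body!r}")
```

The length checks matter in practice: the flag alone is a five-byte string that any file or stream can contain by chance, so a detector that keys only on "Gh0st" at offset 0 will false-positive, while one that also requires the total size to fit the data and the zlib body to inflate to exactly the advertised size will not.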