GhostSec and GhostLocker 2.0: what this ransomware is and how it works

24.12.2025 11 minutes Author: Lady Liberty

The article examines the renewed activity of the GhostSec group and the emergence of GhostLocker 2.0, a modern ransomware strain that combines data encryption with pressure on victims through information leaks. It explains the broader threat landscape, the attackers’ overall approach, and why this campaign has drawn the attention of cybersecurity analysts, without revealing technical details upfront.

Who are GhostSec and why GhostLocker 2.0 is dangerous

Over the past year, the activity of the hacker group GhostSec has increased noticeably. The group has evolved by introducing a new version of its encryptor, GhostLocker 2.0. This is ransomware written in the Go programming language, representing a continuation of earlier GhostLocker variants.

GhostSec does not operate alone. Together with the Stormous group, they carry out attacks using a double extortion model. During such campaigns, victims’ data is not only encrypted but also stolen, allowing attackers to pressure companies with threats of public data disclosure. These attacks target businesses across various industries and countries.

In addition, GhostSec and Stormous launched a joint ransomware as a service program called STMX_GhostLocker. It offers partners different participation models, ranging from full use of the encryptor to separate collaboration formats for affiliated actors.

As part of this activity, the group also uses new tools to attack websites. These include the GhostSec Deep Scan tool, which is used for analysis and reconnaissance of web resources, and GhostPresser, a tool likely intended for compromising websites, particularly those running popular CMS platforms.

Geography of victims

According to publications by the attackers themselves in Telegram channels and on their data leak site, the victims include organizations from the following countries: Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand, and Indonesia.

As a result of the joint campaign, companies from various business sectors were affected, as the attackers reported in their Telegram channels.

In GhostSec’s Telegram publications, a consistent focus can be observed on attacks targeting industrial systems, critical infrastructure, and technology companies in Israel. On November 12, 2023, the group also claimed that one of the affected entities was allegedly the Israeli Ministry of Defense.

Example of a Telegram chat message from GhostSec.

GhostSec has remained active throughout the past year.

GhostSec is a hacker group that presents itself in its Telegram channels as one of the so-called “modern five families,” alongside ThreatSec, Stormous, Blackforums, and SiegedSec. The group is clearly financially motivated and carries out both single and double extortion attacks against victims in multiple countries. According to its own statements, it has also conducted denial of service (DoS) attacks and taken down victims’ websites. In its communications, the group claims that its primary goal is to raise funds for hacktivists and malicious actors through cybercriminal activity.

The name GhostSec resembles that of the well-known hacktivist group Ghost Security Group, which primarily focused on counterterrorism efforts and attacks against pro-ISIS resources. At the same time, Ghost Security Group has stated in its blog that another hacker group has been impersonating its identity.

In October 2023, GhostSec announced the launch of a new ransomware as a service platform called GhostLocker. Following successful joint operations with the Stormous group in July 2023 against Cuban ministries, Stormous stated on October 14, 2023 that, alongside its own StormousX program, it would also use the GhostLocker ransomware.

Telegram chat message about Storm ransomware.

Since then, GhostSec and Stormous have jointly carried out double extortion attacks targeting companies across various business sectors in many countries. Alongside ransomware campaigns, GhostSec is also believed to have conducted attacks against corporate websites, including the website of Indonesia’s national railway operator and one of Canada’s leading energy companies. The compromise of these resources may have involved the GhostPresser tool in combination with cross-site scripting (XSS) techniques.

On February 24, 2024, the Stormous group announced in its Telegram channel “The Five Families” the launch of a new ransomware as a service program called STMX_GhostLocker, developed jointly with partners from GhostSec. The program offers three service categories for affiliates: a paid option, a free option, and a separate format for non-affiliated actors who only want to sell or publish stolen data on their own blogs, referred to as the PYV service.

In its Telegram channels, the group published diagrams of the working model for affiliated participants and individuals not included in the program.

Working model of the Stmx_GhostLocker affiliate program.
Stmx_GhostLocker working model for non-affiliated members.

Stormous and GhostSec launched a new official blog for their RaaS program, Stmx_GhostLocker, on the TOR network. The site includes functionality for affiliate onboarding and for publishing victims’ data. The blog’s control panel displays the number of affected organizations and disclosed leaks, with links to the leaked data. It also lists a highest reported ransom of 500,000 US dollars, although there is no confirmation that this is actually the largest amount they have received.

Captured image of the Stmx_GhostLocker blog.

Evolution of the GhostLocker 2.0 ransomware

In November 2023, GhostSec announced the release of a new version of its encryptor called GhostLocker 2.0. Shortly afterward, the group resumed promoting the current Golang based version under the name GhostLocker V2, while also stating that work on GhostLocker V3 was already underway. This indicates continuous development and ongoing improvement of their ransomware toolset.

GhostLocker 2.0 encrypts files on the victim’s system, appending the extension “.ghost” to them, and then creates and automatically opens a ransom message. The new version has changed the text of the note: the operator asks the victim to save the encryption ID displayed in the message and to provide it in the chat reached by clicking the “Click me” button. It also states that the stolen data will be made public if the victim does not contact them within seven days.

GhostLocker ransom note (left) and GhostLocker 2.0 ransom note (right).

GhostLocker, when offered in a ransomware as a service model, includes a centralized C2 control panel where affiliated actors can view information about their attacks and the revenue they have generated. After execution on a victim’s system, the ransomware binaries register themselves with this C2 panel, allowing operators to monitor the encryption status of the compromised machine.

For GhostLocker 2.0, a C2 server with the IP address 94[.]103[.]91[.]246 was identified, located in Moscow, Russia. The geolocation of this server matches the C2 infrastructure used by earlier versions of GhostLocker, which had previously been reported by cybersecurity researchers.

GhostLocker C2 panels.

GhostLocker, in its ransomware as a service model, provides affiliates with a ransomware builder that includes a set of configurable parameters. It allows operators to define persistence mechanisms after successful execution on a victim’s system, select directories to be encrypted, and apply defense evasion techniques. These include terminating specific processes or services, executing arbitrary commands to remove scheduled tasks, and bypassing User Account Control (UAC).

GhostLocker 2.0 ransomware designer panel

The new version of the GhostLocker ransomware, called GhostLocker 2.0, was observed in real world attacks on November 15, 2023. Most of the functional capabilities of GhostLocker 2.0 were carried over from the previous GhostLocker version written in Python. The main differences include the absence of a watchdog component, which earlier versions used to relaunch the encryptor from the Windows startup directory, and a change in the AES encryption key length from 128 bits in the older version to 256 bits.

During its initial execution, GhostLocker 2.0 copies itself to the Windows startup folder to establish persistence. The stored copy uses a randomly generated 32 byte string as the file name within the startup directory.

After establishing persistence, the ransomware connects to the C2 server at the URL hxxp[://]94[.]103[.]91[.]246[/]incrementLaunch.

The function that initiates the connection to C2.

After successfully establishing a connection with the C2 server, the ransomware generates a secret key and an encryption identifier, collects the victim’s IP address, the infection date, and other data from its configuration parameters, including the encryption status, ransom amount, and a unique victim identifier. It then assembles this data into a JSON document in the memory of the infected system.

JSON file generated in the machine’s memory.

The generated JSON file is sent to the C2 server at the URL hxxp[://]94[.]103[.]91[.]246[/]addInfection to register the victim’s system infection in the C2 panel.

The function of registering an infection in C2 by sending a JSON file.

After the victim’s system infection is registered in the C2 panel, the ransomware attempts to terminate specific processes, services, or scheduled Windows tasks defined in its configuration parameters in order to evade detection.

Functions for stopping scheduled Windows tasks.

GhostLocker 2.0 searches for target files on the victim’s system based on a list of file extensions defined by the attacker. Before encryption begins, the files are exfiltrated to the C2 server via the URL hxxp[://]94[.]103[.]91[.]246[/]upload using HTTP POST requests. In the analyzed GhostLocker 2.0 sample, the ransomware was configured to steal and encrypt files with the extensions .doc, .docx, .xls, and .xlsx.

Function that exfiltrates target files to the C2 server.
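The three C2 requests described above (the launch beacon, the JSON registration, and the exfiltration upload) form a recognisable sequence in outbound web-proxy logs. The following detector is an added example, not code from the article or from the malware; the log format and the log lines are constructed for the example, while the IP address and request paths are those reported in the article.

```python
import re
from collections import defaultdict

# C2 host and request paths reported for GhostLocker 2.0 in the article.
GHOSTLOCKER_C2 = "94.103.91.246"
C2_PATHS = {
    "/incrementLaunch": "launch counter (first beacon)",
    "/addInfection": "victim registration (JSON POST)",
    "/upload": "file exfiltration (HTTP POST)",
}
# Furthest-stage order of the chain as the article describes it.
CHAIN_ORDER = ["/incrementLaunch", "/addInfection", "/upload"]

# Constructed proxy-log format for this example:
# "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) http://([^/\s]+)(/\S*) (\d{3})$")


def parse_line(line):
    """Parse one constructed proxy-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": host, "path": path, "status": int(status)}


def find_ghostlocker_beacons(lines):
    """Return {client: [(timestamp, path, stage)]} for requests to the known C2 paths."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != GHOSTLOCKER_C2:
            continue
        stage = C2_PATHS.get(rec["path"])
        if stage:
            hits[rec["client"]].append((rec["ts"], rec["path"], stage))
    return dict(hits)


def infection_stage(client_hits):
    """0 = nothing seen, 1 = launched, 2 = registered, 3 = exfiltration observed."""
    seen = {path for _, path, _ in client_hits}
    return max((i for i, p in enumerate(CHAIN_ORDER, 1) if p in seen), default=0)


# Constructed sample log: one clean host, one full chain, one host that only beaconed.
SAMPLE_LOG = """\
2023-11-15T09:01:02Z 10.0.0.15 GET http://example.com/ 200
2023-11-15T09:01:10Z 10.0.0.23 GET http://94.103.91.246/incrementLaunch 200
2023-11-15T09:01:11Z 10.0.0.23 POST http://94.103.91.246/addInfection 200
2023-11-15T09:01:20Z 10.0.0.23 POST http://94.103.91.246/upload 200
2023-11-15T09:02:00Z 10.0.0.42 GET http://94.103.91.246/incrementLaunch 200
""".splitlines()

if __name__ == "__main__":
    for client, hits in find_ghostlocker_beacons(SAMPLE_LOG).items():
        print(client, "stage", infection_stage(hits), hits)
```

A host at stage 3 has already started uploading documents, so the stage value is what decides whether the response is containment only or also a data-breach assessment.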

After successful data exfiltration, GhostLocker 2.0 encrypts the target files and appends the “.ghost” extension to them. During the encryption process, the ransomware skips the C:\Windows directory. Once encryption is complete, the malware writes an embedded ransom note as an HTML file named Ransomnote.html on the victim’s desktop and opens it using the Windows start command.

A function that drops and opens ransom notes.
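The host-side artifacts described above (the randomly named copy in the Startup folder, the “.ghost” suffix on encrypted files, the skipped C:\Windows tree, and Ransomnote.html on the desktop) can be checked against a forensic file listing. The triage routine below is an added example, not the article’s or the malware’s code; the file listing is constructed, and the assumption that the 32-character Startup file name is alphanumeric and may carry an .exe suffix is the example’s own, since the article only gives the length.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Artifacts reported for GhostLocker 2.0 in the article.
ENCRYPTED_SUFFIX = ".ghost"
RANSOM_NOTE = "ransomnote.html"
STARTUP_DIR = ("microsoft", "windows", "start menu", "programs", "startup")
# Assumed character set for the random 32-character file name (article gives only the length).
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{32}(\.exe)?$")


def _in_startup(p):
    """True if the path passes through the per-user or common Startup folder."""
    parts = tuple(s.lower() for s in p.parts)
    return any(parts[i:i + len(STARTUP_DIR)] == STARTUP_DIR for i in range(len(parts)))


def triage_listing(paths):
    """Classify a Windows file listing (paths as strings) against the GhostLocker 2.0 artifacts."""
    report = {"encrypted": Counter(), "ransom_notes": [],
              "startup_suspects": [], "unexpected_in_windows": []}
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name.endswith(ENCRYPTED_SUFFIX):
            report["encrypted"][str(p.parent)] += 1
            # The article says C:\Windows is skipped, so .ghost files there point at something else.
            if p.parts[:2] == ("C:\\", "Windows"):
                report["unexpected_in_windows"].append(raw)
        elif name == RANSOM_NOTE and "desktop" in (s.lower() for s in p.parts):
            report["ransom_notes"].append(raw)
        elif _in_startup(p) and RANDOM_NAME_RE.match(p.name):
            report["startup_suspects"].append(raw)
    return report


def is_likely_ghostlocker(report):
    """Encrypted files plus the desktop note together are the minimum pattern described."""
    return bool(report["encrypted"]) and bool(report["ransom_notes"])


# Constructed listing for the example (not real victim data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.ghost",
    r"C:\Users\alice\Documents\report.docx.ghost",
    r"C:\Users\alice\Desktop\Ransomnote.html",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ab3dEf9GhIjKlMnOpQrStUvWxYz01234.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Windows\System32\drivers\etc\hosts",
]
```

Because PureWindowsPath only manipulates path strings, the routine runs on an analyst workstation of any OS against an exported listing rather than on the compromised host.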

Other tools likely used for website scanning and compromise

GhostSec has at least two tools that the group associates with the compromise of legitimate web resources. The first is the GhostSec Deep Scan toolset, designed for recursive website scanning. The second is a tool used to carry out cross-site scripting (XSS) attacks called GhostPresser.

GhostSec Deep Scan Tool

The GhostSec Deep Scan toolset is a Python based utility that attackers can use to scan websites of potential targets in order to collect information and identify vulnerabilities.

The tool includes multiple modules designed to perform the following types of scanning on target websites:

  • searching based on user defined parameters

  • scanning multiple websites simultaneously

  • extracting hyperlinks from website pages

  • deep scanning with analysis of the technologies used to build the web pages

  • checking security protocols with detection of SSL/TLS and HSTS (HTTP Strict Transport Security)

  • analyzing website content with data export to a file

  • performing Whois queries

  • checking for broken links on the website

The code also contains placeholders for additional functionality, including SSL analysis, DNS queries, checks of robots.txt and sitemap.xml files, searches for known vulnerabilities (CVE) on the target website, and advanced searches by file type, date range, and custom criteria. This indicates ongoing development of GhostSec’s toolset.

Particular attention is drawn to the deep_scan module, which is used for parsing and collecting information from web pages and identifying the technologies in use. For this purpose, Python libraries such as Beautiful Soup for HTML and XML parsing and BuiltWith for detecting technologies used on a site, such as Apache, jQuery, or WordPress, are employed.

A function to parse and identify the technology used on a web page.

GhostPresser: a tool for compromising WordPress

GhostPresser is a tool designed to bypass administrative authentication and compromise the WordPress content management system. It is a shell script that, according to GhostSec’s claims, was used during an XSS attack against a legitimate website in Canada. The tool is still under development, as several placeholders for future website auditing functions were identified in its code. At present, it is unclear which specific types of audits the attackers plan to integrate into this tool.

GhostPresser tool.

After GhostPresser is successfully deployed on a target WordPress website, an attacker can perform the following actions:

  • bypass login mechanisms and carry out auxiliary actions, including cookie checks

  • activate and deactivate plugins

  • modify WordPress settings

  • create new users

  • update WordPress core information

  • install new themes

Below is an example of a function in GhostPresser that is used to install new themes in WordPress.

A function for installing a new WordPress theme.

Conclusion

GhostSec has long moved beyond hacktivism and has effectively transformed into a full scale cybercriminal structure with clear financial motivation. The launch of GhostLocker 2.0 and a joint RaaS platform with Stormous demonstrates a systemic approach, ranging from website compromise and reconnaissance to data encryption and public pressure on victims.

The greatest danger lies not only in the encryptor itself, but in the ecosystem surrounding it, including partner programs, tools for website compromise, and the global geography of attacks. This makes GhostSec and GhostLocker 2.0 a real threat to businesses, critical infrastructure, and organizations in different countries, regardless of their size or industry.
