Researchers have identified that the actors behind the Gh0stCringe remote access trojan are targeting Microsoft SQL and MySQL database servers. Gh0stCringe, which is thought to have been active since 2018, is a known variant of the Gh0st RAT malware.
A recent report from AhnLab indicated that the threat actors behind Gh0stCringe, aka CirenegRAT, are targeting relational databases hosted on vulnerable devices. The malware targets weakly configured database servers, including Microsoft SQL and MySQL servers, that use easy-to-crack passwords. It uses the legitimate processes sqlserver.exe, mysqld.exe, and mysqld-nt.exe to create a new malicious executable, mcsql.exe.
Moreover, researchers have identified multiple other malware samples, such as KingMiner and Vollgar CoinMiner, on the targeted servers. This implies that several threat actors may be hunting the same vulnerable servers to drop their payloads.
Gh0stCringe is a malicious RAT that connects to a C&C server, allowing the attacker to perform various activities depending on the configured data. The malware allows the attacker to connect to a URL using Internet Explorer, destroy the Master Boot Record (MBR), register run keys, and shut down the host system. Additionally, it steals data stored on the clipboard, collects Tencent-related data from the targeted machine, and performs keylogging.
It can also perform self-control tasks (such as update and uninstall), system control (such as rebooting the NIC), and additional module control. Gh0stCringe supports multiple operating modes, namely mode 0, 1, 2, and a Windows 10 mode. Each mode communicates with the C&C server, with slight variations in its persistence-related features.
To stay protected from such threats, researchers recommend using passwords that are difficult to guess and changing them periodically to limit the impact of brute-force attacks. Regularly patching servers exposed to the internet and adding security layers such as firewalls further help defend against such attacks.
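The two observable behaviours the report describes, password brute-forcing against exposed database servers and a database engine process spawning the dropped mcsql.exe, are both things a defender can hunt for. The following is an added example, not code from AhnLab or from the original article: it runs two simple detections over constructed sample data, one over MSSQL-style error-log lines (failed-login bursts per client IP) and one over process-creation events (an unexpected child image under a database engine process). The event field names, the `EXPECTED_CHILDREN` allow list, the IP addresses and the log lines are all constructed for illustration. Note that the article writes the SQL Server process as sqlserver.exe; the actual binary name on a SQL Server host is sqlservr.exe, so the code matches both spellings.

```python
import re
from collections import Counter

# Database engine processes the article names as the parents of the dropped mcsql.exe.
# "sqlserver.exe" is the article's spelling; "sqlservr.exe" is the real SQL Server binary.
DB_PARENTS = {"sqlserver.exe", "sqlservr.exe", "mysqld.exe", "mysqld-nt.exe"}

# Child images a database engine is allowed to spawn in this environment.
# Hypothetical allow list for the example; tune it to what your own servers actually launch.
EXPECTED_CHILDREN = {"conhost.exe"}

# MSSQL error-log login failure line, e.g.
#   "... Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.7]"
FAILED_LOGIN_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*CLIENT: (?P<ip>[\d.]+)")


def suspicious_children(events):
    """Return (parent, child) image-name pairs where a DB engine spawned an unexpected executable.

    Each event is a dict with 'parent_image' and 'image' holding full Windows paths,
    as a Sysmon-style process-creation record would carry them.
    """
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in DB_PARENTS and child not in EXPECTED_CHILDREN:
            hits.append((parent, child))
    return hits


def bruteforce_sources(log_lines, threshold=5):
    """Count failed logins per client IP in MSSQL-style error-log lines.

    Returns {ip: failures} for every IP at or above `threshold`. Five failures in a
    short window is an arbitrary example value; pick a threshold that fits your traffic.
    """
    counts = Counter()
    for line in log_lines:
        m = FAILED_LOGIN_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# --- Constructed sample data (not real telemetry) ---------------------------------

SAMPLE_EVENTS = [
    # Normal service start: services.exe launches the SQL Server engine.
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    # Allowed child of the engine.
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
    # The pattern from the report: the engine process writes and runs mcsql.exe.
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\Temp\mcsql.exe"},
    {"parent_image": r"C:\Program Files\MySQL\MySQL Server 5.7\bin\mysqld.exe",
     "image": r"C:\ProgramData\mcsql.exe"},
]

SAMPLE_LOG = [
    # Six failures for 'sa' from one client within a few seconds.
    f"2022-03-17 10:02:{11 + i:02d}.31 Logon       Login failed for user 'sa'. "
    f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"
    for i in range(6)
] + [
    "2022-03-17 10:03:40.10 Logon       Login failed for user 'admin'. "
    "Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.4]",
    "2022-03-17 10:03:41.02 spid52      Starting up database 'tempdb'.",
]


if __name__ == "__main__":
    for parent, child in suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT unexpected child of database engine: {parent} -> {child}")
    for ip, n in bruteforce_sources(SAMPLE_LOG).items():
        print(f"ALERT {n} failed logins from {ip}")
```

Both checks are deliberately narrow: the process check keys on the parent being a database engine rather than on the name mcsql.exe, because the dropped filename is trivial for the operators to change, while a database engine spawning arbitrary executables is rare on a properly locked-down server. The login check only looks at client IP; in practice you would also watch for the same source cycling through many usernames, and for successful logins that follow a burst of failures.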