top of page
  • Clipeus

Malvertising Targets Chinese Users

On January 25, 2024, MalwareBytes reported a newly identified campaign targeting Chinese users with trojanized Telegram and LINE applications via malvertising through Google ads. The MalwareBytes investigation reportedly linked some of the ad profiles to accounts in Nigeria.

The campaign delivers a malware payload in MSI format, targeting Windows users. The payload is consistent with Gh0st RAT, suggesting the campaign is likely espionage-related. Interestingly enough, as the MalwareBytes report notes, Telegram is banned in China, and users need a VPN to access Google pages with .hk top-level domains to view the ads.

The usage of Gh0st RAT has been historically associated with China-nexus actors, including Hurricane Panda, APT41, and APT27 ("Emissary Panda"), suggesting a China-sponsored internal surveillance operation.


Les commentaires ont été désactivés.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page