Hackers Use Gh0st RAT to Hijack Internet Café Systems for Crypto Mining

Hackers have been targeting Internet cafés in South Korea since the second half of 2024, exploiting specialized management software to install malicious tools for cryptocurrency mining.

According to a detailed report from AhnLab SEcurity intelligence Center (ASEC), the attackers, active since 2022, are using the notorious Gh0st RAT (Remote Access Trojan) to seize control of systems, ultimately deploying the T-Rex CoinMiner to mine cryptocurrencies like Ethereum and RavenCoin.

This campaign specifically focuses on systems running Korean Internet café management programs, which are integral for tracking customer usage and calculating fees.

Target South Korean Internet Cafés

Although the exact method of initial access remains under investigation, the scale and precision of these attacks suggest a deep understanding of the targeted software by the threat actors, believed to be linked to Chinese-speaking groups due to Gh0st RAT’s origins with the C. Rufus Security Team.

The attackers deploy a multi-layered arsenal ...