active threat profile
type: hacktivism
threat_level: high
status: active
origin: Unknown — decentralized
last_updated: 2025-03-27
tags: threat-actor / hacktivism / cybercrime-overlap

GhostSec

also known as: Ghost Security, GhostSecMafia, GSM

GhostSec began in January 2015 as an Anonymous offshoot that targeted ISIS websites after the Charlie Hebdo attacks and passed intelligence on planned terrorist attacks to law enforcement. By 2023 the group had pivoted into ransomware operations, developing the GhostLocker RaaS and conducting double-extortion campaigns across more than 15 countries in partnership with Stormous. In May 2024 GhostSec announced a return to pure hacktivism and transferred GhostLocker to Stormous, claiming it had gathered sufficient funds to sustain future operations.

attributed origin: Unknown — decentralized; C2 infrastructure linked to Moscow
suspected sponsor: Independent — ideological and financial motivation
first observed: 2015
primary motivation: Hacktivism (political); Financial (ransomware phase 2023–2024)
primary targets: Critical infrastructure, government, technology, energy, rail
known campaigns: Confirmed activity in 15+ countries
collective affiliation: The Five Families (founder); Anonymous (historical)
target regions: Global — Middle East, Asia, Americas, Europe, Africa
threat level: High

Overview

GhostSec emerged in January 2015 as a hacktivist collective affiliated with Anonymous, originally formed in direct response to the Charlie Hebdo terrorist attacks in Paris. The group gained international attention for its campaigns against ISIS online infrastructure, claiming to have taken down hundreds of ISIS-associated websites and social media accounts, and reportedly passing intelligence on planned attacks to law enforcement agencies. This counterterrorism posture established the group's early reputation as a vigilante cybersecurity force rather than a conventional threat actor.

The group's ideology began shifting in subsequent years. GhostSec expanded its operations beyond counterterrorism into broader politically motivated campaigns including #OpLebanon, #OpNigeria, #OpMyanmar, #OpEcuador, #OpColombia, and sustained attacks against Israeli infrastructure in response to alleged war crimes in Gaza. Alongside this hacktivist activity, the group began monetizing its Telegram presence through a subscription-based "GhostSec Mafia Premium" channel offering data leaks and hacking tutorials, signaling a growing interest in revenue generation.

The group's clearest ideological shift came in 2023 when GhostSec launched GhostLocker, a ransomware-as-a-service platform, and formalized a partnership with the Stormous ransomware group. Together they conducted double-extortion attacks across more than 15 countries under the joint RaaS brand STMX_GhostLocker. In May 2024, GhostSec's leader Sebastian Dante Alexander publicly announced that the group was stepping back from ransomware operations, handing GhostLocker's management to Stormous, and returning its focus to politically motivated hacktivism. The group stated this decision was made possible by funds accumulated through ransomware and database sales.

Despite this announcement, GhostSec remains active in hacktivist operations. Forescout's 2025 threat research noted GhostSec among groups targeting Israeli programmable logic controllers (PLCs) linked to media and water systems. The stated retirement from cybercrime does not eliminate the threat the group poses, given its demonstrated willingness to shift operational posture and its continued targeting of critical infrastructure.

attribution note

Cisco Talos and SOCRadar note that GhostSec's name resembles the Ghost Security Group, a separate counterterrorism-focused collective. The Ghost Security Group has publicly stated that another actor mimics their identity. Analysts should distinguish between the two when reviewing historical reporting.

Target Profile

GhostSec's targeting reflects both its hacktivist ideology and its ransomware-phase financial objectives. Politically motivated targeting centers on Israeli infrastructure, government entities associated with perceived oppression, and organizations in countries connected to GhostSec's operational campaigns. Ransomware-phase targeting was broader and sector-agnostic.

  • Critical Infrastructure: Israeli industrial systems, water treatment PLCs, and media infrastructure have been targeted repeatedly. GhostSec claimed disruption of a Belarusian train RTU system in 2023 using ransomware, and claimed an attack on Israel's Ministry of Defense in December 2023.
  • Transportation: Indonesia's national railway operator was targeted in early 2024 using GhostPresser-based tools alongside ransomware. Disruption of rail operations was claimed.
  • Energy: A Canadian energy supplier was targeted as part of GhostSec's critical infrastructure campaign, with ransomware deployed to disrupt operations and steal data.
  • Finance: A Bengaluru-based financial firm had approximately 5 million financial and PII records exfiltrated in January 2024 after phishing was used to access VPN credentials.
  • Government: Brazilian government entities were targeted in March 2024 during a double-extortion campaign. A Vietnamese Ministry of Education was also targeted with ransomware and data theft.
  • Energy and Oil: A Qatar-based oilfield services provider was attacked via STMX_GhostLocker, resulting in operational disruption and sensitive project file leaks.
  • Healthcare: A private healthcare firm in Egypt had GhostLocker deployed against its EMR systems, with attackers claiming possession of over 250,000 patient files. The group's leadership stated GhostLocker was not intended to be used against healthcare providers, though this claim is unverified in practice.

Tactics, Techniques & Procedures

GhostSec's TTPs span both its hacktivist and ransomware phases. The group uses a combination of web application attacks, phishing, double extortion, and OT disruption claims.

mitre id | technique | description
T1566.001 | Phishing: Spearphishing Attachment | Used in the initial access phase; phishing was used to obtain VPN credentials in the January 2024 Bengaluru financial firm attack.
T1190 | Exploit Public-Facing Application | The GhostSec Deep Scan toolset performs recursive vulnerability scanning of target web infrastructure to identify exploitable weaknesses prior to attack.
T1059 | Command and Scripting Interpreter | GhostLocker uses the Windows Start command to launch ransom notes and arbitrary command execution to kill scheduled tasks and bypass UAC.
T1486 | Data Encrypted for Impact | GhostLocker 2.0 encrypts target files, appending the .ghost extension and skipping C:\Windows, using Fernet symmetric encryption (AES-128 CBC with PKCS7 padding).
T1048 | Exfiltration Over Alternative Protocol | GhostLocker 2.0 exfiltrates target files to a C2 server prior to encryption, enabling double-extortion leverage.
T1562.001 | Impair Defenses: Disable or Modify Tools | GhostLocker terminates processes and scheduled tasks defined in its configuration to evade detection before encryption begins.
T1498 | Network Denial of Service | GhostSec conducts DDoS attacks against targets as part of hacktivist campaigns, including attacks on Israeli infrastructure.
T1491.002 | Defacement: External Defacement | Website defacement with political messages (e.g., "Free Palestine") is used as a signature hacktivist action against Israeli targets.
T1059.007 | JavaScript / XSS | The GhostPresser tool performs cross-site scripting attacks against target websites, likely used in combination with GhostSec Deep Scan reconnaissance results.
T1547 | Boot or Logon Autostart Execution | The GhostLocker RaaS builder includes configurable persistence options allowing the ransomware binary to establish persistence on victim machines after initial execution.

Known Campaigns

#OpISIS / #OpParis — Anti-Terrorism Operations 2015 — 2016

GhostSec's founding campaign. Following the Charlie Hebdo attacks, the group coordinated with Anonymous to take down hundreds of ISIS-affiliated websites and social media accounts. The group claims to have passed intelligence on planned attacks to law enforcement. This campaign established GhostSec's public identity as a counterterrorism collective and generated significant media coverage.

Israeli Infrastructure Campaign 2022 — Present

Sustained campaign of website defacement, data leaks, DDoS attacks, and ransomware deployment against Israeli government entities, technology companies, and industrial systems. GhostSec claimed an attack on Israel's Ministry of Defense in December 2023 using GhostLocker. In 2025, Forescout identified GhostSec among groups targeting Israeli PLCs connected to water and media systems.

GhostLocker RaaS Launch and Stormous Partnership Oct 2023 — May 2024

GhostSec launched GhostLocker in October 2023, initially written in Python. In November 2023 GhostLocker 2.0 was released, re-engineered in Golang with enhanced evasion, cross-platform support for Windows, Linux, and VMware, and a web-based affiliate builder. In February 2024, Stormous and GhostSec formally launched STMX_GhostLocker, a joint RaaS program with three affiliate tiers including a free entry option and a PYV (Publish Your Victim) service. The program's TOR-hosted blog displayed a highest listed ransom of $500,000 USD.

STMX_GhostLocker Double-Extortion Wave 2023 — 2024

Joint double-extortion attacks conducted alongside Stormous against organizations in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkey, Egypt, Vietnam, Thailand, and Indonesia. Confirmed vertical targets include government, rail, energy, healthcare, finance, manufacturing, and telecommunications. The Bengaluru financial firm breach (January 2024) resulted in 5 million records exfiltrated. A Brazilian government entity was encrypted in March 2024.

Return to Hacktivism — GhostLocker Transfer to Stormous May 2024

On May 15, 2024, GhostSec announced via Telegram that it was withdrawing from ransomware operations and returning to hacktivism. The group stated it had gathered sufficient funds and transferred GhostLocker's source code, management, and affiliate clients to Stormous. Stormous continued operating GhostLocker and subsequently launched the Stormous RaaS program as a continuation. GhostSec's leader stated future hacktivist targets would include Israeli corporations, government agencies, and Mexican cartel data exposure.

Tools & Infrastructure

GhostSec developed a suite of custom offensive tools across both its hacktivist and ransomware phases, representing a meaningful investment in technical capability.

  • GhostLocker (v1): Initial ransomware written in Python using PyInstaller and Nuitka packaging. Dropped files and spawned child processes to perform encryption. Launched October 2023.
  • GhostLocker 2.0: Golang rewrite released November 2023. Uses Fernet symmetric encryption (AES-128 in CBC mode with PKCS7 padding). Appends .ghost extension to encrypted files. Exfiltrates data to C2 before encrypting. Drops an HTML ransom note (Ransomnote.html) to the victim desktop. Skips C:\Windows during encryption. C2 server observed at IP 94[.]103[.]91[.]246, located in Moscow, Russia.
  • GhostLocker RaaS Builder: Web-based builder offered to affiliates with configurable options including persistence mode, target directories, process kill lists, UAC bypass, and scheduled task termination. Marketed as enterprise-grade at $1,199 for v2.
  • GhostSec Deep Scan: Python-based web reconnaissance utility that recursively scans target websites to collect information and identify vulnerabilities. Used in preparation for web-based attacks.
  • GhostPresser: Cross-site scripting (XSS) tool used to compromise websites, particularly those running popular CMS platforms. Likely used in conjunction with Deep Scan in the Indonesia rail and Canada energy attacks.
  • STMX_GhostLocker Affiliate Platform: TOR-hosted blog and affiliate portal jointly operated with Stormous. Provided affiliate onboarding, victim data publication, and a dashboard tracking encryption status across active infections.
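The T1486 row and the GhostLocker 2.0 entry above both state that files are encrypted with Fernet. The following is an added triage helper, not GhostSec's code or anything from this profile: it parses the Fernet token layout (version byte, 64-bit timestamp, IV, AES-CBC ciphertext, HMAC-SHA256) and, where a key has been recovered from a sample or its configuration, checks the token's MAC. It assumes the ransomware writes unmodified Fernet tokens to disk, which the profile does not confirm; the key and token below are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

VERSION = 0x80        # Fernet version byte; base64 of any token therefore starts "gAAAAA"
HEADER = 1 + 8 + 16   # version + big-endian 64-bit timestamp + AES-CBC IV
MAC_LEN = 32          # trailing HMAC-SHA256
BLOCK = 16            # AES block size; PKCS7 keeps the ciphertext a multiple of it

def parse_fernet_token(token: bytes):
    """Split a Fernet token into its fields; None if the blob is not Fernet-shaped."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:            # bad alphabet or padding: not base64url at all
        return None
    if len(raw) < HEADER + BLOCK + MAC_LEN or raw[0] != VERSION:
        return None
    ciphertext = raw[HEADER:-MAC_LEN]
    if len(ciphertext) % BLOCK:
        return None
    ts = struct.unpack(">Q", raw[1:9])[0]
    return {
        "encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc),  # timeline evidence
        "iv": raw[9:HEADER],
        "ciphertext": ciphertext,
        "mac": raw[-MAC_LEN:],
        "signed": raw[:-MAC_LEN],  # the bytes the HMAC covers
    }

def verify_fernet_mac(token: bytes, key32: bytes) -> bool:
    """Check the MAC with a 32-byte Fernet key (its first 16 bytes are the signing key)."""
    fields = parse_fernet_token(token)
    if fields is None:
        return False
    expected = hmac.new(key32[:16], fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["mac"])

def build_token(key32: bytes, ts: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Assemble a structurally valid token from given parts (no AES; test material only)."""
    body = bytes([VERSION]) + struct.pack(">Q", ts) + iv + ciphertext
    mac = hmac.new(key32[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)

# Constructed key and token for the demonstration (not from any real sample).
SAMPLE_KEY = bytes(range(32))
SAMPLE_TOKEN = build_token(SAMPLE_KEY, 1709283605, b"\x11" * 16, b"\xaa" * 32)
```

The embedded timestamp is the token's creation time, so on files that match this layout it yields a per-file encryption time for the incident timeline.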

Indicators of Compromise

The following indicators are derived from Cisco Talos and SOCRadar research on GhostLocker 2.0 campaigns. GhostSec's infrastructure changes frequently. Verify currency before operational use.

warning

GhostLocker's management was transferred to Stormous in May 2024. IOCs associated with GhostLocker C2 infrastructure may now reflect Stormous operations rather than GhostSec directly. Cross-reference with Stormous RaaS IOC feeds when investigating active incidents.

indicators of compromise — GhostLocker 2.0
ip (c2): 94[.]103[.]91[.]246 — GhostLocker 2.0 C2 server, Moscow, Russia (Talos, 2024)
file extension: .ghost — appended to all files encrypted by GhostLocker 2.0
ransom note: Ransomnote.html — dropped to the victim desktop and launched via the Windows Start command
behavioral: process termination and scheduled task kill actions executed prior to encryption; C:\Windows directory excluded from encryption scope
language: Golang binary (GhostLocker 2.0); Python utilities (GhostSec Deep Scan, GhostLocker v1)

Mitigation & Defense

GhostSec's hybrid attack profile — combining web application exploitation, phishing-based initial access, ransomware deployment, and OT targeting — requires layered defensive coverage across multiple control domains.

  • Web Application Protection: Deploy a web application firewall (WAF) tuned to detect XSS payloads. GhostSec's GhostPresser tool relies on XSS to compromise web-facing targets; WAF rules and CMS hardening reduce exposure. Regularly patch CMS platforms (WordPress, Joomla, etc.) targeted by web-scanning tooling like GhostSec Deep Scan.
  • Phishing-Resistant Authentication: The Bengaluru breach was initiated by phishing for VPN credentials. FIDO2/WebAuthn hardware keys for VPN and remote access accounts prevent credential theft from phishing. Where hardware keys are not feasible, enforce MFA on all remote access with conditional access policies that flag unfamiliar device or location logins.
  • Ransomware Resilience: Maintain immutable, offline backups of critical systems on a tested recovery schedule. GhostLocker 2.0 exfiltrates data before encrypting, meaning backup restoration alone does not resolve the extortion threat — data leak prevention and egress monitoring are equally important.
  • Process and Task Monitoring: GhostLocker terminates processes and scheduled tasks defined in its configuration before encrypting. Alert on bulk process termination events, especially when followed by high-volume file I/O activity consistent with encryption. EDR with behavioral detection is more reliable than signature-based AV for this pattern.
  • OT and ICS Segmentation: GhostSec has claimed attacks against PLCs and RTUs. Segment OT networks from corporate IT environments. Apply the principle of least privilege to any OT-facing remote access. Monitor for anomalous commands on ICS protocols (Modbus, DNP3) using dedicated OT security monitoring tools.
  • Threat Intelligence Monitoring: GhostSec communicates campaign activity and victim claims through Telegram. Monitoring relevant Telegram channels and data leak sites provides early warning of targeting intentions and can shorten response timelines for affected organizations.
  • Incident Response Planning: Given the group's double-extortion model, incident response plans should include pre-defined procedures for managing data exfiltration disclosures, including legal notification timelines, external communications, and engagement with law enforcement.
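The Process and Task Monitoring item above and the behavioral indicator in the IOC list describe the same sequence: bulk process and scheduled task termination, then a burst of writes carrying the .ghost extension, with C:\Windows left alone and Ransomnote.html dropped to the desktop. The following is an added detection sketch, not this profile's or any vendor's code; the "ts|host|event|detail" telemetry format, the event names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed endpoint telemetry in an assumed "ts|host|event|detail" format
# (not a real EDR schema). WS01 shows the GhostLocker 2.0 sequence; WS02 does not.
SAMPLE_LOG = r"""2024-03-01T09:00:01|WS01|proc_kill|sqlservr.exe
2024-03-01T09:00:01|WS01|proc_kill|outlook.exe
2024-03-01T09:00:02|WS01|task_delete|\Microsoft\Windows\Backup\NightlyBackup
2024-03-01T09:00:02|WS01|proc_kill|excel.exe
2024-03-01T09:00:05|WS01|file_write|C:\Users\alice\Documents\q1.xlsx.ghost
2024-03-01T09:00:05|WS01|file_write|C:\Users\alice\Documents\plan.docx.ghost
2024-03-01T09:00:06|WS01|file_write|C:\Windows\Temp\cache.bin.ghost
2024-03-01T09:00:06|WS01|file_write|C:\Users\alice\Desktop\Ransomnote.html
2024-03-01T10:15:00|WS02|proc_kill|notepad.exe
2024-03-01T10:16:00|WS02|file_write|C:\Users\bob\notes.txt"""

KILL_EVENTS = {"proc_kill", "task_delete"}  # T1562.001 step that precedes encryption
ENCRYPTED_EXT = ".ghost"                    # extension GhostLocker 2.0 appends
RANSOM_NOTE = "ransomnote.html"             # note dropped to the desktop
SKIPPED_TREE = "c:\\windows\\"              # tree the malware excludes, so not counted
KILL_THRESHOLD, WRITE_THRESHOLD = 3, 2      # burst sizes that trigger an alert
WINDOW = timedelta(minutes=5)               # encryption must follow the kills closely

def parse_line(line):
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail

def detect_ghostlocker(log_text):
    """Return {host: summary} for hosts showing a kill burst followed by .ghost writes."""
    by_host = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, event, detail = parse_line(line)
        by_host[host].append((ts, event, detail))
    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        kills = [ts for ts, ev, _ in events if ev in KILL_EVENTS]
        if len(kills) < KILL_THRESHOLD:
            continue  # no bulk termination: treat as ordinary activity
        start, end = kills[0], kills[0] + WINDOW
        ghost_writes = [d for ts, ev, d in events
                        if ev == "file_write" and start <= ts <= end
                        and d.lower().endswith(ENCRYPTED_EXT)
                        and not d.lower().startswith(SKIPPED_TREE)]
        if len(ghost_writes) < WRITE_THRESHOLD:
            continue
        note = any(d.lower().endswith(RANSOM_NOTE) for _, ev, d in events if ev == "file_write")
        findings[host] = {"kills": len(kills), "ghost_writes": len(ghost_writes),
                          "ransom_note": note}
    return findings
```

Ordering matters here: the .ghost writes are only counted inside the window that opens at the first kill, which is what separates this pattern from routine maintenance that terminates tasks without touching user data.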

— end of profile — ghostsec — last updated 2025-03-27