Understanding GHOSTPULSE Malware Loader

Nicholas Koken
April 2, 2024

The cybersecurity threat landscape is ever-evolving, which means you need your security posture as up-to-date as possible to keep pace with new and emerging threats. One such threat is GHOSTPULSE, a malware loader strain targeting Windows machines that emerged in late 2023. Let’s dive into GHOSTPULSE, how it works, and how you can keep your organization ahead of it.


Threat actors use GHOSTPULSE to download malware payloads onto devices. It leverages MSIX application files to pass unnoticed, as MSIX is a format developers usually use to download and update legitimate applications (typically utilized in the Windows Store). Usually, an MSIX package must be signed with a code signing certificate as a layer of security, but certificates can be stolen or otherwise obtained by threat actors beforehand.

With GHOSTPULSE, the attacker tricks the end user with methods such as search engine optimization (SEO) poisoning or malvertising into downloading the loader as if it were some form of legitimate or pirated software. Then, once on the system, GHOSTPULSE downloads prominent malware strains such as SectopRAT, NetSupport RAT, or Vidar, a banking trojan. As a loader, it can be further used to download other malware and establish persistence within a system or even across multiple systems.

From the user’s perspective, GHOSTPULSE pops up an install window for the “software” the user believes they are downloading and then, ingeniously, actually installs the legitimate software while malicious PowerShell scripts silently install the malware in the background. This adds an extra layer of trust, tricking the user into thinking nothing is amiss. You can see an example of what happens in the background in the demo below:

Three stages of GHOSTPULSE

Through a combination of malicious PowerShell scripts, memory modification, process injection, and DLL sideloading, GHOSTPULSE is built to completely evade simple antivirus solutions. It accomplishes this through three distinct stages. Watch the video above to learn about each stage, each of which utilizes complex processes to run unnoticed on a system.

After each of the three stages is carried out, GHOSTPULSE infects the system with its strain of malware. GHOSTPULSE hides behind many different legitimate applications, and multiple strains of malware can be loaded depending on the version. After the malware is successfully and discreetly installed, GHOSTPULSE continues to lie low in the background, ready to download more malware either while the first is being discovered or afterward.
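For triaging a suspicious MSIX download before anyone installs it, the following added example (not from the original post or from Todyl) statically inspects the package, which is a ZIP archive, and reports its publisher, whether a signature file is present, and any bundled scripts. It assumes scripts are wired in through a Package Support Framework config.json, which the post does not specify; `triage_msix` and `build_sample` are hypothetical names, and the sample package is constructed.

```python
import io, json, zipfile
import xml.etree.ElementTree as ET

SCRIPT_EXTS = (".ps1", ".psm1", ".bat", ".cmd", ".vbs")

def triage_msix(data: bytes) -> dict:
    """Static triage of an MSIX package (a ZIP archive) given as raw bytes."""
    report = {"publisher": None, "signed": False, "scripts": [], "psf_scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # Presence of the signature file only; it is not verified here, and a
        # valid signature does not prove legitimacy if the certificate was stolen.
        report["signed"] = "AppxSignature.p7x" in names
        report["scripts"] = sorted(n for n in names if n.lower().endswith(SCRIPT_EXTS))
        if "AppxManifest.xml" in names:
            root = ET.fromstring(pkg.read("AppxManifest.xml"))
            for el in root.iter():  # match the local tag name in any namespace
                if el.tag.rsplit("}", 1)[-1] == "Identity":
                    report["publisher"] = el.get("Publisher")
                    break
        # Assumption: scripts run via Package Support Framework config.json hooks.
        for name in names:
            if name.lower().rsplit("/", 1)[-1] != "config.json":
                continue
            try:
                cfg = json.loads(pkg.read(name))
            except ValueError:  # malformed JSON or undecodable bytes
                continue
            apps = cfg.get("applications", []) if isinstance(cfg, dict) else []
            for app in (a for a in apps if isinstance(a, dict)):
                for hook in ("startScript", "endScript"):
                    s = app.get(hook)
                    if isinstance(s, dict) and s.get("scriptPath"):
                        report["psf_scripts"].append((hook, s["scriptPath"], bool(s.get("showWindow"))))
    return report

def build_sample() -> bytes:
    """Constructed, benign sample package for the demo (not a real installer)."""
    manifest = ('<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
                '<Identity Name="Example.App" Publisher="CN=Example Publisher" Version="1.0.0.0"/>'
                '</Package>')
    cfg = {"applications": [{"id": "App", "executable": "app.exe",
                             "startScript": {"scriptPath": "setup.ps1", "showWindow": False}}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("AppxSignature.p7x", b"placeholder")
        z.writestr("config.json", json.dumps(cfg))
        z.writestr("setup.ps1", "Write-Output 'constructed sample'")
    return buf.getvalue()
```

Calling `triage_msix(build_sample())` returns the report for the constructed package; a start script with `showWindow` false in a freshly downloaded installer is worth a closer look. Run it in an analysis environment, since the standard-library XML parser is not hardened against maliciously crafted XML.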

How Todyl addresses GHOSTPULSE

One of the core features of Todyl’s managed cloud SIEM and Endpoint Security modules is their ability to detect when malicious PowerShell scripts are run. Todyl can identify anomalous behaviors such as process injection, DLL sideloading, memory modifications, and more to prevent multiple stages of GHOSTPULSE.  

Our Detection Engineering and MXDR teams have created multiple detections to proactively detect, prevent, and uncover the effects of GHOSTPULSE in real time. If the MXDR team notices evidence of GHOSTPULSE on your systems, they can act immediately with your team or on your behalf to terminate processes, isolate hosts, and remediate issues.

Learn more

See how Todyl can help you defend in depth against GHOSTPULSE and many other prominent attack vectors. Book a demo today.
