Threat Actors

GhostSec – From Hacktivist to Ransomware Warlord

GhostSec evolved from hacktivist roots into a hybrid ransomware threat, using GhostLocker to target global sectors with encryption, extortion, and high-impact double-extortion campaigns.

Mitchell Langley
September 30, 2025

Table of Contents

Add a header to begin generating the table of contents

Overview

GhostSec emerged in 2015 as a hacktivist offshoot of Anonymous, launching campaigns like #OpISIS and targeting extremist groups. Since late 2022, they’ve pivoted into financially motivated cybercrime through their Ransomware-as-a-Service (RaaS) known as GhostLocker, and in partnership with Stormous, operate double-extortion operations under STMX_GhostLocker. Their toolkit now includes website attack tools like GhostPresser and GhostSec Deep Scan, with activity tied to both hacktivism and profit-driven campaigns.

Known Aliases of GhostSec Ransomware

GhostSecMafia
GSM
Ghost Security
GhostLocker (ransomware name)
STMX_GhostLocker (in collaboration with Stormous)

Country of Origin

Decentralized operations; associated activity and C2 infrastructure (e.g., Moscow-hosted servers) suggest Eastern European ties, but with hacktivist roots in Middle East influence .

Incident Timeline

Date	Event
2015	GhostSec forms as part of Anonymous‑linked hacktivists, launching #OpISIS and counter‑extremism campaigns outpost24.com+5socradar.io+5outpost24.com+5
Jul 2022	Claims compromise of Russian hydro-power ICS (Gusinoozerskaya) and Israeli sewage systems (Or Akiva)
Oct 2023	Launches GhostLocker RaaS v1.0, Python‑based encryptor promoted via Telegram at ~$999 per affiliate
Nov 2023	Releases GhostLocker v2.0 (Golang), adds stealth, watchdog persistence, encryption, exfiltration, RSA/GCM etc.
Jul 2023	Launches STMX_GhostLocker joint RaaS with Stormous, targeting 15+ countries and industries
2023–2024	Broad campaigns across energy, telecoms, education, government sectors globally (Brazil, India, etc.)

⚠️ Indicators of Compromise (IOCs) of GhostSec Ransomware

File Indicators

Extensions: .ghost
Ransom note: Ransomnote.html or similar HTML files
Dropped JSON config files containing 32-byte ID.

C2 Domains/IPs

94.103.91.246 (STMX_GhostLocker v2 Golang)

Malicious File Hashes (SHA-256)

8fa28795e4cd95e6c78c4a1308ea80674102669f9980b2006599d82eff6237b3
8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9
36760e9bbfaf5a28ec7f85d13c7e8078a4ee4e5168b672639e97037d66eb1d17
a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f

Tooling & Artifacts

Dropping to %TEMP%/onefile_%PID%_%TIME% followed by DLLs.
Usage of Nuitka-compiled binaries for stealth uptycs.com
JSON communication payloads to C2 via incrementLaunch.

Processes & Services

Termination of security processes/services
Watching for process restarts (watchdog)

Notable Attacks / Victims of GhostSec Ransomware

OpISIS, OpNigeria, OpLebanon, etc.: original hacktivist campaigns from 2015 onward.
ICS/OT Systems: Claiming disruption of Belarusian train RTUs in 2023.
Israeli Ministry of Defense — Claimed attack in December 2023 by GhostSec targeting critical national defense infrastructure through GhostLocker ransomware.
Indonesia’s National Railway Operator — GhostSec claimed responsibility for disrupting rail operations using ransomware and GhostPresser-based tools in early 2024.
Canadian Energy Supplier — Targeted as part of GhostSec’s critical infrastructure campaign, where ransomware was deployed to disrupt operations and steal data.
Bengaluru-Based Financial Firm — In January 2024, GhostSec affiliates used phishing to access VPN credentials and exploited a vulnerability to exfiltrate 5 million financial and PII records.
Brazilian Government Entity — Targeted in March 2024 during a broader double-extortion campaign; systems were encrypted and sensitive data was leaked online.
Educational Institute in India — GhostLocker ransomware was deployed against a university, locking student data and demanding ransom under the STMX_GhostLocker operation.
Technology Company in Poland — GhostSec exploited exposed web services to deliver ransomware, leaking corporate IP and user data after non-compliance.
Manufacturing Enterprise in South Africa — Ransomware used to halt production systems; exfiltrated blueprints and contracts were published on the GhostLocker leak site.
Telecom Provider in Turkey — Hit by GhostLocker 2.0 with claims of compromised communications infrastructure and stolen subscriber databases.
Real Estate Platform in Morocco — Ransomware attack encrypted all listing data; GhostSec demanded ransom under threat of data auction on the dark web.
Ministry of Education in Vietnam — Systems were encrypted and internal documents stolen, with ransom notes threatening public exposure if payment wasn’t made.
Private Healthcare Firm in Egypt — GhostLocker ransomware used to encrypt EMR systems; attackers claimed to possess over 250,000 patient files.
Industrial Supplier in China — GhostSec targeted a large-scale industrial automation firm using GhostLocker to lock down operational schematics and billing systems.
Qatar-Based Oilfield Services Provider — Attacked via STMX_GhostLocker, resulting in a week-long operational disruption and sensitive project files being leaked.
State Telecom Company in Uzbekistan — Encrypted core network components, resulting in regional service outages and extortion attempts via Telegram.

GhostSec Ransomware MITRE ATT&CK™ Tactics & Techniques

Tactic	Technique	ID
Initial Access	Exploit Public‑Facing Apps	T1190
	Valid Accounts	T1078
Execution	Command & Scripting Interpreter	T1059
Persistence	Create/Modify System Process	T1543
Privilege Escalation	Abuse Elevation Control Mechanism	T1548
Defense Evasion	Obfuscated Files/Information	T1027
	Impair Defenses	T1562
Credential Access	OS Credential Dumping	T1003
Lateral Movement	Remote Services (RDP/SMB)	T1021
Exfiltration	Exfiltration Over Web Service	T1567
Impact	Data Encrypted for Impact	T1486

Malware Strains Used by GhostSec Ransomware

GhostLocker v1: Python-based initial ransomware.
GhostLocker 2.0: Golang rewrite; features AES-128 encryption, process termination, stealth via antivirus evasion, and affiliate-controlled builder panels socradar.io+1thehackernews.com+1.
StormousX ransomware: Used in joint RaaS operations.
GhostPresser: Tool for XSS and website compromise.
GhostSec Deep Scan: Toolset for scanning target environments malpedia.caad.fkie.fraunhofer.de+10socradar.io+10blog.talosintelligence.com+10.

Common Methods of Infiltration Used by GhostSec Ransomware

Initial access via public-facing web vuln exploitation (e.g., WordPress, APIs).
Leverage valid credentials for authenticated access.
Builder-controlled payloads allowing customization and pre-attack targeting.
Process termination of security tools before encryption.
Remote services for lateral movement and data exfiltration.
Website-targeting tools like XSS injection for data collection or initial foothold dailysecurityreview.com.

Additional Intelligence about GhostSec Ransomware

Organizational Shift: In May 2024, GhostSec announced handing over GhostLocker to Stormous and returning to pure hacktivism, leveraging ransom profits to fund political operations reddit.com+14cybernews.com+14thecyberexpress.com+14.
Membership: Founder of Five Families collective (with ThreatSec, Stormous, Blackforums, SiegedSec); SiegedSec was removed late 2023 cybernews.com+4zerofox.com+4thehackernews.com+4.
Funding Model: Subscription-based premium channel, affiliate commissions, and ransomware income provide layered monetization outpost24.com.

Trending

Daily Briefing Newsletter

Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.