blacktemple.net · Cybersecurity News & Analysis · github: defconxt · © 2026

GhostSec

Also known as: Ghost Security · GhostSec Collective · Ghost Security Group

hacktivist
Nation: 🏴 Decentralized
Active Since: 2015
Targets: ISIS Infrastructure, Government, Critical Infrastructure, Financial, Israel-linked Organizations
Known Tools: GhostLocker Ransomware, GhostSpy RAT, DDoS Tools, SQLMap, Custom Web Exploitation Tools
MITRE ATT&CK: T1498, T1499, T1491.002, T1190, T1530, T1567, T1486, T1059.007
References: FBI ISIS Cyber Division Warning, Recorded Future GhostSec Analysis, CISA GhostLocker Advisory, Trend Micro GhostSec Investigation

Background

GhostSec (Ghost Security) is a decentralized hacktivist collective with a complex and evolving operational history. The group originally emerged in 2015 as an anti-ISIS hacktivist organization, identifying and reporting Islamic State online accounts, websites, and communication infrastructure to law enforcement and platform providers. This early iteration was viewed favorably by Western governments and worked with Interpol and the FBI to disrupt ISIS digital propaganda networks.

However, GhostSec has undergone significant ideological and operational shifts. By 2019-2020, portions of the collective pivoted toward broader anti-authoritarian hacktivism, and by 2023 GhostSec was conducting operations against Israeli and Western targets in response to the Israel-Hamas conflict, collaborating with other hacktivist groups, and releasing GhostLocker, a ransomware-as-a-service tool, a significant shift from pure hacktivism toward cybercriminal activity.

The group's decentralized structure means different factions operate under the GhostSec name with varying motivations and technical capabilities. The development and release of GhostLocker ransomware in 2023 marked a crossing of the line from hacktivism to criminal enterprise, attracting renewed law enforcement attention and separating GhostSec from the legitimate counter-extremism roots of its founding.

Notable Campaigns

ISIS Infrastructure Disruption (2015-2018): In its founding phase, GhostSec claimed to have identified and reported over 1,000 ISIS websites and 149,679 social media accounts. The group worked with law enforcement and platform trust and safety teams to suspend ISIS digital infrastructure, contributing to the broader counter-ISIS information campaign during the height of the Islamic State's territorial expansion.

Operation Middle East (2023): Following the October 7, 2023 Hamas attack on Israel and subsequent Israeli military operations in Gaza, GhostSec conducted DDoS attacks and data breach operations against Israeli organizations, government portals, and Western companies perceived as supporting Israel. The group collaborated with other pro-Palestinian hacktivist collectives during this period.

GhostLocker Ransomware Release (October 2023): GhostSec released GhostLocker, a ransomware-as-a-service tool, targeting Israeli and other organizations. The release represented a significant escalation from DDoS and defacement to destructive ransomware operations, attracting CISA advisory coverage.

Industrial Control System Attacks (2023): GhostSec claimed attacks against industrial control systems in Israel, including water treatment facilities and industrial automation systems. While the actual impact of these claimed attacks remains uncertain, the targeting of ICS represents an escalation in claimed capability.

GhostSpy RAT Distribution (2024): The group released GhostSpy, a remote access trojan, as a tool for both supporters and as a demonstration of technical capability, further blurring the line between hacktivism and criminal malware distribution.

Tactics, Techniques & Procedures

GhostSec employs a range of techniques across its different operational phases. DDoS attacks (T1498, T1499) remain the most common operation, targeting web properties of organizations in politically targeted sectors. Web application exploitation (T1190) and SQL injection are used for data theft and defacement.

In its more recent criminal phase, GhostSec has moved toward destructive operations using GhostLocker ransomware (T1486) and distributing GhostSpy RAT for persistent access. The group uses social media and Telegram for coordination, claims dissemination, and tool distribution.

The group's technical sophistication varies significantly by operation. Early ISIS-disruption work was primarily coordinating reporting rather than offensive hacking. More recent operations demonstrate capability to exploit web vulnerabilities and package functional malware, though significant portions of claimed operations remain unverified.

Tools & Malware

  • GhostLocker: PHP-based ransomware-as-a-service tool released in 2023, used to encrypt files on targeted servers and demand ransom payments.
  • GhostSpy RAT: Remote access trojan distributed by GhostSec in 2024, providing persistent access capabilities to buyers and sympathizers.
  • DDoS Tools: Standard hacktivist DDoS tools distributed through Telegram channels for coordinated attack operations.
  • SQLMap: Open-source SQL injection tool used for web application exploitation and database exfiltration.
  • Custom Web Exploitation Tools: Scripts and tools developed by GhostSec members for targeting specific web application platforms.

Indicators & Detection

GhostSec's targeting follows geopolitical events closely. Organizations in sectors with political salience during active conflicts (government agencies, media organizations, financial institutions, and critical infrastructure operators in conflict-adjacent countries) face elevated risk during periods of heightened tension.

Detection of GhostLocker ransomware infections should look for PHP-based encryptors on web servers, unusual file extension changes, and ransom notes consistent with GhostSec branding. Monitor for GhostSpy RAT indicators including C2 communication patterns to known GhostSec infrastructure.
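The two file-system indicators named above, unusual file extension changes and ransom notes carrying GhostSec branding, can be checked with a simple snapshot comparison. The script below is an added example written for this profile, not code from the page or from any vendor advisory: the before/after file listings are constructed, the `.locked` suffix is a placeholder rather than a known GhostLocker extension, and the note wording is invented. It does not attempt to identify the PHP encryptor itself; that needs file-content analysis beyond what the paragraph describes.

```python
"""Heuristic scan for two GhostLocker-style indicators: mass file-extension
changes on a web root and ransom notes that mention GhostSec/GhostLocker.
Added example; all snapshots below are constructed."""
import re
from collections import Counter
from pathlib import PurePosixPath

# Branding strings the profile says ransom notes carry; the note text is constructed.
BRANDING = re.compile(r"ghost\s?(sec|locker)", re.IGNORECASE)
# Generic ransom-note filename shapes (not a GhostLocker-specific indicator).
NOTE_NAME = re.compile(
    r"(readme|read_?me|how_to_decrypt|decrypt|recover|restore).*\.(txt|html?)$",
    re.IGNORECASE,
)


def appended_extensions(before: set[str], after: set[str]) -> Counter:
    """Count suffixes that were appended to files present in the earlier snapshot."""
    counts = Counter()
    for path in after - before:
        stem, dot, suffix = path.rpartition(".")
        # New path whose name minus its last suffix was an old path that vanished.
        if dot and stem in before and stem not in after:
            counts[suffix] += 1
    return counts


def find_ransom_notes(files: dict[str, bytes]) -> list[str]:
    """Paths that look like ransom notes and mention GhostSec or GhostLocker."""
    hits = []
    for path, data in files.items():
        name = PurePosixPath(path).name
        if NOTE_NAME.search(name) and BRANDING.search(data.decode("utf-8", "replace")):
            hits.append(path)
    return sorted(hits)


def assess(before: set[str], after_files: dict[str, bytes],
           min_renamed: int = 10, min_ratio: float = 0.5) -> list[str]:
    """Combine both heuristics into a list of findings (empty means nothing seen)."""
    after = set(after_files)
    findings = []
    total = max(len(before), 1)
    for ext, n in appended_extensions(before, after).most_common():
        if n >= min_renamed and n / total >= min_ratio:
            findings.append(f"mass rename: {n}/{total} files gained suffix .{ext}")
    for path in find_ransom_notes(after_files):
        findings.append(f"ransom note with GhostSec branding: {path}")
    return findings


def build_sample() -> tuple[set[str], dict[str, bytes]]:
    """Constructed before/after snapshots of a web root; '.locked' is a placeholder suffix."""
    root = "/var/www/html"
    before = {f"{root}/page{i}.php" for i in range(18)} | {f"{root}/robots.txt", f"{root}/favicon.ico"}
    after = {f"{root}/page{i}.php.locked": b"\x00ciphertext" for i in range(18)}
    after[f"{root}/robots.txt"] = b"User-agent: *\n"
    after[f"{root}/favicon.ico"] = b"\x00\x00\x01\x00"
    after[f"{root}/README_TO_DECRYPT.txt"] = (
        b"Your files have been encrypted by GhostLocker. Contact GhostSec to recover them."
    )
    return before, after


if __name__ == "__main__":
    for finding in assess(*build_sample()):
        print(finding)
```

In production the two snapshots would come from a file-integrity monitor or periodic `find` output rather than in-memory sets; the thresholds (`min_renamed`, `min_ratio`) keep a single renamed file or a normal deploy from paging anyone.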

Web application security controls (WAF deployment, SQL injection prevention, patching of publicly disclosed vulnerabilities) address the group's web exploitation techniques. DDoS protection infrastructure is necessary for government and critical infrastructure organizations that may be targeted during geopolitical operations. Monitor threat intelligence feeds for GhostSec operation announcements on their Telegram channels.
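The web exploitation techniques listed in the TTP section (T1190, SQL injection, SQLMap) leave traces in ordinary access logs, and a WAF is not the only place to catch them. The script below is an added example for this profile, not code from the page: it parses combined-format web server logs, URL-decodes each request, tags common injection shapes and the self-identifying `sqlmap` User-Agent, and rolls the results up per source address. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Detection pass over web-server access logs for SQL injection probing and
SQLMap scanning. Added example; the sample log lines are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures run against the URL-decoded request path and query string.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union(\s|/\*.*?\*/)+(all\s+)?select", re.I)),
    ("tautology", re.compile(r"['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I)),
    ("schema-enum", re.compile(r"information_schema|sysobjects|pg_catalog", re.I)),
    ("comment-trailer", re.compile(r"(--|#|/\*)\s*$")),
]
SCANNER_UA = re.compile(r"sqlmap", re.I)  # sqlmap's default User-Agent names itself


def parse(line: str):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list[str]:
    """Tags that apply to one parsed request."""
    decoded = unquote_plus(entry["path"])
    tags = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
    if SCANNER_UA.search(entry["ua"]):
        tags.append("sqlmap-ua")
    return tags


def summarize(lines: list[str]) -> dict[str, dict]:
    """Per-source-IP request and tag counts; unparseable lines are counted under '_unparsed'."""
    summary = defaultdict(lambda: {"requests": 0, "tags": Counter()})
    for line in lines:
        entry = parse(line)
        if entry is None:
            summary["_unparsed"]["requests"] += 1
            continue
        s = summary[entry["ip"]]
        s["requests"] += 1
        s["tags"].update(classify(entry))
    return dict(summary)


def alerts(lines: list[str]) -> list[str]:
    """Source IPs with at least one injection or scanner tag, sorted."""
    return sorted(ip for ip, s in summarize(lines).items() if s["tags"])


# Constructed sample: two sqlmap-style probes, one manual tautology, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:14:03:11 +0000] "GET /products.php?id=1%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '203.0.113.7 - - [10/Oct/2023:14:03:12 +0000] "GET /products.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '198.51.100.22 - - [10/Oct/2023:14:04:01 +0000] "GET /products.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2023:14:04:05 +0000] "GET /search.php?q=ghost+security HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:05:30 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], dict(s["tags"]))
```

The User-Agent check is the cheapest signal and the easiest for an attacker to change, so it is treated as one tag among several rather than the alert condition; the decoded-path signatures catch the same probing when the agent string has been rewritten. POST bodies are not in standard access logs, so this pass only sees injection attempts carried in the query string.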
