IOC Radar
TLP:WHITE · 2 IOCs

WAF Defense in Crisis? NSFOCUS Locks Down “Ghost Bits” Attacks in Advance

NSFOCUS Security Labs
Published April 30, 2026 · Original Report

Malware Families

Diamond Model

Axes: social axis, technology axis

Adversary: unknown
Infrastructure: unknown
Capability (1): Gh0st RAT
Victim: unknown

Attack Flow: 4 steps · MITRE ATT&CK mapped

Step 1/4: Defense Evasion (TA0005) · T1027 Obfuscated Files or Information
Action: Obfuscate attack payload characters
Attackers craft Unicode characters whose lower 8 bits match critical ASCII characters in attack payloads, making them appear harmless to WAFs.

5W+H Threat Analysis

Analysis unavailable

Indicators of Compromise

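2 indicators

| Type | Indicator | Confidence | Score | First Seen |
|------|-----------|------------|-------|------------|
| CVE | CVE-2024-36401 (tags: exploit, intel-blog, malware) | Medium | 51 | Jun 2, 26 |
| CVE | CVE-2022-22965 (tags: exploit, intel-blog, malware) | Medium | 51 | Jun 2, 26 |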

IOC Relationship Graph

2 total IOCs. Graph nodes: CVE (2), Malware (1): Gh0st RAT, Report: WAF Defense in Crisis? NSF