Since early December 2018, I’ve been seeing a new type of Gh0stRAT-like malware being distributed over SMB. This sample has been dubbed Gh0stCringe by @James_InThe_Box on Twitter. While the network communications of this new malware are very similar to those of Gh0stRAT, there are some key differences: instead of using Zlib compression on the data, the sample typically uses an encryption algorithm consisting of XOR and add, or XOR and subtract. Additionally, the sample uses far fewer commands than Gh0stRAT and seems to serve more as a stage 1. Features include: