How to remove GHOSTFORM from infected devices

What is GHOSTFORM?

GHOSTFORM is a .NET-based remote access trojan (RAT) that combines multiple attack capabilities into a single binary and executes PowerShell scripts directly in memory. It uses evasion techniques such as invisible Windows forms and delayed execution timers to help avoid detection. If detected, GHOSTFORM should be eliminated immediately.

More about the campaign

There are two chains used in the GHOSTFORM attacks. The first chain starts with a password-protected RAR file that contains a fake WinRAR application. When opened, it runs a dropper called SPLITDROP, which installs two additional malware components: TWINTASK and TWINTALK.

When launched, SPLITDROP asks the victim for a password to extract a hidden archive. If the archive already exists, it stops. If not, it decrypts an embedded file in the background while showing a fake error message. The decrypted files are saved to "C:\ProgramData\PolGuid", and a legitimate "VLC.exe" is then run to continue the attack.

When "VLC.exe" runs, it loads a malicious DLL file (TWINTASK). This component waits for commands and runs them using PowerShell. Certain commands are used to establish persistence on the device and initiate the next stage of the attack chain. This also involves a script that runs "WingetUI.exe" and creates registry entries so that "VLC.exe" and "WingetUI.exe" start automatically at system restart.

When "WingetUI.exe runs", it loads a malicious file called TWINTALK. This file connects to the attacker's server to receive commands and, together with TWINTASK, executes them on the infected system. TWINTALK supports three main command types: command execution, file download, and file upload.

GHOSTFORM

The second attack chain uses GHOSTFORM that performs all the functions of the first attack chain. It runs PowerShell commands directly in memory and does not use multiple files or DLL sideloading. The malware also uses an invisible Windows form to delay execution and a Google Form as a social engineering lure.

GHOSTFORM also delays its activity to avoid detection. It creates an almost invisible Windows form that runs a timer with a random delay before continuing execution. The malware also creates a mutex so only one copy runs at a time and generates a unique bot ID. Typically, RATs like GHOSTFORM are used to deploy additional payloads, steal information (including files), or engage in other malicious activities.

ClickFix

It is known that the campaign uses not only TWINTALK, TWINTASK, and GHOSTFORM, but also social engineering technique known as ClickFix to compromise devices. Fake web pages, such as a spoofed Cisco Webex invitation, are used to trick users into running commands that download and execute malware automatically.

Conclusion

The campaign combines malware and social engineering to infect devices. It uses tools like TWINTASK, TWINTALK, and GHOSTFORM to execute commands and maintain persistence. ClickFix-style social engineering, such as fake Google Forms and spoofed web pages, tricks users into running malware through malicious instructions.

How did GHOSTFORM infiltrate my computer?

Cybercriminals deliver a malicious file disguised as a harmless WinRAR‑style program. When a user opens it, this file injects hidden malware components into the system. One component runs in the background, regularly checks for encrypted commands from the attacker's server, and executes them using PowerShell.

In other attacks (ClickFix-style attacks), threat actors use social engineering techniques (like fake surveys or bogus meeting invitations) to trick users into running commands that download and execute malware.

How to avoid installation of malware?

Be careful with emails or messages you were not expecting, especially if they contain links or attachments - avoid opening anything that seems suspicious. Refrain from clicking on ads, pop-ups, or links on untrustworthy websites, and do not allow these sites to send notifications.

Always keep your operating system and apps up to date. Use trusted security software to scan your system regularly, download programs only from official sites or reputable app stores, and avoid pirated software, cracks, or unauthorized activation tools.

If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

ClickFix attack used in the malicious campaign (source: zscaler.com):

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

Quick menu:

• What is GHOSTFORM?
• STEP 1. Manual removal of GHOSTFORM malware.
• STEP 2. Check if your computer is clean.

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in "Safe Mode with Networking":

Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My device is infected with GHOSTFORM RAT malware, should I format my storage device to get rid of it?

While formatting the device will get rid of GHOSTFORM, it also erases all files, so it should only be used if other methods fail. A full scan with security software such as Combo Cleaner is recommended first.

What are the biggest issues that malware can cause?

Malware can be capable of giving attackers remote access, stealing personal data, corrupting or deleting files, downloading and executing other harmful programs, reducing overall system performance (and causing crashes), and more.

What is the purpose of a RAT?

A RAT (Remote Access Trojan) allows cybercriminals to control a victim's device remotely, steal data, inject other malware, execute commands without the user's knowledge, and perform other malicious actions.

How did GHOSTFORM RAT malware infiltrate my device?

In this campaign, threat actors distribute malware via a password‑protected archive and use social engineering lures (like fake forms and fake meeting invitations) to convince victims to run commands (via ClickFix-style technique) that then execute the malware.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove most known malware. Because some advanced threats may hide deep within the system, it is best to perform a full system scan to make sure all malicious components are identified and removed.