September 26, 2023

Researchers have found a RAT infecting Microsoft SQL and MySQL, dubbed as Gh0stCringe RAT also known as CirenegRAT, is a malware variant based on the code of Gh0st RAT.

Gh0stCringe RAT is a RAT malware that connects to a C&C server and performs various malicious actions after receiving commands from the attacker. The attacker can designate various settings to Gh0stCringe just like other RAT malware. One of those options the Gh0stCringe RAT provides is a keylogger. Keylogging enables the threat actor to steal login credentials and other sensitive information.


The threat actors behind Gh0stCringe are targeting poorly secured database servers with weak account credentials and no oversight. On the infected servers they found evidence of previous infection by miners  usually distributed through brute force attacks.

Security of SQL Server environments is considered to be among database administrators’ prime responsibilities. It is up to each database administrator to configure security features, or use additional security measures as needed, to address the security and compliance requirements of their data and applications.


The problem is that there are a few very different security issues to be considered when it comes to an internet-facing SQL server. Administrators have to implement security to protect their system(s) against SQL database vulnerabilities, SQL injection attacks, and brute-forcing SQL credentials on top of every other security measure that applies to such servers.

Some signs that could give away the presence of the Gh0stCringe RAT. The method of keylogging it uses is know to cause high CPU-usage.



  • mcsql.exe

C&C servers:



  • bd8611002e01d4f9911e85624d431eb0
  • 9adc9644a1956dee23c63221951dd192
  • 782cbc8660ff9e94e584adfcbc4cb961

Leave a Reply

%d bloggers like this: