3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
GhostSec

GhostSec

ID: 516f80b61a76ee1222784da8601860db72774
Hacktivist Group Collective DDoS Crew Hacktivism
Threat types: Defacement, Data Leak, Ransomware, ICS Compromise, Intrusion
Russia
Updated: 2026-04-09
Created: 2025-10-18
Progress: 74% Completeness: 67% Freshness: 90%
Operation zone:
Aliases Limited alias preview
GH0ST S3CURITY GH0ST_S3CURITY Gh************ Gh************
Gh****************** Gh******* Gh*********** Gh*********
Gh*********** GS******
Showing 2 of 10 aliases in free preview.
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: high
Actor Techniques page ATT&CK® Diagram

GhostSec (Ghost Security) — Anonymous-adjacent hacktivist brand (anti-ISIS origins) that monetized via paid channels and a RaaS product (GhostLocker) through 2023–early 2024, then publicly announced a return to hacktivism in May 2024 and handed GhostLocker to Stormous.


Technique Technique name Tactics Evidence
T1585 Establish Accounts TA0042
  • 2022-09-04 — Telegraph post 'GhostSec's Exclusive Offer For YOU!' advertising GS Premium, services, and an affiliate program; references @GhostSec420. · ref
  • 2024-01-26 — Vendors document Telegram channels, panels, and affiliate mechanics around GhostLocker. · ref
T1486 Data Encrypted for Impact TA0040
  • 2023-11-08 — Rapid7 describes GhostLocker encryptor and RaaS offering tied to GhostSec. · ref
  • 2024-01-26 — SentinelOne details GhostLocker features (compiled Python payloads, .ghost extension, ransom notes). · ref
T1657 Financial Theft TA0040
  • 2023-11-08 — RaaS economics: affiliate/referral model and pricing for GhostLocker. · ref
  • 2024-01-26 — GhostLocker membership pricing ($999–$1,200) and referral discounts for affiliates. · ref
T1491.002 External Defacement TA0040
  • 2015–2022 — Early GhostSec campaigns emphasized propaganda/defacement against ISIS-aligned infrastructure. · ref
T1498 Network Denial of Service TA0040
  • 2015–2024 — Hacktivist 'ops' frequently paired with claimed DDoS for optics (pattern across ecosystem reporting). · ref
T1589 Gather Victim Identity Information TA0043
  • 2015–2024 — OSINT collection and publicity components typical of GhostSec operations. · ref
T1585.003 Cloud Accounts TA0042
  • 2024-05-15 — GhostSec Services channel (Telegram) cited in reporting around the exit announcement and channel shutdown/changes. · ref
Strategic Intelligence
Limited preview
Last updated: 2025-10-23T03:57:34+00:00
GhostSec (Ghost Security) — Hacktivism ↔ Cybercrime Pivot, Then “Return” to Activism

CLASSIFICATION: Unclassified / Open Source


Executive Summary

GhostSec (Ghost Security) began as an Anonymous-adjacent vigilante effort against ISIS propaganda channels (2015), then evolved through 2022–2024 into a brand that mixed hacktivist operations with revenue-seeking offerings (paid “premium” access, services, RaaS “GhostLocker”). In mid-May 2024, GhostSec publicly announced it was exiting the cybercrime/ransomware scene, transferring GhostLocker to the Stormous crew, and “returning to hacktivism.” Multiple independent vendors and media documented the RaaS phase (pricing, features, affiliate/referral model) and the later announcement of the handoff/exit. The group’s narrative remains fluid; capabilities observed range from typical hacktivist defacement/DDoS claims to commodity ransomware and opportunistic ICS/OT “proofs,” with most impactful tradecraft aligning to financially motivated operations in 2023–early 2024. Confidence: high on the chronology (2015–2024); medium on current 2025 posture.


  • Origins: Anonymous-adjacent, anti-ISIS vigilante brand; later split/variants (Ghost Security Group vs. GhostSec proper) in 2015.
  • Revenue phase (2022–2024): Public “GS Premium” paywall and affiliate program via Telegraph post (09-04-2022), advertising private leaks, consulting, “0-days,” and site/network takedowns.
  • RaaS phase (2023–2024): GhostLocker marketed on Telegram with entry fees, referrals, and affiliate perks; multiple vendors produced technical analyses.
  • Exit declaration (2024-05-15): GhostSec said it would retire from cybercrime/ransomware, hand GhostLocker v3 to Stormous, and refocus on hacktivism; third-party investigations referenced the statement. INFERENCE: GhostLocker operations likely continued under Stormous management.
Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Empty Limited preview
No content yet.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Empty Limited preview
No content yet.
IOC Appendix now
Saved successfully.
OSINT Library
Empty Limited preview
No content yet.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/19
Address Verification SOCMINT
x.com/GH0*********** Restricted Not integrated
x.com/gho*********** Restricted Not integrated
twitter.com/Gho***** Restricted Not integrated
twitter.com/_Gh******* Restricted Not integrated
Address Verification SOCMINT
t.me/Gho******** Restricted Not integrated
t.me/Gho****** Restricted Not integrated
t.me/Gho****** Restricted Not integrated
t.me/+be************** Restricted Not integrated
t.me/Gho******* Restricted Not integrated
twitter.com/gho*********** Restricted Not integrated
twitter.com/GS_***** Restricted Not integrated
t.me/Gho****** Restricted Not integrated
t.me/Gho***************** Restricted Not integrated
Address Verification SOCMINT
gh******@ghostsec.com Restricted Not integrated
gh*********@protonmail.ch Restricted Not integrated
Address Verification SOCMINT
telegra.ph/Gho************************************ Restricted Not integrated
ghostsec.writeas.com Restricted Not integrated
Address Verification SOCMINT
github.com/Gho********** Restricted Not integrated
github.com/gho******** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–2 of 2 images
https://telegra.ph/GhostSecs-Exclusive-Offer-For-YOU-09-04 Free Preview
https://telegra.ph/GhostSecs-Exclusive-Offer-For-YOU-09-04
Propaganda Free Preview
Propaganda