APT / THREAT GROUP

GHOSTBLADE

Aliases: 2
Last seen: Mar 26, 2026

Intelligence Profile

According to Google, GHOSTBLADE is delivered via the DarkSword exploit chain. GHOSTBLADE is a dataminer written in JavaScript that collects and exfiltrates a wide variety of data from a compromised device. Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S). Unlike GHOSTKNIFE and GHOSTSABER, GHOSTBLADE is less capable and does not support any additional modules or backdoor-like functionality; it also does not operate continuously. However, similar to GHOSTKNIFE, GHOSTBLADE also contains code to delete crash reports, but targets a different directory where they may be stored.

Threat Analysis

GHOSTBLADE is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

js.ghostblade
GHOSTBLADE

External Intelligence

Malpedia: js.ghostblade

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.