RST TI Report Digest: 17 Nov 2025
ID: 9f32b1e9-5b0f-5f73-94cd-f71db1473c58
STIX ID: report--9f32b1e9-5b0f-5f73-94cd-f71db1473c58
Feed Name: RST Cloud Blog
**Executive Summary:** In 2025, Unit42 describes two large-scale impersonation campaigns (Trio and Chorus) targeting Chinese-speaking users. The attackers created thousands of spoofed domains and delivered variants of the Gh0st RAT via MSI-based installers, intermediary domains and public cloud storage, using embedded VBScript and DLL side-loading to evade detection. The report provides numerous IOCs (IPs, domains, URLs, SHA-256 hashes).
