Authors: Audra Campbell and Oscar Presnall
DarkTower identified and investigated the “Ghost Hacker’s Operating System” Telegram channel, operated by user @ghosthackerOS (ID: 848925336), who claims to be the creator of “the world’s most advanced spamming operating system” known as Ghost Hacker OS. Through Telegram-based collection and analysis of a tutorial video uploaded on 26MAR2026, DarkTower observed the threat actor demonstrate what was described as a “new Zero Day Exploit on M365.”
The demonstrated attack chain began with custom phishing pages designed to capture Microsoft 365 credentials. Following credential theft, the tooling created a localized clone of the victim’s Outlook inbox, allowing operators to search emails for high-value intelligence, view attachments, reply to emails, and modify mailbox rules.
DarkTower also observed the actor using the “Ghost Hub Panel” to log into Cloudflare, generate temporary phishing domains, and manage harvested credentials through the “App Credential Accounts” tab. The video further showed how a compromised administrator account could be leveraged to register an API application capable of accessing additional mailboxes across the organization through inherited permissions. Once API access was established, the actor no longer appeared to require the original administrator credentials to continue pulling emails from affected accounts.
Based on the observed activity, the threat actor appears to achieve lateral movement primarily through abuse of administrator privileges and API access rather than traditional malware deployment techniques.
Ghost Hacker’s Operating System Telegram Channel
The “Ghost Hacker’s Operating System” Telegram channel is run by user @ghosthackerOS (ID: 848925336). @ghosthackerOS claims to be the “Creator of the world’s most advanced spamming operating system.”
The coordinates listed as this user’s location point to a spot north of Alaska in the middle of the Arctic Ocean.1


The Ghost Hub Panel advertises “direct code, direct login, direct token, full analytics & dashboards, mailbox interface, templates, ZeroBot integration, etc.” ZeroBot is described as an “anti-bot and traffic protection platform” that does “real-time IP classification, device fingerprinting, and threat scoring so only real humans get through”; the same service also offers cloaked redirect links2. For @ghosthackerOS’s customers who have purchased his Thanatos Cookie Link Service, this blocks bots, scanners, and security crawlers and reduces page flags, so phishing links survive longer. Cookie capture is built into the panel, which is marketed as an “all‑in‑one panel for serious operators, not a small single‑purpose tool.”

Figure 3: hxxps://t[.]me/ghostisoperating/145
On 21APR2026, @ghosthackerOS posted an update to the Ghost Hacker’s Operating System channel listing the tools available for sale and the latest changes to Ghost Hacker OS.

@GhosthackerOsbot
The Telegram shop bot @GhosthackerOsbot lists the following tools and prices:
- Ghost Hacker OS v4.0: $2,500 for lifetime access
- Ghost Hub Panel: $1,250 for lifetime access
- Thanatos Cookie Link System: $350 per month
- Screen Connect Clean Panels: $800 for 2 months
- Crypto Wallet Drainer: $1,200 per month
- Email MX Sorter: $250 for lifetime access
@ghosthackerOS uploaded a tutorial video on 26MAR2026 showcasing features of his Ghost Hacker OS3. The startup sequence of the installer loads a large number of Python libraries, suggests next steps, and then starts the Ghost Hacker Sender, asking for a password to ensure the user has an active license.


@ghosthackerOS uses VS Code, but states that any code editor will work with his product.

The Ghost Hacker OS command center “Built to Bypass Any Email Provider By Any Means Necessary” is seen in Figure 21.

Feature 1 – “Lunch Ghost Hacker OS Mailer”
The video shows the hacker changing his config.json file to set “use_inbuilt_proxy_sender” to “true.” @ghosthackerOS then edits recipients.txt to include his target email address, in this case ahmed[@]meservices[.]ae. Then he edits spoofed_emails.txt to enter his sending email address: yawrol[@]shaw[.]ca.

@ghosthackerOS edits the config.json file again and chooses a template from the lefthand menu. Template names include but are not limited to: Bank, DHL, Docusign, Dropbox, FedEx, Google Calendar, Google Drive, Google Password, Google Security.
The threat actor edits a few variables in the Docusign template, such as the line:
[FIRST NAME] has sent you a document …
He edits sender_names.txt and subjects.txt to further configure the send. Although the example uses only one name, both files accept lists so the values can rotate across a batch spam run.

This initial spam run fails because outbound port 25 is not open, which blocks the built-in proxy sender. @ghosthackerOS opens the README.md file to work out how to reconfigure the send and fixes the problem by adding an SMTP entry on port 465 for outbound mail, logging in to an AWS gateway with a Zimbabwe-based email address and password.
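What the receiving side of the send just described looks like: the From: address comes from spoofed_emails.txt, but the mail actually leaves through a third-party SMTP gateway, so any SPF pass belongs to the relay’s envelope domain rather than to the domain the victim sees. The following is an added example written for this page, not code from the DarkTower report or from Ghost Hacker OS; it applies a DMARC-style alignment check to two constructed messages (mx.example.com and relay.example.net are placeholder hostnames).

```python
"""Check whether a received message's visible From: domain is backed by an
aligned SPF or DKIM pass, the way a DMARC evaluator would.

Added example, not code from the DarkTower report or from Ghost Hacker OS.
Both sample messages are constructed; mx.example.com and relay.example.net
are placeholder hostnames.
"""
import email
import email.utils
import re
from email import policy

# Pull (result, domain) pairs out of an Authentication-Results header.
SPF_RE = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)


def org_domain(domain: str) -> str:
    """Reduce a hostname to its last two labels.

    Real DMARC uses the Public Suffix List to find the organizational domain;
    two labels is enough for this example's inputs.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: both identifiers share an organizational domain."""
    return bool(from_domain) and org_domain(authenticated_domain) == org_domain(from_domain)


def header_from_domain(msg) -> str:
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def dmarc_alignment(raw: str) -> dict:
    """Return which authenticated identifier, if any, aligns with the From: domain.

    A message sent through a third-party SMTP relay with a spoofed From: (the
    spoofed_emails.txt workflow) can still get spf=pass, but for the relay's
    envelope domain, not the domain the victim sees. With no aligned pass the
    message is treated as suspected spoofing.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = header_from_domain(msg)
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    spf_ok = any(res.lower() == "pass" and aligned(dom, from_dom) for res, dom in SPF_RE.findall(auth))
    dkim_ok = any(res.lower() == "pass" and aligned(dom, from_dom) for res, dom in DKIM_RE.findall(auth))
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "suspected_spoof": not (spf_ok or dkim_ok),
    }


# Constructed: a relay-sent message whose From: was set from spoofed_emails.txt.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@relay.example.net; dkim=none
From: Docusign <yawrol@shaw.ca>
To: ahmed@meservices.ae
Subject: A document has been sent to you

Please review and sign.
"""

# Constructed: the same visible sender domain, this time authenticated by its own infrastructure.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=noreply@shaw.ca; dkim=pass header.d=shaw.ca
From: Someone <someone@shaw.ca>
To: ahmed@meservices.ae
Subject: Hello

Hi.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, dmarc_alignment(raw))
```

The check deliberately ignores a bare spf=pass: the relay in the video is perfectly entitled to send on behalf of its own envelope domain, and only alignment with the visible From: tells the receiver whether shaw.ca actually vouched for the message.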


Feature 3 – Ghost Hacker OS Email Sorter
He pastes 78,000+ email addresses into newleads.txt in the recipients folder, then selects a subset of 2,786 emails and names that file test.txt.

The Email Sorter determines the type of mail host for each address.
After a satisfactory test spam email, the creator accesses the O365 box of “Ahmed Abbas” (ahmed[@]meservices[.]ae) and uses the tooling to extract the contacts from Ahmed’s O365 account.

Feature 2 – Ghost Hacker OS AI Agent
Next, @ghosthackerOS demonstrates his “Ghost Hacker OS AI Agent,” which can be launched in a Windows GUI, in Terminal Mode, or in Telegram Bot Mode. He claims the agent is “jailbroken” and will bypass all restrictions, as it was created specifically for Ghost Hacker OS.

Figures 28-32 show the threat actor’s interactions with the AI Agent.



After making the template, the AI suggests 5 subject lines and 5 senders:

If a specific template has already been created, the AI will suggest similar templates; in this case instead of an Adobe – Account Verification Required template, the AI recommends the template variants Adobe – Creative Cloud License Expiration and Adobe – Document Signature Required.
@ghosthackerOS then requests all templates to be saved to his directory.

Previewing the template the AI generates first shows the inbox summary (Figure 33), then the body of the email (Figure 34), and lastly generates a “Spam Score Report” (Figure 35).





Feature 4 – Email Extractor Tool
The email extractor tool is not shown in working condition.
Menu options indicate the user can extract data from config SMTP emails, Office 365 emails, credit cards, and open redirects.


Feature 5 – Ghost Hacker OS Box2Box
After once again verifying the user’s license, @ghosthackerOS configures settings for this auto-reply and conversation spam tool.

The OS prompts users to install the Chrome Extension “Ghost Hacker OS OAuth Capture,” enable developer mode, and load the extension.

After the previous steps are completed, a Microsoft Office email login URL is provided where the user logs into the target email (ahmed[@]meservices[.]ae) and captures the OAuth code.


The tool then enumerates the mailbox and lets the operator download any of its data: contacts, emails, rules, etc. Figure 43 shows contacts extracted from ahmed[@]meservices[.]ae and saved to the file boxextactahm.txt.


Feature 6 – From Mail Scanner/Finder Tool
The Mail Scanner tool verifies and filters working emails.


Feature 7 – Ghost Hub Panel Advanced
In a message from 24MAR2026, “Ghost” (@ghosthackerOS) introduces himself as an exploit developer and full-stack developer who does bug hunting, uncovers vulnerabilities, and has a passion for uncovering secrets. He says he created Ghost Hacker’s OS with all of this in mind: “A single, unified platform built with precision, security, and total control – everything a serious Red Team Hacker needs in one powerful system.” He then states he will post a video showcasing the operating system and a “new Zero Day Exploit on M365.”4
The initial entry point is obtained through high-level custom phishing pages. The tools create a local clone of the Outlook inbox, then search that mail for high-value target intelligence. This local clone of the inbox allows the Ghost Hacker OS user to view attachments, reply to mail, change mailing rules, etc.
The Ghost Hub Panel contains the tabs: Landing Pages, Cloudflare, Box-to-Box, Attachment Builder, Redirect Builder, Persistent Access, App Accounts, Keyword Listener, Analysis, Log Manager, and Setup Guide.
After logging into Cloudflare through the Ghost Hub Panel – later used to create temporary domains – customers can create their own phishing pages.
Landing Page customization contains 25 captcha options and 45 website templates.

The 45 templates choices include:
Adobe Acrobat Sign
Microsoft 365
OneDrive Sharing
Outlook Security Allert
Microsoft Teams Meeting
Corporate Secure Portal
SharePoint Document Review
Dropbox Business
Docusign Signature
Secure Access Gateway
Organization Sign-In
Cloud Identity
Work Account
SSO Portal
Identity Verification
Azure AD Identity
Box Content Cloud
Notion Shared Page
Slack Enterprise Grid
Salesforce Customer 360
ServiceNow ITSM Portal
Workday HCM
Zoom Video SSO
Cisco Webex Meeting
Okta Identity
Docusign Envelope v2
OneDrive File Preview
Mailchimp Campaign
HubSpot CRM Portal
SendGrid Delivery Report
OneDrive Dark Share
OneDrive Blue Share
Adobe Acrobat Sign v2
OneDrive Shared Document
SharePoint File Share
Email Quarantine
Teams Channel Message
Teams File Sharing
Teams Webinar
Teams Approval Workflow
Teams Whiteboard
Teams Calendar
Teams Chat
Teams Admin Center
Teams Classroom

Once a template is customized, Ngrok is used to obtain a free public hostname so the operator does not host the site directly and expose their own network or IP address. Cloudflare is then used to create new temporary domains that point at the Ngrok hostname, hosting the page anonymously and making it easy to swap the domain if it gets flagged. Ngrok supports OAuth, OpenID, SAML, and Basic Authentication.


The Offline Attachment Builder offers 12 options for redirect pages. The 12 options include:
- Microsoft Document: “Opening document…”
- OneDrive: “Loading your file from OneDrive cloud storage…”
- SharePoint Online document loading screen
- Adobe Acrobat PDF reader loading screen
- Google Docs style document loading
- Voicemail audio player notification loading
- Encrypted secure document viewer
- Docusign document review and signature loading
- Dropbox file preview viewer loading
- WeTransfer file download loading screen
- Microsoft Teams meeting invite loading
- Microsoft Excel spreadsheet preview loading
After selecting a template, users can input a “Target URL,” which will redirect users of this “offline attachment” to the desired phishing page. In the example provided, Figure 48 is generated as an html file based on the #4 template option. Once a victim clicks the “Continue” button, they are redirected to the credential harvesting site, seen in Figure 49.

The following Figure shows an Adobe Acrobat Sign v2 phish template in which the victim will be requested to verify his/her identity through Microsoft, leading to the pop up seen on the left of Figure 49. This pop-up is where credentials are harvested.
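Two of the pieces above leave something a defender can inspect offline: the “offline attachment” is a plain HTML file whose only job is to forward the victim to the credential page, and that page sits behind an Ngrok hostname fronted by a temporary Cloudflare domain. The following is an added example written for this page, not code from the report or from the Ghost Hub Panel Attachment Builder: it extracts every navigation target from an HTML lure and flags destinations on free tunnelling hosts. SAMPLE_LURE is constructed to mimic the described flow (branded loading screen, Continue button, client-side redirect); its hostnames are placeholders, and the tunnel-suffix list is an assumption to be extended for your environment.

```python
"""Triage an HTML "offline attachment" lure: extract every redirect target the
page can send the victim to and flag destinations on free tunnelling hosts.

Added example, not code from the report or from the Ghost Hub Panel
Attachment Builder. SAMPLE_LURE is constructed to mimic the described flow
(branded loading screen, Continue button, client-side redirect to the
credential page); its hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname suffixes of tunnelling services that give a public name to a machine the
# operator does not want to expose. The report describes Ngrok in that role, with a
# Cloudflare-managed domain pointed at the tunnel. Assumed list; extend as needed.
TUNNEL_SUFFIXES = (".ngrok-free.app", ".ngrok.io", ".ngrok.app", ".ngrok.dev", ".trycloudflare.com")

# Common client-side redirect idioms inside <script> blocks and on* handlers.
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""",
    re.I,
)


class LureParser(HTMLParser):
    """Collect (source, url) pairs for every place the page can navigate to."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def _scan_js(self, text, source):
        for m in JS_REDIRECT_RE.finditer(text):
            self.targets.append((source, m.group(1) or m.group(2)))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\" ]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "script":
            self._in_script = True
        for k, v in a.items():            # inline handlers such as onclick
            if k.startswith("on"):
                self._scan_js(v, f"{tag}@{k}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan_js(data, "script")


def classify_host(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "relative"
    return "tunnel" if host.endswith(TUNNEL_SUFFIXES) else "external"


def triage_attachment(html: str) -> list[dict]:
    """Every navigation target in the attachment, with its hostname and class."""
    p = LureParser()
    p.feed(html)
    p.close()
    return [{"source": s, "url": u, "host": urlparse(u).hostname, "class": classify_host(u)}
            for s, u in p.targets]


def tunnel_hosts(html: str) -> set[str]:
    """Just the tunnel-hosted destinations; a non-empty set is a strong signal."""
    return {t["host"] for t in triage_attachment(html) if t["class"] == "tunnel"}


# Constructed lure in the style of the "OneDrive: Loading your file..." template.
SAMPLE_LURE = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="15; url=https://abc123.ngrok-free.app/office/">
<title>OneDrive</title></head>
<body>
<p>Loading your file from OneDrive cloud storage...</p>
<button onclick="window.location='https://abc123.ngrok-free.app/office/'">Continue</button>
<script>
  setTimeout(function () {
    location.replace("https://files-share.example-lure.test/view");
  }, 20000);
</script>
</body></html>
"""

if __name__ == "__main__":
    for t in triage_attachment(SAMPLE_LURE):
        print(t)
    print("tunnel hosts:", tunnel_hosts(SAMPLE_LURE))
```

Because the Cloudflare-managed domain in front of the tunnel is disposable, the attachment itself is often the more durable indicator: the three redirect mechanisms scanned here (meta refresh, inline handler, script) are what a “Continue” lure relies on regardless of which domain is current that day.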

Once an account is captured, the data is displayed on Ghost Hub Panel.

The Redirect Builder is used to create links that start at the official login.microsoftonline[.]com URL but redirect to the phishing site, using the refresh tokens of captured accounts. Because the visible link is a genuine Microsoft domain, victims are more easily tricked into clicking it.


The Persistent Access Manager reviews all collected account credentials and determines whether privilege escalation is available. The “exploit” comes into play when a captured account has administrator permissions within its organization: the operator uses the captured token to register an application with Microsoft’s API under the organization’s name, posing as something like a third-party email client. @ghosthackerOS claims that this exploit works on both administrator and normal accounts.
The tool is described as deploying “a silent background service connector for seamless, always-on mailbox access – no credentials needed after setup,” one that survives password changes, MFA, and lockouts.
After selecting “Create App Registration,” the entire company directory of the harvested account’s tenant is scraped, paving the way for mail access across the targeted company.

The Outlook Clone tool creates a local clone of the captured Outlook. Using any of the email addresses scraped from the previous step, the tool will be “auto-filled from persistent access” following pasting the desired email address.

After launching the clone, the user has complete access to the targeted inbox. The demonstration video shows the threat actor viewing emails, attachments, and company settings.


All company credentials are now harvested and available in the Ghost Hub Panel’s “App Credential Accounts” tab, all collected from one initially captured email. Because that account had administrator privileges, it could register the API application, and the application can reach the mailboxes of any account the admin had rights over. Once the application exists, its API access lets the operator keep pulling mail from accounts in the organization without the admin user’s credentials.
The threat actor therefore appears to achieve lateral movement by compromising an admin account and using its privileges to stand up an API application that can read every account beneath it. Despite the claim that the exploit works on both admin and regular email accounts, only the admin case was shown in the demonstration video.
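Every step of that chain is written to the tenant’s own audit log: an application is created, a service principal is added, an application permission over mail is granted, and a credential is attached so the app can be used without the admin. The following is an added example for this page, not code from the report or from Ghost Hub Panel. The operation names are the ones Entra ID writes to its audit log; the event records are constructed and flattened (a real AuditLogs record carries the role name inside targetResources/modifiedProperties rather than a top-level “role” key), and the tenant, initiator and app display names are placeholders.

```python
"""Correlate Entra ID audit events into the app-registration persistence chain the
report describes: application created, service principal added, mailbox
application permission granted, credential added.

Added example, not from the report or from Ghost Hub Panel. The operation
names are the ones Entra ID writes to its audit log; the event records are
constructed and flattened (a real AuditLogs record carries the role name in
targetResources/modifiedProperties rather than a top-level "role" key).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft Graph / Exchange *application* permissions that let an app reach every
# mailbox in the tenant with no signed-in user, i.e. "no credentials needed after setup".
MAIL_APP_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "full_access_as_app"}
# Permissions that let the app enumerate the directory (the "company directory is scraped" step).
DIRECTORY_APP_PERMISSIONS = {"User.Read.All", "Directory.Read.All"}

ROLE_ASSIGN_OP = "Add app role assignment to service principal"
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application – Certificates and secrets management"}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_persistence_chains(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Return one alert per app that, within `window` of its creation, was granted a
    mailbox application permission and given a credential usable without the admin."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app_id"]].append(e)

    alerts = []
    for app_id, evs in by_app.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        created = next((e for e in evs if e["operation"] == "Add application"), None)
        if created is None:
            continue
        t0 = parse_time(created["time"])
        in_window = [e for e in evs if parse_time(e["time"]) - t0 <= window]
        roles = {e["role"] for e in in_window if e["operation"] == ROLE_ASSIGN_OP}
        mail_roles = roles & MAIL_APP_PERMISSIONS
        has_credential = any(e["operation"] in CREDENTIAL_OPS for e in in_window)
        if mail_roles and has_credential:
            alerts.append({
                "app_id": app_id,
                "display_name": created["target"],
                "initiator": created["initiator"],
                "created": created["time"],
                "mail_permissions": sorted(mail_roles),
                "directory_permissions": sorted(roles & DIRECTORY_APP_PERMISSIONS),
                "operations": [e["operation"] for e in in_window],
            })
    return alerts


# Constructed audit records (placeholder tenant example.test). app-1 mirrors the
# demonstrated chain from a compromised admin; app-2 is a routine registration with
# no mailbox permission and no secret.
ADMIN = "compromised.admin@example.test"
AUDIT_EVENTS = [
    {"time": "2026-03-26T10:02:11Z", "operation": "Add application", "initiator": ADMIN,
     "target": "Outlook Sync Client", "app_id": "app-1"},
    {"time": "2026-03-26T10:02:12Z", "operation": "Add service principal", "initiator": ADMIN,
     "target": "Outlook Sync Client", "app_id": "app-1"},
    {"time": "2026-03-26T10:02:40Z", "operation": ROLE_ASSIGN_OP, "initiator": ADMIN,
     "target": "Outlook Sync Client", "app_id": "app-1", "role": "Mail.ReadWrite"},
    {"time": "2026-03-26T10:02:41Z", "operation": ROLE_ASSIGN_OP, "initiator": ADMIN,
     "target": "Outlook Sync Client", "app_id": "app-1", "role": "User.Read.All"},
    {"time": "2026-03-26T10:03:05Z", "operation": "Add service principal credentials",
     "initiator": ADMIN, "target": "Outlook Sync Client", "app_id": "app-1"},
    {"time": "2026-03-26T14:30:00Z", "operation": "Add application", "initiator": "itadmin@example.test",
     "target": "Intranet Portal", "app_id": "app-2"},
    {"time": "2026-03-26T14:30:01Z", "operation": "Add service principal", "initiator": "itadmin@example.test",
     "target": "Intranet Portal", "app_id": "app-2"},
    {"time": "2026-03-26T14:31:00Z", "operation": ROLE_ASSIGN_OP, "initiator": "itadmin@example.test",
     "target": "Intranet Portal", "app_id": "app-2", "role": "User.Read.All"},
]

if __name__ == "__main__":
    for alert in find_persistence_chains(AUDIT_EVENTS):
        print(alert)
```

The correlation keys on the combination that matters rather than on any single event: app registrations and directory-read permissions are routine, but a mail application permission plus a freshly added secret, minutes after creation, is the shape of the “silent background service connector” the panel describes. Where mailbox auditing is on, the reads the app performs afterwards show up as MailItemsAccessed events attributed to the application rather than to the admin, which is the place to confirm the “no credentials needed after setup” phase and to scope which mailboxes were actually pulled.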


