Not Just Annoying Ads: Adware Bundles Delivering Gh0st RAT
Essential information
- Published: 17/04/2026 23:18
- Modified: 20/04/2026 10:52
- Tags: 2026-04-17, adware bundle, cloverplus, dead drop resolver, dns hijacking, gh0st rat, keylogging, registry persistence, remote access trojan
- Related entities: 1 vulnerability (CVE), 2 observables, 19 techniques (MITRE), 3 malware
Description
A sophisticated malware campaign is distributing the Gh0st Remote Access Trojan and CloverPlus adware together through obfuscated loaders. The loader drops encrypted payloads from its resource section: one is the adware component, the other a Gh0st RAT DLL module executed via rundll32.exe. The RAT employs multiple persistence mechanisms, including registry run keys, Windows services, and manipulation of the Remote Access service. It features capabilities for token manipulation, DNS hijacking, keylogging targeting RDP sessions, system reconnaissance, and dead drop resolver techniques for C2 communication. The malware specifically targets security tools by blocking antivirus domains through DNS spoofing and hosts file modification. This dual-payload approach gives the attackers long-term system access while generating immediate profit through adware monetization.
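Added here as a defender's illustration, not code from the report or the malware: a hosts-file audit that flags overrides of security-vendor domains, the kind of modification the description attributes to this RAT. The watched domains and the sample hosts file are constructed placeholders; substitute the real update and telemetry domains of the deployed products.

```python
import ipaddress
from typing import List, Tuple

# Constructed watch list: stand-ins for the AV/EDR update and telemetry
# domains a defender would actually monitor (the report names none).
WATCHED_SECURITY_DOMAINS = {
    "update.example-av.test",
    "telemetry.example-edr.test",
    "cloud.example-av.test",
}

# Targets that silently null-route a name rather than redirect it.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def _domain_is_watched(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_SECURITY_DOMAINS)


def audit_hosts(hosts_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, hostname, ip, verdict) for each watched domain the
    hosts file overrides: 'sinkhole' for loopback/unspecified, else 'redirect'."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an override
        for host in parts[1:]:
            if _domain_is_watched(host):
                verdict = "sinkhole" if str(ip) in SINKHOLE_IPS else "redirect"
                findings.append((line_no, host.lower(), str(ip), verdict))
    return findings


# Constructed sample hosts file: legitimate entries plus two injected overrides.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test        # injected: blocks AV updates
198.51.100.23   telemetry.example-edr.test    # injected: diverts telemetry
192.0.2.10      intranet.corp.test
"""

if __name__ == "__main__":
    for line_no, host, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({verdict})")
```

Run the same check against %SystemRoot%\System32\drivers\etc\hosts on a suspect host; a `redirect` verdict for a vendor domain is a stronger signal than a `sinkhole`, since it implies the name is being steered rather than merely blocked.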