Names | GhostEmperor (Kaspersky) Salt Typhoon (Microsoft) | |
Country | China | |
Motivation | Information theft and espionage | |
First seen | 2020 | |
Description | (Kaspersky) GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020. | |
Observed | Sectors: Government, Telecommunications. Countries: Afghanistan, Egypt, Ethiopia, Indonesia, Malaysia, Thailand, Vietnam and Southeast Asia. | |
Tools used | certutil, Demodex, nbtscan, PsExec, PsList, ProcDump, WinRAR. | |
Operations performed | Late 2023 | The Return of Ghost Emperor’s Demodex <https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/> |
Jul 2024 | Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign <https://thehackernews.com/2024/09/chinese-hackers-infiltrate-us-internet.html> | |
Sep 2024 | AT&T, Verizon reportedly hacked to target US govt wiretapping platform <https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/> | |
Information | <https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/> <https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf> |
Last change to this card: 24 October 2024
Download this actor card in PDF or JSON format
Previous: Gelsemium
Next: GhostNet, Snooping Dragon
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |