Names | Salt Typhoon (Microsoft) GhostEmperor (Kaspersky) UNC2286 (Mandiant) FamousSparrow (ESET) Earth Estries (Trend Micro) |
Country | China |
Sponsor | State-sponsored |
Motivation | Information theft and espionage |
First seen | 2020 |
Description | (Kaspersky) GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020. |
Observed | Sectors: Chemical, Engineering, Government, Hospitality, Technology, Telecommunications, Transportation, NGOs and law firms. Countries: Afghanistan, Brazil, Burkina Faso, Canada, Egypt, Ethiopia, France, Germany, Guatemala, India, Indonesia, Israel, Lithuania, Malaysia, Pakistan, Philippines, Saudi Arabia, Singapore, South Africa, Swaziland, Taiwan, Thailand, Vietnam. |
Tools used | certutil, Cobalt Strike, Crowdoor, Cryptmerlin, Deed RAT, Demodex, FuxosDoor, GHOSTSPIDER, HemiGate, MASOL RAT, Mimikatz, nbtscan, NinjaCopy, PsExec, PsList, ProcDump, SparrowDoor, TrillClient, WinRAR, Zingdoor. |
Operations performed | 2020 | Earth Estries Targets Government, Tech for Cyberespionage <https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html> |
Mar 2021 | FamousSparrow: A suspicious hotel guest <https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/> |
Late 2023 | The Return of Ghost Emperor’s Demodex <https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/> |
Jul 2024 | Chinese Hackers Infiltrate U.S. Internet Providers in Cyber Espionage Campaign <https://thehackernews.com/2024/09/chinese-hackers-infiltrate-us-internet.html> |
Sep 2024 | AT&T, Verizon reportedly hacked to target US govt wiretapping platform <https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/> |
Sep 2024 | T-Mobile confirms it was hacked in recent wave of telecom breaches <https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/> <https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/> |
Dec 2024 | White House links ninth telecom breach to Chinese hackers <https://www.bleepingcomputer.com/news/security/white-house-links-ninth-telecom-breach-to-chinese-hackers/> |
Information | <https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/> <https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf> <https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html> <https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3c1b400> <https://www.politico.com/news/2024/11/06/chinese-hackers-american-cell-phones-00187873> <https://therecord.media/us-agencies-confirm-china-telecom-hack-wiretaps> <https://www.trendmicro.com/en_us/research/24/k/earth-estries.html> <https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure> <https://therecord.media/eight-telcos-breached-salt-typhoon-nsc> <https://therecord.media/salt-typhoon-csrb-review> |