GhostEmperor

GhostEmperor is an advanced attacker originally identified by researchers from Kaspersky in 2021. The group has been observed using advanced malware such as a Windows kernel mode rootkit (Demodex) and sophisticated multi-stage framework for remote access.

GhostEmperor has been observed targeting government and telecommunications entities in South East Asia and beyond.

Kaspersky attribute the group as a Chinese-speaking threat actor.

www.sygnia.co

https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/

media.kasperskycontenthub.com

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf

www.trendmicro.com

https://www.trendmicro.com/en_us/research/24/k/earth-estries.html

learn.microsoft.com

https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming

securelist.com

https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/