ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > GhostEmperor

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: GhostEmperor

NamesGhostEmperor (Kaspersky)
CountryChina China
MotivationInformation theft and espionage
First seen2020
Description(Kaspersky) GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.
ObservedSectors: Government, Telecommunications.
Countries: Southeast Asia.
Tools used
Information<https://usa.kaspersky.com/about/press-releases/2021_ghostemperor-apt-targets-high-profile-victims-using-unknown-rootkit>
<https://securelist.com/apt-trends-report-q2-2021/103517/>

Last change to this card: 09 August 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key