Threat Actor

GhostEmperor

ghostemperor · china · active since 2019

GhostEmperor (canonical Kaspersky GReAT naming per the September 2021 disclosure by Mark Lechtik, Aseel Kayal, Paul Rascagneres and Vasily Berdnikov, published as part of Kaspersky's APT 2021 Q2 Report) is a China-aligned, state-sponsored cyber-espionage cluster publicly active since at least 2019, with the signature mission of intelligence collection from Southeast Asian governmental entities and telecommunications providers.

China attribution operates at strong-indicator level on three grounds:
  • Chinese-speaking operator profile, per Kaspersky.
  • Target selection consistent with PRC regional strategic interests across Southeast Asia, the Middle East and Africa, adjacent to Belt and Road Initiative geopolitical interests.
  • Operational sophistication consistent with state-sponsored offensive cyber capability investment.

Signature tradecraft and targeting:
  • Demodex Windows kernel-mode rootkit, operationally one of the most sophisticated kernel-level offensive cyber capabilities documented for any China-attributed cluster in publicly-tracked industry analysis. It acts covertly to hide malware artifacts (files, registry keys, network traffic) from forensic experts and prevention systems, and it is adapted to work on current Windows 10 operating systems.
  • Cheat Engine, an open-source video-game-cheating tool, repurposed as a component of the Driver Signature Enforcement (DSE) bypass loading scheme: memory is manipulated through Cheat Engine so that kernel-mode code executes while code-signing enforcement is evaded. Operationally distinctive creative repurposing of a legitimate open-source tool for offensive purposes.
  • Third-party signed and benign driver loading scheme enabling kernel-mode execution via documented driver features.
  • Microsoft Exchange vulnerability exploitation as the signature initial access pattern of the Q2 2021 era, operationally consistent with the ProxyLogon-era China-attributed cluster ecosystem (silk_typhoon / Hafnium adjacent, curated separately as silk_typhoon.yaml).
  • Targets include multiple high-profile entities in Malaysia, Thailand, Vietnam and Indonesia (primary), plus additional victims of a similar nature in Egypt, Ethiopia and Afghanistan with strong ties to Southeast Asia.
  • The 2024 Sygnia re-emergence disclosure documented the first confirmed activity since 2021: an updated Demodex variant, a more sophisticated infection chain, reflective loader in-memory execution, EDR evasion and sandbox-analysis impediment.
  • 2022-2023 operational expansion to Middle East government, defense and foreign affairs ministry targeting, and to Africa Belt and Road Initiative-aligned infrastructure project targeting, per Brandefense analysis.
  • Multistage malware for stealth and persistence.
  • Comprehensive EDR (endpoint detection and response) evasion via Demodex kernel-mode access.
  • Sandbox-analysis impediment and forensic-investigation evasion as signature tradecraft.
  • Sustained operational tempo through 2026.

GhostEmperor fills the China-aligned kernel-rootkit specialist cell in the curated corpus as the 34th China-attributed cluster, operationally distinct from the existing 33 China-attributed clusters through its signature kernel-mode rootkit capability.

China confidence: high · 5 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 7

Profile

GhostEmperor (canonical Kaspersky GReAT naming per the September 2021 disclosure) is a China-aligned, state-sponsored cyber-espionage cluster publicly active since at least 2019, with the signature mission of intelligence collection from Southeast Asian government entities and telecommunications providers via its signature Demodex Windows kernel-mode rootkit capability. China attribution operates at strong-indicator level per the Kaspersky GReAT canonical 2021 disclosure, with no formal PRC government attribution, but operational evidence supports China-aligned attribution at high confidence:
  • Chinese-speaking operator profile, per Kaspersky.
  • Target selection consistent with PRC regional strategic interests across Southeast Asia, the Middle East and Africa (adjacent to Belt and Road Initiative geopolitical interests).
  • Operational sophistication consistent with state-sponsored offensive cyber capability investment.

The signature Demodex Windows kernel-mode rootkit is operationally one of the most sophisticated kernel-level capabilities documented for any China-attributed cluster in publicly-tracked industry analysis.

Operational phases:
  (1) OPERATIONAL EMERGENCE (2019). Initial Southeast Asian government espionage-focused intrusions establishing the cluster's operational pattern.
  (2) TELECOM + DIPLOMATIC EXPANSION (2020). Targeting expanded to telecom providers and diplomatic organizations, with stealth malware for long-term access.
  (3) KASPERSKY GREAT CANONICAL DISCLOSURE (September 2021). Per the Kaspersky APT 2021 Q2 Report: signature Demodex Windows kernel-mode rootkit and Microsoft Exchange vulnerability exploitation tradecraft documented. Targets include Malaysia, Thailand, Vietnam and Indonesia (primary) plus Egypt, Ethiopia and Afghanistan (secondary, with Southeast Asia ties).
  (4) MIDDLE EAST EXPANSION (2022). Continued operations against Middle Eastern governments, with defense and foreign affairs ministry targeting.
  (5) AFRICA BELT AND ROAD ERA (2023). Increased Africa activity targeting governments and infrastructure projects aligned with the PRC Belt and Road Initiative.
  (6) SYGNIA RE-EMERGENCE DISCLOSURE (July 2024). First confirmed activity since 2021, documented by Sygnia: updated Demodex variant, more sophisticated infection chain, EDR evasion, sandbox impediment and reflective loader in-memory execution.
  (7) CONTINUED OPERATIONS (2024-2026). Sustained operational tempo through 2026 with evolved Demodex rootkit variants.

Signature operational tradecraft
  • Demodex Windows kernel-mode rootkit (operationally distinctive, cluster-defining): Windows kernel-mode rootkit providing remote control access to compromised servers. Acts covertly to hide malware artifacts (files, registry keys, network traffic) from forensic experts and prevention systems. Adapted to work on current Windows 10 operating systems. Operationally one of the most sophisticated kernel-level offensive cyber capabilities documented in publicly-tracked industry analysis.
  • Cheat Engine open-source tool DSE bypass tradecraft (signature): GhostEmperor uses a loading scheme involving a component of Cheat Engine (open-source video-game-cheating tool) to manipulate memory and execute code, bypassing the Windows Driver Signature Enforcement (DSE) security feature that normally blocks unsigned drivers. Operationally distinctive creative repurposing of legitimate open-source tools for offensive purposes.
  • Third-party signed and benign driver loading scheme (signature): Demodex loads through documented features of a third-party signed and benign driver, operationally enabling kernel-mode execution while evading code-signing enforcement.
  • Microsoft Exchange vulnerability exploitation (signature Q2 2021 era): signature initial access pattern operationally consistent with broader Q2 2021 ProxyLogon-era China-attributed cluster ecosystem (silk_typhoon / Hafnium adjacent).
  • Multistage malware for stealth and persistence: signature deployment pattern leveraging rootkits and advanced tools to maintain foothold in compromised networks.
  • Reflective loader in-memory execution: signature stealth-deployment tradecraft for Demodex loading.
  • Comprehensive EDR (endpoint detection and response) evasion: signature kernel-level EDR bypass capability via Demodex kernel-mode access.
  • Sandbox-analysis impediment + forensic-investigation evasion: signature tradecraft for evading post-compromise investigation.

The cluster fills the China-aligned kernel-rootkit specialist cell in this curated corpus as the 34th China-attributed cluster, operationally distinct from the existing 33 China-attributed clusters through its signature kernel-mode rootkit capability. It is operationally significant for representing the most sophisticated kernel-level offensive cyber capabilities documented for any China-attributed cluster in publicly-tracked industry analysis.

Aliases (5)

ghostemperor, ghost emperor, ghost_emperor, ghostemperor_apt, ghostemperor cluster

Notable Campaigns (9)

  • 2024-2026: Continued Operations Through 2024-2026
  • 2024: Sygnia GhostEmperor Re-Emergence Disclosure (July 2024)
  • 2023: Africa Belt and Road Initiative-Aligned Targeting (2023)
  • 2022: Middle East Government + Defense + Foreign Affairs Targeting Expansion (2022)
  • 2021: Kaspersky GReAT Canonical Disclosure (September 2021)
  • 2021: Demodex Rootkit Driver Signature Enforcement (DSE) Bypass Tradecraft (Signature)
  • 2021: Microsoft Exchange Server Initial Access Era (Q2 2021)
  • 2020: Southeast Asia Telecom + Diplomatic Targeting Expansion (2020)
  • 2019: GhostEmperor Operational Emergence (2019)

Attribution & Reporting

Attributed by
  • Kaspersky GReAT (Mark Lechtik + Aseel Kayal + Paul Rascagneres + Vasily Berdnikov)
  • Sygnia (2024 re-emergence disclosure)
  • Microsoft Threat Intelligence Center
  • Mandiant / Google Threat Intelligence Group
  • Trend Micro
  • Singapore IMDA (Infocomm Media Development Authority, 2024 advisory)
  • CrowdStrike
  • ESET
  • Symantec / Broadcom Threat Hunter Team
  • SOPHOS X-Ops
  • SentinelOne / SentinelLabs
  • Recorded Future
  • Brandefense
Key reporting
  • Kaspersky GReAT (Mark Lechtik + Aseel Kayal + Paul Rascagneres + Vasily Berdnikov): GhostEmperor, From ProxyLogon to kernel mode (Securelist, September 30, 2021), canonical GhostEmperor disclosure
  • Kaspersky APT 2021 Q2 Report: GhostEmperor detailed analysis
  • Kaspersky Press Release: GhostEmperor, Chinese-speaking APT targets high-profile victims using unknown rootkit (September 2021)
  • Sygnia: GhostEmperor Revisited (July 2024), canonical re-emergence disclosure with updated Demodex rootkit variant analysis
  • Singapore IMDA (Infocomm Media Development Authority): GhostEmperor returns with updated Demodex rootkit advisory (2024)
  • Microsoft Threat Intelligence Center: GhostEmperor operational context tracking
  • Mandiant / Google Threat Intelligence Group: GhostEmperor adjacent cluster tracking
  • Trend Micro (Vladimir Kropotov + Robert McArdle): GhostEmperor context analysis
  • Cisco Talos: GhostEmperor operational context
  • ESET / WeLiveSecurity: GhostEmperor Chinese-speaking APT analysis
  • Recorded Future: GhostEmperor China-aligned rootkit cluster tracking
  • CrowdStrike: GhostEmperor Asian government targeting profile
  • SOPHOS X-Ops: GhostEmperor operational profile
  • SentinelLabs: GhostEmperor kernel-rootkit analysis
  • Brandefense: GhostEmperor APT 2025 Profile
  • MITRE ATT&CK Group G1000, GhostEmperor
  • Malpedia Actor Profile: GhostEmperor

Operational

State sponsor

China-aligned state-sponsored cluster; China attribution operates at strong-indicator level per the Kaspersky GReAT canonical 2021 disclosure plus the Sygnia 2024 follow-up. Per Kaspersky GReAT: "GhostEmperor is a Chinese-speaking threat actor that has been discovered by Kaspersky researchers." No formal People's Republic of China government attribution has been issued by major cybersecurity industry analysts or governments, but operational evidence supports China-aligned attribution at high confidence: (a) Chinese-speaking operator profile: per the Kaspersky GReAT canonical 2021 disclosure, "GhostEmperor is a Chinese-speaking threat actor." Operational tradecraft demonstrates Chinese-language operator capabilities consistent with PRC state-aligned cluster patterns. (b) Target selection consistent with PRC strategic interests: signature primary targeting of Southeast Asian governmental entities and telecommunications companies is operationally consistent with PRC regional strategic interests.

Per the Kaspersky 2021 disclosure: documented "multiple high-profile entities targeted in Malaysia, Thailand, Vietnam and Indonesia" plus additional victims of a similar nature in Egypt, Ethiopia and Afghanistan (which were noted to have "strong ties with countries in South East Asia"). The targeting pattern is operationally consistent with PRC Belt and Road Initiative geopolitical interests across the Southeast Asia, Middle East and Africa expansion era. (c) Operational sophistication consistent with state-sponsored capability: per the Kaspersky 2021 disclosure, "The actor demonstrates a high level of sophistication and uses [Demodex kernel-mode rootkit]." Per DarkReading: "The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools." (d) Demodex Windows kernel-mode rootkit capability: operationally the most distinctive attribution signal; kernel-mode rootkit development for current Windows 10 operating systems requires significant offensive cyber capability investment, expert kernel-development engineering capability and patient development time.

Per the Kaspersky GReAT 2021 disclosure: "the attackers conducted the required level of research to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver." The Demodex kernel-mode rootkit operationally places GhostEmperor among the most sophisticated kernel-level offensive cyber capabilities documented in publicly-tracked industry analysis. (e) Microsoft Exchange exploitation tradecraft: operationally consistent with the broader China-attributed APT cluster ecosystem tradecraft circa 2021 (signature ProxyLogon-era exploitation pattern shared with silk_typhoon / Hafnium and adjacent China-attributed clusters). Operational significance: per the Kaspersky GReAT canonical 2021 disclosure, "GhostEmperor stands out because it uses a formerly unknown Windows kernel-mode rootkit." Per Brandefense 2025 analysis: "GhostEmperor represents one of the more sophisticated espionage threats in line with Chinese state goals due to their ability to achieve stealthy persistence at the kernel level." The cluster fills the China-aligned kernel-rootkit specialist cell in this curated corpus, operationally distinct from the 33 other China-attributed clusters through its signature kernel-mode tradecraft.

Motivations
  • china_state_aligned_intelligence_collection
  • southeast_asian_government_intelligence_collection
  • southeast_asian_telecom_provider_intelligence_collection
  • prc_regional_strategic_interest_intelligence
  • belt_and_road_initiative_regional_intelligence
  • kernel_level_persistent_access_for_long_term_intelligence

Detection Blind Spots

60 techniques mapped. Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 (93%)
  • Analytics (MITRE CAR): 30/60 (50%)
  • Runtime / container (Falco): 6/60 (10%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 15/60 (25%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques covered. Runnable Atomic Red Team tests covering this actor’s mapped techniques let you validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 tools mapped.
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Multistage malware for stealth persistence
  • Sandbox analysis impediment
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin