GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.
| Date | Source | Title | Tags |
|---|---|---|---|
| 2024-09-26 | The Wall Street Journal | China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack | GhostEmperor |
| 2024-07-17 | SYGNIA | The Return of Ghost Emperor’s Demodex | GhostEmperor |
| 2023-10-05 | VirusBulletin | Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload | EntryShell, SparrowDoor, Xiangoop |
| 2023-08-29 | Mandiant | Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | GhostEmperor |
| 2022-02-28 | NCSC UK | Malware Analysis Report: SparrowDoor | SparrowDoor, GhostEmperor |
| 2021-09-30 | Kaspersky Labs | GhostEmperor’s infection chain and post-exploitation toolset: technical detail | GhostEmperor |
| 2021-09-30 | Kaspersky | GhostEmperor: From ProxyLogon to kernel mode | GhostEmperor |
| 2021-09-23 | ESET Research | FamousSparrow: A suspicious hotel guest | SparrowDoor, GhostEmperor |