{
	"id": "58131c57-4085-4faf-907f-24105b34f853",
	"created_at": "2026-04-06T00:16:39.872905Z",
	"updated_at": "2026-04-10T03:35:10.564566Z",
	"deleted_at": null,
	"sha1_hash": "294d42c456a41c69c9068df0f5eaffc93b132377",
	"title": "GhostEmperor: Chinese-speaking APT targets high-profile victims using unknown rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55805,
	"plain_text": "GhostEmperor: Chinese-speaking APT targets high-profile victims\r\nusing unknown rootkit\r\nBy Kaspersky\r\nPublished: 2021-07-29 · Archived: 2026-04-05 22:28:13 UTC\r\nAccording to Kaspersky’s quarterly report, the threat landscape saw an increase in attacks against\r\nMicrosoft Exchange servers in Q2 2021. In the latest APT 2021 Report, Kaspersky reveals the details of a\r\nunique long-standing operation, ‘GhostEmperor’, which uses Microsoft Exchange vulnerabilities to target\r\nhigh-profile victims with an advanced toolset and no affinity to any known threat actor.\r\nAdvanced persistent threat (APT) actors are constantly seeking new, more sophisticated ways to perform\r\ntheir attacks. That is why Kaspersky researchers monitor how APT groups refresh and update their\r\ntoolsets. According to Kaspersky’s quarterly report, the threat landscape saw an increase in attacks against\r\nMicrosoft Exchange servers in Q2 2021. In the latest APT 2021 Report, Kaspersky reveals the details of a\r\nunique long-standing operation, ‘GhostEmperor’, which uses Microsoft Exchange vulnerabilities to target\r\nhigh-profile victims with an advanced toolset and no affinity to any known threat actor.\r\nGhostEmperor is a Chinese-speaking threat actor that has been discovered by Kaspersky researchers. It mostly\r\nfocuses on targets in Southeast Asia, including several governmental entities and telecoms companies.\r\nThis actor stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote\r\ncontrol access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and\r\nsecurity solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a\r\nloading scheme involving the component of an open-source project named “Cheat Engine”. This advanced toolset\r\nis unique and Kaspersky researchers see no affinity to already known threat actors. 
Kaspersky experts have\r\nsurmised that this toolset has been in use since at least July 2020.\r\n“As detection and protection techniques evolve, so do APT actors. They typically refresh and update their toolsets.\r\nGhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to\r\nexploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” comments David Emm, security expert at\r\nKaspersky.\r\nBesides the growth of attacks against Microsoft Exchange servers, Kaspersky experts also highlight the following\r\ntrends on the APT landscape in Q2:\r\nThere has been a rise in APT threat actors leveraging exploits to gain an initial foothold in attacked\r\nnetworks – including the zero-days developed by the exploit developer ‘Moses’ and those used in the\r\nPuzzleMaker and Pulse Secure attacks, and the Microsoft Exchange server vulnerabilities.\r\nAPT threat actors continue to invest in refreshing their toolsets: this includes not only the inclusion of new\r\nplatforms but also the use of additional languages, as seen by WildPressure’s macOS-supported Python\r\nmalware.\r\nWhile some of the supply-chain attacks were major and have attracted worldwide attention, Kaspersky\r\nexperts also observed equally successful low-tech attacks, such as BountyGlad, CoughingDown, and the\r\nattack targeting Codecov, which signaled that low-key campaigns still represent a significant threat to\r\nsecurity.\r\nTo learn more about GhostEmperor and other significant discoveries of the quarter, read the APT trends report Q2\r\n2021 on Securelist. 
The report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports,\r\nwhich also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware\r\nhunting. For more information, please contact: intelreports@kaspersky.com\r\nIn order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky\r\nresearchers recommend implementing the following measures:\r\nProvide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence\r\nPortal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by\r\nKaspersky spanning over 20 years. Free access to its curated features, which allow users to check files, URLs,\r\nand IP addresses, is available here.\r\nUpskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training\r\ndeveloped by GReAT experts.\r\nFor endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions\r\nsuch as Kaspersky Endpoint Detection and Response.\r\nIn addition to adopting essential endpoint protection, implement a corporate-grade security solution that\r\ndetects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack\r\nPlatform.\r\nAs many targeted attacks start with phishing or other social engineering techniques, introduce security\r\nawareness training and teach practical skills to your team – for example, through the Kaspersky Automated\r\nSecurity Awareness Platform.\r\nAbout Kaspersky\r\nKaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat\r\nintelligence and security expertise is constantly transforming into innovative security solutions and services to\r\nprotect businesses, critical infrastructure, governments and consumers around the globe. 
The company’s\r\ncomprehensive security portfolio includes leading endpoint protection and a number of specialized security\r\nsolutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by\r\nKaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at\r\nwww.kaspersky.com.\r\nSource: https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit"
	],
	"report_names": [
		"2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ef437d-e8fa-4250-9a99-89a403035ad2",
			"created_at": "2022-10-25T16:07:24.406019Z",
			"updated_at": "2026-04-10T02:00:04.977275Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [
				"WilePressure"
			],
			"source_name": "ETDA:WildPressure",
			"tools": [
				"Milum"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "115ee14e-a122-47a4-bef7-5d3668cda109",
			"created_at": "2025-01-10T02:00:03.15179Z",
			"updated_at": "2026-04-10T02:00:03.800179Z",
			"deleted_at": null,
			"main_name": "CoughingDown",
			"aliases": [],
			"source_name": "MISPGALAXY:CoughingDown",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c652e4b-2f17-4e18-bd05-af12c27e76fb",
			"created_at": "2023-11-30T02:00:07.302263Z",
			"updated_at": "2026-04-10T02:00:03.485667Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [],
			"source_name": "MISPGALAXY:WildPressure",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/294d42c456a41c69c9068df0f5eaffc93b132377.pdf",
		"text": "https://archive.orkl.eu/294d42c456a41c69c9068df0f5eaffc93b132377.txt",
		"img": "https://archive.orkl.eu/294d42c456a41c69c9068df0f5eaffc93b132377.jpg"
	}
}