{
	"id": "d58a105e-2dc4-4fb1-80bd-315572770d5c",
	"created_at": "2026-04-06T00:08:25.106475Z",
	"updated_at": "2026-04-10T03:34:28.212847Z",
	"deleted_at": null,
	"sha1_hash": "d641d55561a0f4f518a337bfecfb6070c3513bb2",
	"title": "The Return of Ghost Emperor’s Demodex",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1206765,
	"plain_text": "The Return of Ghost Emperor’s Demodex\r\nBy Sygnia\r\nPublished: 2024-07-17 · Archived: 2026-04-02 11:02:23 UTC\r\nA Comprehensive Look at the Updated Infection Chain of Ghost Emperor’s Demodex Rootkit.\r\nExecutive Summary\r\nIn late 2023, Sygnia’s Incident Response team was engaged by a client whose network was compromised and was leveraged to penetrate the network of one of its business partners.\r\nDuring the investigation, several servers, workstations, and users were found to be compromised by a threat actor who deployed various tools to communicate with a set of C2 servers.\r\nOne of these tools was identified as a variant of Demodex, a rootkit previously associated with the threat group known as GhostEmperor.\r\nGhostEmperor is a sophisticated China-nexus threat group known to target mostly South-East Asian telecommunication and government entities, first disclosed by Kaspersky in a blog published in September 2021.\r\nGhostEmperor employs multi-stage malware to achieve stealthy execution and persistence and utilizes several methods to impede the analysis process.\r\nUsually, once the threat group gains initial access to the victim’s network by using vulnerabilities such as ProxyLogon, a batch file is executed to initiate the infection chain.\r\nIn this blog we describe a new infection chain deployed by GhostEmperor, which includes several loading schemes and various obfuscation techniques utilized by the threat group.\r\nIntroduction\r\nDuring Sygnia’s analysis of the forensic findings extracted from the victim’s environment, the team found a strong resemblance to the multi-stage tool described in Kaspersky’s blog from 2021. However, our investigation yielded some alterations in the infection chain and a slightly different C++ DLL variant.\r\nAmong these alterations, the variant we analyzed incorporates an EDR evasion technique and uses a reflective loader to execute the Core-Implant. 
Additionally, we identified the use of different file names and registry keys.\r\nThe variant we encountered appears to have been compiled in July 2021, suggesting it might be a more recent version than the one originally analyzed by Kaspersky.\r\nThis blog post focuses on the key differences we identified and analyzed in the infection chain and the loading scheme operations.\r\nhttps://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/\r\nPage 1 of 12\n\nNew Infection Chain Flow Graph\r\nInfection Chain: Process Tree Overview\r\nWMIExec\r\nWMIExec is a command-line tool used for executing commands on remote Windows systems through Windows Management Instrumentation (WMI).\r\nIt is part of the Impacket toolkit, an open-source collection of Python modules for programmatically constructing and manipulating network protocols, which is commonly used by threat actors and red teams.\r\nDuring our investigation, we observed that the threat actor used this tool to run a batch file, initiating the infection chain on the victim’s compromised machine. The output logs were saved to a file located at c:\\windows\\temp using a local SMB path. The following command was executed:\r\ncmd.exe /Q /c c:\\windows\\vss\\1.bat \u003e \\\\127.0.0.1\\C$\\Windows\\Temp\\[generated_string] 2\u003e\u00261\r\nSnippet showcasing the WMIExec command being executed on a victim machine with batch script ‘1.bat’\r\nBatch File\r\nThe batch file starts the infection by installing the malware and establishing persistence through the following actions:\r\nIt starts by dropping a CAB file named “1.cab” to C:\\Windows\\Web. 
CAB is a compressed archive format commonly utilized in Windows to bundle multiple files.\r\nThe batch file then uses expand.exe, a native Windows tool used for extracting files from compressed Cabinet files (.cab), to extract these four files:\r\nprints1m.dll – Service DLL.\r\nService.ps1 – encrypted PowerShell script.\r\nconfig.REG – registry dump of the AES decryption key.\r\nAesedMemoryBinX64.REG – registry dump of the AES-encrypted shellcode containing the Core-Implant.\r\nNext, the batch file imports the two registry files using the reg.exe import [file] command to set two registry keys with encrypted values, which will be used later to execute the next stage.\r\nSnippet from Registry Explorer showcasing the embedded payload stored in the registry value ‘inputlog’.\r\nThe threat actor employs several LOLBins such as reg.exe and expand.exe within the batch file to achieve stealthiness, as they are legitimate, signed Microsoft built-in tools which do not arouse any suspicion.\r\nThe batch file proceeds to execute an encrypted PowerShell script, passing a decryption key as a parameter. This script contains an encrypted blob, which, once decrypted using the provided key, reveals another PowerShell script that is then executed.\r\nA command line executing the PowerShell script and the decryption argument\r\nPowerShell script\r\nThe decrypted PowerShell script creates a new service named “WdiSystem” that loads the malicious Service DLL (prints1m.dll). It also creates a service group called “WdiSystemhost” and runs the malicious service within this group. 
By running the malicious service within the context of the “WdiSystemhost” service group, the threat actor masquerades the malware’s execution as a legitimate Windows system process, as it resembles the authentic and legitimate WdiSystemHost (“Windows Diagnostic System Host”) service.\r\nRogue “WdiSystemhost” service in process list\r\nTo accomplish this technique, the script carries out the following steps:\r\nCreates a service by invoking the New-Service PowerShell command with svchost.exe as the binary path of the service.\r\nCreates a service group named “WdiSystemhost” by adding a new registry key under HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost:\r\nRegistry view of service groups managed by svchost\r\nThe lowercase “host” in the name suggests it is a rogue version. The original name is “WdiSystemHost”.\r\nWires the malicious service DLL (prints1m.dll) to the service by setting a “ServiceDll” registry value, with the DLL’s path as its data, under HKLM:\\SYSTEM\\CurrentControlSet\\Services\\WdiSystem\\Parameters.\r\nRegistry view of the key that dictates the DLL associated with the malware’s service.\r\nRuns the service by invoking the Start-Service PowerShell command.\r\nLaunches the malicious service DLL (prints1m.dll) as a service which is executed within the service group.\r\nThe PowerShell script after decryption\r\nPrints1m.dll – Service DLL\r\nThis Service DLL dynamically resolves all of the functions it requires for operation by navigating through an internal OS structure named the Process Environment Block (PEB), which lists the libraries already loaded in the process.\r\nThe Kernel32 library, loaded by default in every process, is used by the malware to access the LoadLibraryA function, which is responsible for loading DLLs into the 
process.\r\nSubsequently, an encrypted configuration located in the DLL’s data section (offset 0x4050) is decrypted using a custom decryption scheme. The configuration contains the following parameters:\r\nInitial sleep time.\r\nRegistry paths of the shellcode location (which was established by the batch file).\r\nA list of module and function names required for operation (offset 0x45F0).\r\nThe service uses this list to build an in-memory Import Address Table, loading the modules it requires using the LoadLibraryA function and traversing each module’s export table to obtain the necessary functions.\r\nPart of the service’s code to dynamically load necessary functions\r\nMemory view of the decrypted configuration, showing the list of functions\r\nMemory view of the decrypted configuration, showing the path of the encrypted shellcode\r\nAfter setting up an anti-hooking technique (described in the next section), the service initiates the next stage by spawning a new thread. The thread sleeps for 15 seconds before attempting to decrypt and execute the next stage, which is retrieved from the registry keys set by the batch file. 
In case of failure, it retries at intervals of 30 to 60 seconds until successful execution is achieved.\r\nSnippet of code showing the decryption loop\r\nEDR Evasion and Anti-User-Mode Hooking Technique\r\nAntivirus and EDR solutions typically inject DLLs into the address space of running applications to facilitate user-mode hooking, thus identifying and preventing malicious activity within the processes.\r\nDuring our investigation we observed that the threat actor added an evasion technique to the Service DLL by setting a specific mitigation policy on the process:\r\nCalling SetProcessMitigationPolicy with ProcessSignaturePolicy as the parameter to set the mitigation policy\r\nMitigation policies, such as ASLR, DEP and CFG, are security measures implemented by the OS to mitigate attacks and vulnerabilities such as buffer overflows and code injection. Some of these mitigation policies are enabled in the process by default. In our investigation, the threat actor set up a particular mitigation named “ProcessSignaturePolicy” which forbids loading DLLs that are not signed by Microsoft into the process.\r\nThis means that any security solution trying to inject a DLL not signed by Microsoft will fail to do so. 
This technique helps circumvent analysis tools by limiting user-mode hooking.\r\nService’s mitigation policies\r\nThe fact that many antivirus vendors employ DLLs with a legitimate Microsoft signature, and that some security solutions inject their DLLs prior to the invocation of SetProcessMitigationPolicy, limits the effectiveness of this method.\r\nShellcode and Reflective loader\r\nThe Service DLL reads two encrypted registry values that were set by the batch file:\r\n“AKey” – an AES decryption key.\r\n“inputlog” – AES-encrypted shellcode containing the Core-Implant.\r\nSnippet from sandbox execution of the threat actor’s malicious service showing the read activity performed by the service on the two registry values\r\nThe service employs the AES algorithm to decrypt the encrypted shellcode retrieved from the “inputlog” registry value. It takes the decryption key from the “AKey” value and uses a null byte array as the Initialization Vector (IV).\r\nThe decrypted blob consists of position-independent shellcode functioning as a reflective loader, alongside a corrupted Portable Executable (PE) file positioned at offset 0x4000. Certain headers within the PE file have been deliberately stripped to enhance resistance to analysis and detection. 
Specifically, the “MZ” and “PE” header signatures have been nullified, and the DOS stub has been removed.\r\nJump/trampoline at the start of the shellcode\r\nCorrupted PE file located at offset 0x4000\r\nThe shellcode loads the Core-Implant DLL using a reflective loader which performs the following steps:\r\nAllocates memory for the Core-Implant DLL.\r\nParses the custom PE headers of the Core-Implant.\r\nMoves each section to its proper location in the allocated memory.\r\nCode snippet parsing DLL sections and relocating them to the appropriate memory locations\r\nApplies base relocations to the code and data sections to match the new base address.\r\nResolves the import table.\r\nSets proper memory protections for each section.\r\nCode snippet applying correct protections for each section\r\nExecutes the now-ready Core-Implant by calling its entry point.\r\nCore-Implant\r\nThe Core-Implant handles two main tasks – managing Command and Control (C2) communication and installing the Demodex kernel rootkit. To load Demodex, the threat actor had to bypass the Driver Signature Enforcement (DSE) security feature, which blocks unsigned drivers.\r\nTo do that, the threat actor leveraged “Cheat Engine”, an open-source tool used for video game cheating, and utilized its signed driver, dbk64.sys, to manipulate memory and execute code in kernel space. The threat actor used this driver to map and execute shellcode in kernel space which patches the IOCTL dispatcher of the dbk64.sys driver. This modification adds functionality to the driver that enables it to load the Demodex driver.\r\nAn analysis of the Core-Implant’s metadata shows that the threat actor modified the compilation and export-table timestamps of the Core-Implant to 12 Feb 2016. 
However, the timestamp of the debug section is set to 02 July 2021, which might indicate that this is the actual time this implant was created.\r\nCore-Implant’s timestamps retrieved from PE Studio\r\nAppendix – IOC\r\nDescription Hash\r\nService DLL – prints1m.dll\r\nMD5: 4bb191c6d3a234743ace703d7d518f8f\r\nSHA1: 43f1c44fa14f9ce2c0ba9451de2f7d3dd1a208de\r\nPowerShell script – service.ps1\r\nMD5: 95e3312de43c1da4cc3be8fa47ab9fa4\r\nSHA1: a59cca28205eeb94c331010060f86ad2f3d41882\r\nCheat Engine driver – dbk64.sys\r\nMD5: d8ebfd26bed0155e7c4ec2ca429c871d\r\nSHA1: bab2ae2788dee2c41065850b2877202e57369f37\r\nC2 Domain imap.dateupdata[.]com\r\nC2 IP 193.239.86.168\r\nSource: https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/"
	],
	"report_names": [
		"ghost-emperor-demodex-rootkit"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d641d55561a0f4f518a337bfecfb6070c3513bb2.pdf",
		"text": "https://archive.orkl.eu/d641d55561a0f4f518a337bfecfb6070c3513bb2.txt",
		"img": "https://archive.orkl.eu/d641d55561a0f4f518a337bfecfb6070c3513bb2.jpg"
	}
}