GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.
Also known as
FamousSparrow, UNC2286, Salt Typhoon, RedMike, OPERATOR PANDA.
Actor metadata imported from Malpedia (Fraunhofer FKIE).