GhostEmperor
GhostEmperor [aka: FamousSparrow, Salt Typhoon, UNC2286] is a sophisticated China-nexus threat group known to target mostly South-East Asian telecommunication and government entities. GhostEmperor employs multi-stage malware to achieve stealthy execution and persistence, and uses several methods to impede the analysis process. Usually, once the threat group has gained initial access to the victim's network by exploiting vulnerabilities such as ProxyLogon, a batch file is executed to initiate the infection chain.
Ghost Sovereign, in fandom gaming, also known as Lord of Ghost Dao, is the Emperor of the Ghost World, a world similar to the Immortal World. He lays the Ghost Emperor Seal on talented powerhouses and, when they are powerful enough, calls them to the Ghost World and absorbs them into his main body. The Ghost Emperor is a fictional character in the Pili Puppet Show. The Demon Realm Ghost Emperor is the overlord of the Second Demon Realm. He is arrogant, irritable, short-sighted and intolerant, and lacks wisdom, tolerance and skill. Even though his subordinates are talented and powerful, he is still a powerful person himself.
In ancient Chinese legends, the Fengdu Emperor holds the highest position among the gods of the underworld and is in charge of all ghosts there. All living beings are cast into hell after death, and their souls fall under the jurisdiction of the Fengdu Emperor, who decides the life and death of ghosts and punishes them according to the sins they committed during their lifetime.
Ge Hong recorded the "Five Ghost Emperors" in "Records of the Immortals of Yuanshi Shangzhen" and "The Pillow Book". The text states: the Eastern Ghost Emperor rules Taozhi Mountain, the Southern Ghost Emperor rules Luofu Mountain, the Western Ghost Emperor rules Fanzhong Mountain, the Central Ghost Emperor rules Baodui Mountain, and the Northern Ghost Emperors are Zhang Heng and Yang Yun, who rule Luofeng Mountain.
GhostEmperor was initially identified by Kaspersky Lab in September 2021. Given its long-standing operation, high-profile victims, advanced toolset and lack of affinity to any known threat actor, Kaspersky decided to dub the underlying cluster GhostEmperor. The investigation into this activity indicated that the underlying actor is highly skilled and accomplished in their craft, both of which were evident in the use of a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques.
The underlying actor managed to remain under the radar for months, all the while demonstrating finesse in developing the malicious toolkit, a profound understanding of an investigator's mindset and the ability to counter forensic analysis in various ways. Additionally, while rootkits are generally considered a deprecated method of attack, this case and other recent ones show that with a creative approach they can still be leveraged to gain a considerable level of stealth. The attackers conducted the research required to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver. This suggests that rootkits still need to be taken into account as a TTP during investigations, and that advanced threat actors such as the one behind GhostEmperor are willing to continue making use of them in future campaigns.
Kaspersky attributed this activity to a previously unknown Chinese-speaking threat actor. This is because the attackers made use of open-source tools such as Ladon or Mimikat_ssp that are popular among such actors, and because of additional data points such as version info found within the resource section of second-stage loader binaries, which included a legal trademark field containing a Chinese character.
WMIExec is a command-line tool for executing commands on remote Windows systems through Windows Management Instrumentation (WMI). It is part of the Impacket toolkit, an open-source collection of Python modules for programmatically constructing and manipulating network protocols, which is commonly used by both threat actors and red teams.
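Remote execution through WMI leaves a recognisable host-side trace: the command shell is spawned by the WMI provider host (WmiPrvSE.exe), and Impacket's wmiexec.py additionally redirects command output to a file on the local ADMIN$ share so it can be read back over SMB. The following detector, added here as an illustration and not code from the page or from Impacket, scores Sysmon-style process-creation events for that pattern; the event format (one `key=value` line per event) and the sample lines are constructed for the demo.

```python
"""Flag process-creation events consistent with WMI-based remote execution.

Added example; assumes Sysmon Event ID 1 records flattened to one
'key=value ...' line per event. All sample events below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real events from any investigation).
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1 "
    "User=CORP\\svc-admin",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe "
    "ParentImage=C:\\Windows\\explorer.exe CommandLine=cmd.exe /c dir User=CORP\\alice",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "CommandLine=powershell.exe -nop -w hidden User=CORP\\bob",
]

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Output redirected to the ADMIN$ share via loopback, as wmiexec.py does by default.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened event into fields; values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in re.split(r"\s+(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def score_event(ev: Dict[str, str]) -> Tuple[int, str]:
    """Return (score, reason); 0 means the event is not of interest."""
    if ev.get("EventID") != "1":
        return 0, ""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if not parent.endswith("\\wmiprvse.exe") or not image.endswith(SHELLS):
        return 0, ""
    score, reasons = 50, ["shell spawned by WmiPrvSE.exe"]
    if ADMIN_SHARE_REDIRECT.search(ev.get("CommandLine", "")):
        score += 40
        reasons.append("output redirected to ADMIN$ share (wmiexec.py style)")
    return score, "; ".join(reasons)


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run the scorer over raw event lines and keep only the hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, why = score_event(ev)
        if score:
            hits.append({"user": ev.get("User"), "score": score,
                         "why": why, "cmd": ev.get("CommandLine")})
    return hits
```

Legitimate WMI-driven automation can also spawn shells under WmiPrvSE.exe, so the lower-scored hits should be baselined per environment before alerting on them.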
Amir Sadon, Sygnia’s director of incident response research, told Recorded Future News the company was unsure why there had been no public reporting on GhostEmperor’s activities in the intervening period. “I would honestly say we don’t know. Part of the reason we have decided to make this public is that we would like to know what has changed, and what was the reason for this gap — whether it’s a result of a lack of activity or a result of a lack of visibility,” said Sadon, hoping that the intelligence the company was sharing would drive further public reporting.
Azeem Aleem, Sygnia's managing director, told Recorded Future News that the group had matured since Kaspersky's initial report in terms of the "pretty sophisticated" way the rootkit evaded EDR protections, and stressed that the supply-chain aspects of the attack on Sygnia's client were a significant matter of concern. "We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment," said Aleem.