The “GhostEmperor” threat group, connected to China, is back, targeting governments and telcos

GhostEmperor, a Chinese cyberespionage group, has resurfaced after going quiet in 2021. The group, known for targeting governments and telcos, has brought back its evasion techniques and continues to run persistent intrusions.

Sygnia engaged the attacker on July 17 while protecting a compromised client’s network; the attacker had also breached one of the victim’s partners. Researchers found the attacker using familiar tooling, including a variant of the Demodex rootkit that the Chinese threat group GhostEmperor deployed in 2021.

GhostEmperor Attribution & Advanced Techniques

Sygnia’s digital forensics team reports that GhostEmperor compromised workstations, servers, and user accounts at an undisclosed company, installed tools and malware payloads, and opened a communication channel between the compromised resources and attacker-controlled command-and-control (C2) servers.

Based on their investigation and the forensic evidence, Sygnia’s experts are convinced that GhostEmperor carried out the attack. While they acknowledge that attribution is difficult and never 100% certain, they told Techopedia that all operational and technical indicators point to the Chinese threat group.

Why Are GhostEmperor Back, and Where Did They Go?

Techopedia asked Sadon and Nizar from Sygnia about GhostEmperor’s disappearance and return. They said the incident alone does not explain it, but suggested the group may have kept operating since 2021 while staying under security vendors’ radar, and may have suspended its use of Demodex during that time.

GhostEmperor’s activity was publicly exposed in July 2021, and the rootkit variant found in this incident was compiled that same year. That the group still operates a kernel rootkit marks it as highly dangerous in a cybercriminal landscape dominated by fileless attacks, credential stuffing, and social engineering.

GhostEmperor is a sophisticated, well-established, and continually updated threat: it does not merely steal credentials and exfiltrate data, but remains capable of breaching Windows systems going forward.

What the Tech of GhostEmperor Says About the Organization and Its Members

GhostEmperor, a Chinese threat actor, demonstrates a high level of technical skill and experience, as shown by its use of WMIExec, a command-line tool for executing commands remotely on Windows systems.

WMIExec is a Python module in the Impacket toolkit, used by penetration testers and security teams for working with network protocols. GhostEmperor uses complex payload delivery and auto-installation methods, including registry imports, blocking of user-mode hooking, and evasion of EDR detection.

Target, Region, and Long-Term Persistence Espionage Profiles

Sygnia researchers revealed that the Demodex infection chain had started in the client’s environment six months before their engagement, indicating a persistent intrusion lasting months to a year.

Chinese state-sponsored groups have successfully breached U.S. infrastructure over the past five years, in line with their cyberespionage record. Techopedia asked whether GhostEmperor’s focus had shifted from Southeast Asian governments and telcos to other regions and sectors.

The experts advise against sharing sector-specific information or customer identities in order to preserve privacy. The publication instead aims to improve vendors’ and security researchers’ understanding of the specific actions and techniques involved.

Strategies for Mitigation Against EDR Bypassing Methods

Sygnia researchers found that ProcessSignaturePolicy is an effective EDR evasion method: it blocks user-mode hooking by preventing any DLL not signed by Microsoft from loading into the process, which keeps EDR hook libraries out.
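Because a process that enforces Microsoft-signed-only DLL loading will silently reject an EDR’s user-mode hook library, one defensive check is to audit which running processes have that policy set and flag any that are not on a known baseline. The following is an added example, not Sygnia’s code or tooling: the decoding and triage logic runs anywhere, the live query uses the Win32 GetProcessMitigationPolicy API and needs Windows, and the baseline list and sample snapshot are constructed for illustration.

```python
"""Audit running processes for ProcessSignaturePolicy (Microsoft-signed-only DLL loading)."""
import ctypes
import sys

PROCESS_SIGNATURE_POLICY = 8            # PROCESS_MITIGATION_POLICY.ProcessSignaturePolicy
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
# Bit layout of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags (winnt.h).
SIG_FLAGS = {0: "MicrosoftSignedOnly", 1: "StoreSignedOnly", 2: "MitigationOptIn",
             3: "AuditMicrosoftSignedOnly", 4: "AuditStoreSignedOnly"}

def decode_signature_policy(flags):
    """Names of the bits set in a signature-policy Flags value."""
    return [name for bit, name in SIG_FLAGS.items() if (flags >> bit) & 1]

def find_unexpected_enforcers(processes, baseline_names):
    """processes: iterable of (pid, image_name, flags). Returns (pid, image_name) for
    processes that block non-Microsoft DLLs (so an EDR hook DLL cannot load) but are
    not on the baseline of images known to opt in. Audit-only bits do not block."""
    baseline = {n.lower() for n in baseline_names}
    return [(pid, name) for pid, name, flags in processes
            if "MicrosoftSignedOnly" in decode_signature_policy(flags)
            and name.lower() not in baseline]

def query_live_processes():
    """Windows only: yield (pid, image_name, flags) for each process we can open."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    pids, needed = (ctypes.c_uint32 * 4096)(), ctypes.c_uint32()
    if not k32.K32EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
        return
    for pid in pids[: needed.value // 4]:
        h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if not h:
            continue                     # protected or system process: skip, do not fail
        flags, path, size = ctypes.c_uint32(), ctypes.create_unicode_buffer(260), ctypes.c_uint32(260)
        if (k32.GetProcessMitigationPolicy(h, PROCESS_SIGNATURE_POLICY, ctypes.byref(flags), ctypes.c_size_t(4))
                and k32.QueryFullProcessImageNameW(h, 0, path, ctypes.byref(size))):
            yield pid, path.value.rsplit("\\", 1)[-1], flags.value
        k32.CloseHandle(h)

# Constructed sample snapshot (not real telemetry) and a hypothetical per-host baseline.
SAMPLE_PROCESSES = [(1234, "msedge.exe", 0b00001),    # opts in and is on the baseline
                    (2048, "svchost.exe", 0b00000),   # no signature policy set
                    (3101, "updater.exe", 0b00101),   # enforces, not on baseline: investigate
                    (4420, "notepad.exe", 0b01000)]   # audit-only: does not block loading
BASELINE = ["msedge.exe", "chrome.exe", "firefox.exe"]

if __name__ == "__main__":
    snapshot = list(query_live_processes()) if sys.platform == "win32" else SAMPLE_PROCESSES
    for pid, name in find_unexpected_enforcers(snapshot, BASELINE):
        print(f"pid {pid} {name}: MicrosoftSignedOnly enforced outside baseline")
```

Run it as an administrator so that more processes can be opened; an image enforcing the policy that your baseline does not explain is a hunting lead, not proof of compromise.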

Sygnia researchers also describe an early process execution technique that runs attacker code before the EDR’s user-mode components are in place. It is effective against EDRs that rely on user-mode monitoring, less effective against kernel-mode components, and may itself be flagged as suspicious behavior by modern EDRs.

The Bottom Line

GhostEmperor, a Chinese cyberespionage group targeting Southeast Asian governments and telecommunications companies, has re-emerged after three years, using advanced evasion techniques and multi-stage malware.

GhostEmperor’s return underscores the need for robust security measures, including endpoint detection and response solutions, to counter the stealthy activity of advanced persistent threat (APT) groups.
