Researchers reveal details of actor targeting Southeast Asian countries
Researchers have released details of what they claim to be a Chinese-speaking nation-state actor that has been targeting a number of Southeast Asian countries for more than a year, using vulnerabilities in Microsoft Exchange as an entry point. The campaign has been given the name GhostEmperor.
Kaspersky’s Mark Lechtik, Aseel Kayal, Paul Rascagneres and Vasily Berdnikov wrote in a long blog post – which also included a separate list of technical details – that the actor used a rootkit which had been adapted to run on Windows 10. The rootkit was named Demodex.
This was loaded using the kernel-mode component of an open source project known as Cheat Engine, so as not to be blocked by Windows Driver Signature Enforcement, a security safeguard put in place by Microsoft.
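The technique described above relies on a legitimately signed third-party kernel driver to get unsigned code into the kernel, so the driver itself passes Driver Signature Enforcement. A defender's first triage step is therefore to list which running kernel drivers are not signed by Microsoft. The PowerShell below is an added example for that check; it is not code from the article or from Kaspersky, and the filtering on the signer's subject string is an assumption that Microsoft-signed drivers carry "O=Microsoft Corporation" in the certificate subject:

```powershell
# Added example (not from the article or Kaspersky's research): enumerate running
# kernel drivers and report those whose on-disk image is unsigned, has an invalid
# signature, or is signed by a non-Microsoft publisher. This is a triage list for
# an analyst to review, not proof of compromise; vendor drivers are often legitimate.
function Get-NonMicrosoftDriver {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may carry a \??\ or \SystemRoot\ prefix or quotes; normalise
        # it to a plain file path before checking the signature.
        $path = $d.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

        # Assumption: Microsoft-signed drivers carry this organisation in the subject.
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Name   = $d.Name
                Path   = $path
                Status = $sig.Status
                Signer = $signer
            }
        }
    }
}

Get-NonMicrosoftDriver | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every driver image is readable. Many Microsoft inbox drivers are catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature resolves catalog signatures on supported Windows versions, but any driver reported as NotSigned should be cross-checked against the catalog (for example with sigcheck) before being treated as suspicious.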
The research is not completely new, as Kaspersky announced some basic details back in July. The expanded version was presented at the company’s annual Security Analyst Summit, held this week.
The four researchers said attacks were seen as early as July 2020. Among the countries targeted were Vietnam, Malaysia, Thailand and Indonesia.
Also on the list of targets were organizations in Egypt, Ethiopia and Afghanistan, some of them with close ties to countries in Southeast Asia.
“This means that attackers could have exploited these infections to spy on activities in countries of geopolitical interest to them,” the researchers wrote.
GhostEmperor mainly used hosting services based in Hong Kong and South Korea, such as Daou Technology or Anchent Asia.
The researchers gave as the reason for their attribution the attackers’ use of open source tools such as Ladon or Mimikat_ssp, which are popular among these actors.
Additional data points, such as the version information found in the resources section of the second-stage loader binaries, included a legal trademark field with a Chinese character: “Windows 庐 is a registered trademark of Microsoft Corporation”, they said.
Additionally, some similarities were noticed between Demodex and the Derusbi Toolkit which was also used by Chinese speaking actors.
“GhostEmperor is an example of an advanced threat actor who pursues important targets and aims to maintain a long-standing and persistent operation in their environments,” wrote Lechtik, Kayal, Rascagneres and Berdnikov.
“We observed that the underlying actor managed to stay under the radar for months, while still showing finesse when it came to developing the malicious toolkit, a deep understanding of the mindset of an investigator and the ability to counter forensic analysis in a variety of ways.”