GhostEmperor

Also known as: FamousSparrow · UNC2286 · Salt Typhoon · RedMike · OPERATOR PANDA · GhostEmperor

Origin: CN
Known aliases: 6

Profile

GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.



Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.