GhostEmperor APT (also tracked as GhostEmperor; partial overlap with Salt Typhoon) is a state-sponsored advanced persistent threat group attributed to China and active since 2020. The group primarily targets the telecom and government sectors in Southeast Asia and the Middle East.
Overview & Attribution
A highly sophisticated Chinese APT that deploys kernel-level rootkits and advanced anti-forensic techniques to maintain persistent access in telecom and government networks.
GhostEmperor APT has been active since 2020 and is attributed to China. The group is known for targeting telecom and government organizations in Southeast Asia and the Middle East using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: China
- Active since: 2020
- Primary targets: telecom and government sectors in Southeast Asia and the Middle East
- Also known as: GhostEmperor; partial overlap with Salt Typhoon
Arsenal & Tools
GhostEmperor APT employs a diverse arsenal of custom and shared tooling:
- Demodex rootkit: Custom kernel-mode rootkit used for stealth and persistence (see T1014 and T1547.006 in the ATT&CK mapping below)
- Custom kernel drivers: Bespoke drivers supporting the group's kernel-level stealth and anti-forensic techniques
Targeting & Operations
The group focuses on the telecom and government sectors in Southeast Asia and the Middle East, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
GhostEmperor APT is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Execution | T1059.001 PowerShell | Post-exploitation |
| Persistence | T1547.006 Kernel Modules | Demodex kernel rootkit |
| Defense Evasion | T1014 Rootkit | Kernel-mode stealth |
| Defense Evasion | T1562.001 Disable Security Tools | Security product evasion |
| Lateral Movement | T1210 Exploitation of Remote Services | Network exploitation |
| C2 | T1573.001 Encrypted Channel | Encrypted C2 |
Notable Campaigns
GhostEmperor APT has been linked to multiple significant campaigns targeting telecom and government organizations in Southeast Asia and the Middle East. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known GhostEmperor APT IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with Demodex rootkit and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known GhostEmperor APT TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
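The endpoint-detection and rootkit-related items above can be turned into concrete triage logic. The following is an added example, not Mjolnir Security's tooling, that scans constructed Sysmon-style events (Event ID 6 DriverLoad and Event ID 1 ProcessCreate, exported as JSON lines) for two of the behaviours in the ATT&CK mapping: kernel drivers that are unsigned or loaded from outside the usual driver directories (T1014 / T1547.006), and PowerShell launched with an encoded command (T1059.001). The trusted directory list, field names and sample records are assumptions for illustration, and the encoded payload simply decodes to the word "Placeholder".

```python
"""Added example: triage of constructed Sysmon-style events for kernel-driver
and PowerShell behaviours from the ATT&CK mapping. Field names mirror Sysmon
Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate) as exported to JSON
lines; the sample events below are constructed, not real telemetry."""
import json
import re
from pathlib import PureWindowsPath

# Directories from which legitimately installed drivers are normally loaded.
# Assumption for this example: anything outside these deserves a second look.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# PowerShell switches that deliver a base64-encoded script body (T1059.001).
ENCODED_PS_SWITCH = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")


def driver_alerts(event: dict) -> list:
    """Return alert dicts for a Sysmon Event ID 6 (DriverLoad) record."""
    alerts = []
    image = event.get("ImageLoaded", "")
    parent = str(PureWindowsPath(image).parent).lower()
    signed = event.get("Signed", "").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    # A kernel driver without a valid signature is the classic rootkit tell.
    if not (signed and valid):
        alerts.append({"technique": "T1014",
                       "reason": "kernel driver without valid signature",
                       "image": image})
    # Drivers staged outside the driver store are a persistence red flag.
    if not any(parent.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        alerts.append({"technique": "T1547.006",
                       "reason": "kernel driver loaded from unusual path",
                       "image": image})
    return alerts


def process_alerts(event: dict) -> list:
    """Return alert dicts for a Sysmon Event ID 1 (ProcessCreate) record."""
    alerts = []
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    # Pad with spaces so a switch at either end of the line still matches.
    if image.endswith(("powershell.exe", "pwsh.exe")) and \
            ENCODED_PS_SWITCH.search(f" {cmd} "):
        alerts.append({"technique": "T1059.001",
                       "reason": "PowerShell started with encoded command",
                       "image": event.get("Image", "")})
    return alerts


def triage(jsonl: str) -> list:
    """Parse JSON-lines events and collect alerts tagged with the source host."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        event_id = event.get("EventID")
        if event_id == 6:
            hits = driver_alerts(event)
        elif event_id == 1:
            hits = process_alerts(event)
        else:
            hits = []
        for hit in hits:
            hit["host"] = event.get("Computer")
            findings.append(hit)
    return findings


# Constructed sample telemetry: one benign driver load, one suspicious driver
# load, one encoded PowerShell launch and one ordinary PowerShell launch.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 6, "Computer": "gw-01",
                "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "Computer": "gw-01",
                "ImageLoaded": r"C:\Users\Public\Libraries\dxgkrnl_ex.sys",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"EventID": 1, "Computer": "gw-01", "Image": PS_EXE,
                # Base64 of UTF-16LE "Placeholder"; constructed, not a real payload.
                "CommandLine": "powershell.exe -nop -w hidden -enc "
                               "UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="}),
    json.dumps({"EventID": 1, "Computer": "gw-01", "Image": PS_EXE,
                "CommandLine": "powershell.exe -ExecutionPolicy Bypass "
                               "-File C:\\scripts\\inventory.ps1"}),
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the script reports three findings for the second and third events and nothing for the benign ones. In production the same functions would be fed from the SIEM's Sysmon export, and the trusted-directory list and switch pattern tuned to the environment's baseline.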
Defend Against GhostEmperor APT
Mjolnir Security provides specialized capabilities to detect and respond to GhostEmperor APT operations.
- APT Threat Hunting: Proactive hunting for GhostEmperor APT TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of GhostEmperor APT campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.