| Attribute | Detail |
|---|---|
| Names | GhostEmperor / FamousSparrow |
| Attribution | PRC State-Sponsored |
| Active Since | 2020 |
| Primary Focus | Advanced kernel-level rootkit (Demodex). Targets telecom, government in Southeast Asia. |
Overview
GhostEmperor is a PRC state-sponsored threat group known for deploying the Demodex kernel-level rootkit — one of the most sophisticated rootkits observed in the wild. The group targets telecom providers, government agencies, and high-value entities primarily in Southeast Asia and the Middle East, with a focus on maintaining long-term persistent access.
Attribution
GhostEmperor (also tracked as FamousSparrow) is attributed to PRC state-sponsored operators and has been active since at least 2020. The group is known for the advanced Demodex kernel-level rootkit and targets telecom providers and government entities in Southeast Asia.
Notable Campaigns
- Demodex kernel rootkit deployment across SE Asian telecom
- Government agency targeting in Malaysia, Thailand, Vietnam
- Middle East telecom provider compromise
- ProxyLogon Exchange exploitation for initial access (2021)
- Long-term persistence operations with multi-stage loading
MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
| T1014 | Rootkit | High |
| T1059 | Command and Scripting Interpreter | High |
| T1071 | Application Layer Protocol | High |
| T1005 | Data from Local System | High |
| T1190 | Exploit Public-Facing Application | High |
Detection & Defense
Monitor for the techniques mapped above in your SIEM and EDR telemetry; because Demodex operates as a kernel-level rootkit, driver-load events for unsigned or unexpected kernel modules deserve particular attention. Prioritize patching of internet-facing applications (the group used ProxyLogon against Exchange for initial access) and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for GhostEmperor activity patterns.
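As an added example (not code from this profile or from Mjolnir Security), the script below shows one concrete hunt for the T1014 (Rootkit) row of the mapping: it parses Sysmon Event ID 6 ("Driver loaded") records exported as key=value lines and flags drivers that are unsigned, carry a non-valid signature status, or load from outside the system drivers directory. The sample events, the placeholder hash values and the trusted-directory baseline are all constructed for this example.

```python
"""
Added example: triage Sysmon Event ID 6 (driver load) records for
indicators consistent with a kernel-level rootkit (ATT&CK T1014).
All sample data below is constructed; hashes are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export: one event per line, key=value fields,
# quoted values may contain spaces (as a SIEM might export Sysmon data).
SAMPLE_EVENTS = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid Hashes=SHA256=PLACEHOLDER_HASH_1
EventID=6 ImageLoaded=C:\\Windows\\Temp\\svchost.sys Signed=false Signature=- SignatureStatus=Unavailable Hashes=SHA256=PLACEHOLDER_HASH_2
EventID=6 ImageLoaded=C:\\Users\\Public\\drv\\upd.sys Signed=true Signature="Example Corp" SignatureStatus=Expired Hashes=SHA256=PLACEHOLDER_HASH_3
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c whoami"
"""

# Assumption for this example: the site baseline treats only the standard
# Windows drivers directory as an expected load location.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\",)

# key=value where value is either "quoted text" or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in FIELD_RE.finditer(line)
    }


@dataclass
class Finding:
    image: str       # path of the loaded driver
    reason: str      # why it was flagged
    technique: str = "T1014"


def triage_driver_loads(text: str) -> List[Finding]:
    """Return a Finding for every driver-load event that looks suspicious."""
    findings: List[Finding] = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only driver-load events matter for this hunt
        image = ev.get("ImageLoaded", "")
        signed = ev.get("Signed", "").lower() == "true"
        status = ev.get("SignatureStatus", "").lower()

        reasons = []
        if not signed:
            reasons.append("unsigned driver")
        elif status != "valid":
            # signed but e.g. expired/revoked: still worth an analyst's eyes
            reasons.append(f"signature status {status}")
        if not image.lower().startswith(TRUSTED_DIRS):
            reasons.append("loaded from outside the system drivers directory")

        if reasons:
            findings.append(Finding(image=image, reason="; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.image}: {f.reason}")
```

Run as-is, the script reports the two constructed driver loads that are unsigned or carry an expired signature and come from non-standard paths, and ignores the process-creation event. In production the trusted-directory baseline and the handling of signature status should follow your own driver inventory, and the findings should be correlated with the T1059 and T1071 telemetry rather than acted on alone.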
Mjolnir Security — Threat Intelligence & Response
Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting GhostEmperor TTPs in your environment.
mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875