Security News > 2021 > September > GhostEmperor hackers use new Windows 10 rootkit in attacks

Chinese-speaking cyberspies have targeted Southeast Asian governmental entities and telecommunication companies for more than a year, backdooring systems running the latest Windows 10 versions with a newly discovered rootkit.
The hacking group, dubbed GhostEmperor by Kaspersky researchers who spotted it, use the Demodex rootkit, which acts as a backdoor to maintain persistence on compromised servers.
"To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named 'Cheat Engine',"Kaspersky said in July when it released the first details regarding this threat actor.
GhostEmperor also uses a "Sophisticated multi-stage malware framework" that allows the attackers with remote control capabilities over breached devices to provide remote control over the attacked servers.
"The attackers conducted the required level of research to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver."
Further technical details regarding GhostEmperor's tactics and the Demodex rootkit can be found in Kaspersky's deep dive and report.
News URL
Related news
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- Russian military hackers deploy malicious Windows activators in Ukraine (source)
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- whoAMI attacks give hackers code execution on Amazon EC2 instances (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- Windows 10 KB5052077 update fixes broken SSH connections (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)