Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users (Security News, October 2021)

A formerly unknown Chinese-speaking threat actor has been linked to a long-standing evasive operation aimed at South East Asian targets as far back as July 2020 to deploy a kernel-mode rootkit on compromised Windows systems.
Attacks mounted by the hacking group, dubbed GhostEmperor by Kaspersky, are also said to have used a "sophisticated multi-stage malware framework" that provides persistence and remote control over the targeted hosts.
"[Demodex] is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting undocumented loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism," Kaspersky researchers said.
GhostEmperor infections have been found to use multiple intrusion routes that culminate in the execution of malware in memory. Chief among them is the exploitation of known vulnerabilities in public-facing servers such as Apache, Windows IIS, Oracle, and Microsoft Exchange (including the ProxyLogon exploits that came to light in March 2021) to gain an initial foothold and then pivot laterally to other parts of the victim's network, even onto machines running recent versions of the Windows 10 operating system.
Following a successful breach, some of the infection chains that led to deployment of the rootkit were carried out remotely from another system in the same network using legitimate software such as WMI or PsExec, resulting in an in-memory implant capable of installing additional payloads at run time.
Beyond relying on obfuscation and other detection-evasion methods to elude discovery and analysis, Demodex gets around Microsoft's Driver Signature Enforcement mechanism, which is meant to block unsigned, arbitrary code from running in kernel space, by leveraging a legitimate, signed open-source driver that ships with Cheat Engine, an application used to introduce cheats into video games. The signed third-party driver is loaded legitimately, and the rootkit then rides on its kernel-mode capabilities.