2 August 2021

New Chinese-speaking cyberespionage group targets high-profile victims in Southeast Asia

Security researchers at Kaspersky discovered a previously undocumented cyberespionage campaign that uses vulnerabilities in Microsoft Exchange email software in attacks targeting high-profile victims in Southeast Asia, including government entities and telecom companies.

Dubbed GhostEmperor, the Chinese-speaking threat actor has been observed using a never-before-seen Windows kernel-mode rootkit that provides remote access to target servers.

GhostEmperor loads the rootkit through a scheme that abuses a component of the open-source project "Cheat Engine", which lets the actor bypass the Windows Driver Signature Enforcement (DSE) mechanism. This advanced toolset, in use since at least July 2020, is unique, Kaspersky says, and bears no similarity to the tooling of already known threat actors.
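As an added illustration, not code from the article or from Kaspersky's report, the PowerShell below hunts on a Windows host for the loading pattern described above: a legitimately signed third-party driver being present or running (the Cheat Engine driver file names dbk64.sys and dbk32.sys are an assumption of this example), and any running driver whose file carries no valid Authenticode signature, which is exactly what Driver Signature Enforcement is supposed to prevent. It also checks whether the boot configuration has DSE weakened.

```powershell
# Added example, not part of the original article or Kaspersky's tooling.
# Run in an elevated PowerShell 5.1+ session.

# Assumption: Cheat Engine ships its kernel driver under these names.
$watchlist = @('dbk64.sys', 'dbk32.sys')

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\path\x.sys   \SystemRoot\System32\drivers\x.sys   System32\drivers\x.sys
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Watchlist = $watchlist -contains ([IO.Path]::GetFileName($path).ToLower())
        }
    }

"`n[1] Drivers on the bring-your-own-driver watchlist (signed, legitimate, but abusable):"
$drivers | Where-Object Watchlist | Format-Table Name, State, StartMode, Signer, Path -AutoSize

"`n[2] Running drivers without a valid embedded Authenticode signature:"
# Caveat: many in-box Microsoft drivers are catalog-signed rather than embedded-signed and can
# show up as NotSigned here; anything outside System32\drivers, or with a non-Microsoft
# signer, is the interesting subset. Treat this as a triage list, not a verdict.
$drivers | Where-Object { $_.State -eq 'Running' -and $_.SigStatus -ne 'Valid' } |
    Sort-Object Path | Format-Table Name, SigStatus, Signer, Path -AutoSize

"`n[3] Boot options that weaken Driver Signature Enforcement (should print nothing):"
bcdedit /enum '{current}' | Select-String -Pattern 'testsigning\s+Yes|nointegritychecks\s+Yes'
```

A kernel-mode rootkit that is already resident can hide its own driver object from the user-mode enumeration Win32_SystemDriver relies on, so an empty result from [1] and [2] is not proof of absence; corroborate with a memory image or an EDR that walks kernel structures directly. The signed driver in [1] is the part the actor cannot hide as easily, because it has to be legitimately loaded first.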

“As detection and protection techniques evolve, so do APT actors,” said David Emm, security expert at Kaspersky. “They typically refresh and update their toolsets. GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.”
