A new Chinese-speaking threat actor has been discovered targeting Microsoft Exchange vulnerabilities. Tracked as GhostEmperor, the group aimed its attacks toward high-profile victims. It is using a toolset and has no similarity or links to any known threat group.

What happened?

Kaspersky’s APT Trends Q2 2021 report stated that GhostEmperor has been mostly targeting government and telecom entities in Southeast Asia.
  • The group uses a formerly unknown Windows kernel-mode rootkit to gain remote control over targeted servers.
  • To evade the Windows Driver Signature Enforcement service, the threat group is using a loading scheme that includes a component of an open-source project known as Cheat Engine.
  • Its advanced toolset has been actively in use since at least July 2020 and has no similarity to other toolsets used by other known threat actors.
  • Additionally, experts revealed that attackers employ a sophisticated multi-stage malware framework to facilitate remote control over the targeted servers.

Additional insights

Along with a significant increase in targeted attacks against Microsoft Exchange servers, Kaspersky researchers have shed light on some other ongoing trends in the APT landscape for Q2.


In recent times, several Chinese APT groups have been discovered targeting government agencies and private organizations across Asia, as well as across the globe. GhostEmperor threat group depicts how adversaries find ways to exploit vulnerabilities to target new victims. The use of unknown and advanced rootkits, as in this case, poses a greater danger for enterprise products such as Microsoft Exchange servers.

Cyware Publisher