The Return of Ghost Emperor’s Demodex

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

This document examines a recent infection chain used by the sophisticated China-nexus threat group GhostEmperor. It details the multi-stage loading process of the Demodex rootkit, which combines several obfuscation techniques and loading schemes. The analysis covers the individual components, including a batch file, a PowerShell script and a malicious service DLL, which ultimately load a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, abusing Cheat Engine's signed driver to bypass driver signature enforcement.

OPENCTI LABELS:

rootkit,demodex,ghost emperor
