[threat-actors] Add GhostEmperor

clusters/threat-actor.json

@@ -14847,6 +14847,18 @@
       },
       "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
       "value": "RevengeHotels"
+    },
+    {
+      "description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
+          "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+        ]
+      },
+      "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+      "value": "GhostEmperor"
     }
   ],
   "version": 299