From c97fc15d59a9b13f43445810b4693dc03f15d3ff Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 5 Feb 2024 09:20:11 -0800
Subject: [PATCH] [threat-actors] Add GhostEmperor

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 862d9b2..e3ec656 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14847,6 +14847,18 @@
 },
 "uuid": "083acee6-6969-4c74-80c2-5d442936aa97",
 "value": "RevengeHotels"
+ },
+ {
+ "description": "GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation",
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ ]
+ },
+ "uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
+ "value": "GhostEmperor"
 }
 ],
 "version": 299
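Review bot: The first entry in the new `refs` array has a slug naming UNC4841 and the Barracuda zero-day, which is a different intrusion set from the `GhostEmperor` value this entry describes; unless that post actually attributes activity to GhostEmperor, it should be dropped, since the refs in this cluster are what consumers treat as the attribution evidence. The Securelist reference does match the description (Demodex kernel-mode rootkit, ProxyLogon-era activity) and is sufficient on its own. The hunk also leaves the trailing `"version": 299` as a context line, so galaxy consumers that refresh on a version change may not pick up the new entry; bump it to `"version": 300` in this patch unless the project bumps it in a separate step. Consider adding `"attribution-confidence"` to `meta` alongside `"country"` if the other threat-actor entries carry it, since a bare country code states the attribution without its confidence.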