APT / THREAT GROUP
GhostEmperor
🇨🇳 China-attributed
7 aliases
Last seen: Mar 17, 2026
Intelligence Profile
GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.
Threat Analysis
GhostEmperor is a threat actor attributed to China and engaged in cyber operations; its primary motivation is listed as unknown.
Quick Facts
Type: APT / Threat Group
Origin: 🇨🇳 China
Aliases: 7
Source: Malpedia
Also Known As
FamousSparrow, GhostEmperor, UNC2286, RedMike, Salt Typhoon, OPERATOR PANDA, win.ghostemperor
External Intelligence
Malpedia: win.ghostemperor
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.