📃Title: GhostEmperor: From ProxyLogon to kernel mode
📅Date: 2021-09-30
🔗References:
- https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Kaspersky
- target-information=“Malaysia”
- target-information=“Afghanistan”
- target-information=“Egypt”
- target-information=“Ethiopia”
- target-information=“Indonesia”
- target-information=“Thailand”
- target-information=“Vietnam”
- malpedia=“GhostEmperor”
- online-service=“3b16bb5a-eb4f-4603-a909-bebc5df4a46d”
- malpedia=“Ladon”
- malpedia=“MimiKatz”
- malpedia=“PowerCat”
- threat-actor GhostEmperor
- mitre-attack-pattern=[]
MISP event uuid: c5796e2a-1297-4f8f-b559-00169e2fb88f
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP