research poc
GhostEmperor's Updated Demodex Rootkit Infection Chain AnalyzedDemodex Rootkit (GhostEmperor)
Sygnia's incident response investigation uncovered a new variant of the Demodex rootkit, attributed to the China-nexus GhostEmperor group, targeting telecommunication and government entities. The updated infection chain includes an EDR evasion technique and a reflective loader for the core implant, with compilation dating to July 2021. The malware uses LOLBins, registry persistence, and a malicious service masquerading as a legitimate Windows service.