A new Chinese-speaking threat actor, tracked as GhostEmperor, that is targeting Microsoft Exchange vulnerabilities in attacks aimed at high-profile victims.

GhostEmperor used a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism.

The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions.

To bypass the Windows Driver Signature Enforcement mechanism, Ghost Emperor uses a loading scheme involving a component of an open-source project named “Cheat Engine”.

The cluster discovered by the experts also employed a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

Multiple threat actors targeted Microsoft Exchange vulnerabilities this year, however, GhostEmperor operation has no overlap with other ones.

GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.