A new report shows that in Q2 2021 the threat landscape saw a major increase in cyberattacks against Microsoft Exchange servers.

Last week, Kaspersky security researchers disclosed, in Kaspersky's APT Trends Q2 2021 report, the details of a distinctive, long-running Advanced Persistent Threat (APT) campaign dubbed GhostEmperor.

According to the report, the Chinese-speaking APT GhostEmperor took advantage of Microsoft Exchange flaws to attack high-profile entities with an advanced toolkit that had been in use since at least July 2020.

The ongoing campaign performed by this hacking threat actor mostly targeted Southeast Asia-based organizations, including various government entities and telecommunications businesses.

The report indicates that the operation used a previously unknown Windows kernel-mode rootkit and an advanced multi-stage malware framework designed to give the attackers remote control over the compromised servers.

Rootkits operate covertly and are notorious for hiding from investigators and security solutions. Windows Driver Signature Enforcement (DSE) normally blocks unsigned code from being loaded into the kernel; GhostEmperor sidesteps it with a loading scheme that abuses a signed component of the open-source project "Cheat Engine" to bring its own unsigned kernel code in. This toolset is unique, and Kaspersky researchers see no overlap with already known threat actors.
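A defender's first question after reading this is how to spot such a bridge driver on an Exchange host. The PowerShell hunt below is an added example written for this article; it is not code from Kaspersky's report or from the GhostEmperor toolset. It enumerates the running kernel drivers, checks each file's Authenticode signature, and flags any driver that is signed by a publisher matching an assumed watch-list (here the string "Cheat Engine", which the report names only as the abused project, not as a certificate subject), that has a non-valid signature, or that loads from outside System32. The path-normalisation rules for the raw service image paths are also assumptions.

```powershell
# Added example (not from the Kaspersky report or this article): hunt for loaded
# kernel drivers that could serve as a Driver Signature Enforcement bypass.
# A legitimately signed third-party driver that can load arbitrary kernel code
# is the typical bridge, so we look at who signed each running driver.
# Run in an elevated PowerShell session on the server being triaged.

# Assumption: substrings to look for in the signer certificate subject.
$suspectSigners = @('Cheat Engine')

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a full path.
    # The prefixes handled here are an assumption based on common service entries.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $sysRoot = $env:SystemRoot
    switch -Regex ($p) {
        '^\\\?\?\\'        { return $p.Substring(4) }                          # \??\C:\...
        '^\\SystemRoot\\'  { return (Join-Path $sysRoot ($p.Substring(12))) }  # \SystemRoot\system32\...
        '^system32\\'      { return (Join-Path $sysRoot $p) }                  # system32\drivers\...
        '^[A-Za-z]:\\'     { return $p }                                       # already absolute
        default            { return (Join-Path $sysRoot $p) }
    }
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -LiteralPath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hit     = $suspectSigners | Where-Object { $subject -like "*$_*" }

    $reason = @()
    if ($hit)                                        { $reason += "signer matches '$hit'" }
    if ($sig.Status -ne 'Valid')                     { $reason += "signature status $($sig.Status)" }
    if ($path -notlike "$env:SystemRoot\System32\*") { $reason += 'image outside System32' }

    if ($reason) {
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Signer = $subject
            Reason = ($reason -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: some inbox drivers are catalog-signed and may not report a clean Authenticode status on every build, so compare against a known-good baseline from an identical host. Also remember that a kernel-mode rootkit is built to hide from exactly this kind of enumeration, so an empty result does not clear the machine; it only tells you the bridge driver is not visible through the service list.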

Kaspersky spotted the GhostEmperor campaign while investigating several operations targeting Microsoft Exchange servers. Its researchers describe GhostEmperor as a new threat because its toolset shares nothing with any known threat actor.

David Emm, a security expert at Kaspersky, said:

As detection and protection techniques evolve, so do APT actors. They typically refresh and update their toolsets.

GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.

Kaspersky's report is another reminder that advanced threat actors will keep adapting and evolving, changing their strategies, investing in their toolsets, and launching new waves of activity.
