GhostEmperor is a threat group first discovered and described by Kaspersky in 2021. It has not been recognized since.

In a late 2023 compromise investigation, Sygnia discovered what it believes to be a variant of the GhostEmperor infection chain leading to the Demodex rootkit – which was first seen and described by Kaspersky in 2021.

Kaspersky had discovered a cluster of activity employing this rootkit and decided to name the cluster GhostEmperor. Kaspersky made several observations about the actor: ‘highly skilled and accomplished’ with an emphasis on stealth; mostly targeting Southeast Asian telco and government entities; no known affiliations with any other actors; and Chinese speaking. However, there has been no public reporting on possible further GhostEmperor activity since then.