Frequently Asked Questions

Product Information & Threat Analysis

What is GhostEmperor and how does it operate?

GhostEmperor is a sophisticated malware cluster that uses a multi-stage infection chain, starting with a PowerShell dropper. It leverages encrypted registry keys, custom loaders (in both C++ and .NET), and an in-memory implant injected into svchost.exe. The implant communicates with a C2 server using a Malleable C2 profile, and the rootkit (Demodex) is loaded into kernel mode by abusing a legitimate signed driver (dbk64.sys from Cheat Engine) to execute unsigned code and hide malicious activity.

How does GhostEmperor bypass Windows Driver Signature Enforcement?

GhostEmperor abuses the dbk64.sys driver, a legitimate signed driver from Cheat Engine, to gain kernel-level code execution. This allows the malware to load unsigned drivers without disabling Code Integrity or modifying system files, bypassing Microsoft's Driver Signature Enforcement on modern 64-bit Windows systems.

What techniques does GhostEmperor use to hide its presence?

The Demodex rootkit used by GhostEmperor hides services, registry keys, files, and TCP connections. It manipulates system structures and hooks APIs to unlink services, hide registry entries, and remove TCP connections from system tables, making detection by standard tools difficult.

What is the role of the Malleable C2 profile in GhostEmperor?

The Malleable C2 profile, inspired by Cobalt Strike, allows GhostEmperor's implant to disguise its command-and-control traffic as legitimate communication, making it harder for network defenses to detect malicious activity.

How does GhostEmperor's loader differ between C++ and .NET variants?

The .NET variant derives the decryption key from the infected machine's GUID, making it system-specific, while the C++ variant uses hardcoded AES-256 encryption keys. Both variants decrypt and load the core implant into memory.

What is the function of the dbk64.sys driver in GhostEmperor attacks?

The dbk64.sys driver, originally part of Cheat Engine, is used by GhostEmperor to execute arbitrary code in kernel mode. This enables the malware to load its rootkit and perform privileged operations without triggering standard security controls.

How does GhostEmperor hide TCP connections and registry keys?

GhostEmperor's rootkit hooks system APIs and uses IOCTLs to hide TCP connections within specified port ranges and registry keys related to its operation, making them invisible to standard system utilities and forensic tools.

What are the implications of GhostEmperor's development choices for forensic analysis?

The use of custom loaders, encrypted payloads, and rootkit techniques complicates forensic analysis, as artifacts are hidden or encrypted, and standard detection methods are evaded through kernel-level manipulation.

How does Cymulate help organizations defend against threats like GhostEmperor?

Cymulate enables organizations to simulate advanced persistent threats (APTs) like GhostEmperor, validate their defenses, and identify exploitable vulnerabilities through continuous automated attack simulations and exposure validation. This proactive approach helps organizations stay ahead of sophisticated threats by testing real-world attack scenarios and improving their security posture. Learn more about Exposure Validation.

What is the benefit of using Cymulate's Threat Validation solution over manual penetration testing?

Cymulate's Threat Validation provides automated, continuous security testing with a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. Unlike manual pen tests, Cymulate offers out-of-the-box integrations, automated mitigation, and actionable remediation, enabling faster and more comprehensive validation of both prevention and detection controls. Read more.

How does Cymulate's Exposure Validation support a threat-informed defense?

Cymulate Exposure Validation continuously tests security controls against the latest threats and attack techniques, ensuring defenses are always prepared for current and emerging adversarial methods. This supports a threat-informed defense strategy by providing real-time validation and actionable insights. Learn more.

What are the key capabilities of Cymulate's platform?

Cymulate offers continuous threat validation, unified Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), exposure analytics, attack path discovery, automated mitigation, AI-powered optimization, and an extensive threat library with over 100,000 attack actions updated daily. These capabilities help organizations improve security posture, operational efficiency, and threat resilience. See platform details.

How does Cymulate integrate with other security technologies?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. These integrations enhance network, cloud, endpoint, and vulnerability management validation. See all integrations.

What security and compliance certifications does Cymulate hold?

Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications cover security, availability, confidentiality, privacy, and cloud security controls, ensuring robust compliance and data protection. More on security & compliance.

How easy is it to implement Cymulate?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configuration. Customers can start running simulations almost immediately, and comprehensive support is available via email, chat, and a knowledge base. Schedule a demo.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a custom quote, schedule a demo with the Cymulate team.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. See more about roles.

What pain points does Cymulate address for security teams?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges. See customer stories.

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and exposure analytics, continuous 24/7 validation, AI-powered optimization, ease of use, and measurable outcomes such as a 52% reduction in critical exposures and 81% reduction in cyber risk. See Cymulate vs competitors.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface, quick implementation, and actionable insights. Testimonials highlight its user-friendly dashboard, immediate value, and accessible support. Read customer quotes.

What are some real-world results achieved with Cymulate?

Organizations have reported an 81% reduction in cyber risk (Hertz Israel, 4 months), a 52% reduction in critical exposures, and a 60% increase in team efficiency. See Hertz Israel case study.

How does Cymulate support compliance and data protection?

Cymulate ensures compliance with SOC2 Type II, ISO 27001, ISO 27701, ISO 27017, and CSA STAR Level 1. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), and the platform includes 2FA, RBAC, and IP restrictions. See compliance details.

What is Cymulate's approach to continuous threat exposure management (CTEM)?

Cymulate's CTEM approach integrates validation, prioritization, and mobilization across teams, helping organizations proactively manage exposures and reduce breach risk. Organizations with CTEM are three times less likely to suffer a breach (Gartner). Learn about CTEM.

How does Cymulate help with vulnerability management?

Cymulate automates validation between penetration tests, prioritizes vulnerabilities based on exploitability, and provides actionable insights for remediation, improving operational efficiency for vulnerability management teams. See vulnerability management.

What is Cymulate's vision and mission?

Cymulate's vision is to transform cybersecurity by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize security posture. The mission is to empower teams to achieve lasting improvements in threat resilience and operational efficiency. About Cymulate.

How does Cymulate support collaboration across security teams?

Cymulate provides a unified platform for SecOps, red teams, and vulnerability management, enabling collaboration, shared metrics, and a holistic approach to exposure management and threat validation. See platform.

What educational resources does Cymulate offer?

Cymulate offers a knowledge base, webinars, e-books, and an AI chatbot for technical guidance, best practices, and security validation principles. Explore resources.

How does Cymulate's 'Threat (IoC) updates' feature improve threat resilience?

The 'Threat (IoC) updates' feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, enabling rapid defense against new threats and improving overall threat resilience.

How does Cymulate help financial services defend against advanced threats?

Cymulate enables financial services organizations to validate defenses against ransomware, phishing, and advanced persistent threats (APTs) by simulating real-world attacks and ensuring robust security controls for both internal and customer-facing systems. See financial services use case.

What is the impact of an attacker gaining access to domain admin machines?

If an attacker gains access to multiple domain admin machines, they can deploy ransomware, modify Active Directory policies, create backdoors, and disable security tools, leading to significant risk and potential business disruption. See customer stories.

How does Cymulate's platform stay up to date with emerging threats?

Cymulate's SaaS platform is updated every two weeks with new features, threat intelligence, and attack simulations, ensuring customers are protected against the latest threats. Learn more.

Where can I find more technical resources and demos related to Cymulate?

You can access technical resources, demos, and whitepapers on the Cymulate website, including detailed guides on exposure management, threat validation, and case studies. View resources.


GhostEmperor - From ProxyLogon to kernel mode

October 7, 2021

The flow of infection starts with a PowerShell dropper. Its purpose is to stage the next element in the chain by installing it as a service. Before doing so, it creates a couple of registry keys and assigns encrypted data to them, one of which corresponds to a payload that will be deployed in the later stages. It's worth noting that the script itself is delivered in a packed form: its complete execution depends on a command-line argument that is used as a key to decrypt the bulk of its logic and data. Without this key, it's impossible to recover the flow that comes after this stage.

The next stage, which is executed as a service by the former, is yet another precursor for the later phases. It reads the encrypted data from the previously written registry keys and decrypts it to initiate the execution of an in-memory implant. Analysts identified two variants of this component, one developed in C++ and another in .NET. The latter uses the GUID of the infected machine to derive the decryption key, and is thus tailored to execute on that specific system. The C++ variant, on the other hand, relies on hardcoded AES-256 encryption keys.

The third stage is the core implant, which operates in memory after being deployed by the aforementioned loader and is injected into the address space of a newly created svchost.exe process. Its main goal is to maintain a communication channel with a C2 server, with malicious traffic masqueraded as communication with a benign service based on a Malleable C2 profile embedded in its configuration. It is important to note that the implementation of the Malleable C2 feature, which originally comes from the Cobalt Strike framework, is customized and most likely rewritten based on reverse engineering of Cobalt Strike's code.
On modern 64-bit Windows operating systems, it is generally not possible to load an unsigned driver in a documented way, due to the Driver Signature Enforcement mechanism introduced by Microsoft. For this reason, attackers have abused vulnerabilities in signed drivers to get unsigned code executed in kernel space. A typical approach [1] taken by many actors to date, mostly on older versions of Windows, is to disable the Code Integrity mechanism by switching the nt!g_CiEnabled flag that resides within the CI.DLL kernel module after obtaining write and execution primitives via vulnerable signed drivers. Once Code Integrity is shut down, an unsigned driver can be loaded.

The approach used by the developer of this rootkit allows loading an unsigned driver without modifying the Code Integrity image and without risking a crash. It abuses features of a legitimate, open-source [2] signed driver named dbk64.sys, which ships with Cheat Engine, an application created to bypass video game protections and introduce cheats into them. This driver provides the capability to write and execute code in kernel space by design, and thus lets its caller run arbitrary code in kernel mode. After dropping the dbk64.sys driver to disk under a randomly generated filename and loading it, the malware issues documented [3] IOCTLs to the driver that cause shellcode to run in kernel space.

The loaded rootkit, dubbed Demodex, serves the purpose of hiding several artefacts of the malware's service. To access the rootkit's functionality, the malware must obtain a handle to the corresponding device object, after which the following IOCTLs are available:

- 0x220204: Receives as its argument the PID of the svchost.exe process that runs the code of the malicious service and stores it in a global variable. This variable is used by other IOCTLs later on.
- 0x220224: Initializes global variables that later hold data such as the aforementioned svchost.exe PID, the name of the malware's service, the path to the malware's DLL and a network port.
- 0x220300: Hides the malware's service from a list within the services.exe process address space. The service's name is passed as an argument to the IOCTL and looked up in a system-maintained linked list; the corresponding entry is unlinked, hiding the service from easy detection. The logic in this handler is reminiscent of the technique outlined here.
- 0x220304: Registers a file system filter driver's notification routine using the IoRegisterFSRegistrationChange API. The notification routine, invoked when a new file system is registered, checks whether it is NTFS-based and, if so, creates a device object for the rootkit that is attached to that file system's device stack. Both the file system's device object and the associated rootkit device object are recorded in a global list maintained by the rootkit's driver. Subsequent attempts to query, open or modify the hidden file fail with error codes such as STATUS_NO_MORE_FILES or STATUS_NO_SUCH_FILE.
- 0x220308: Hides TCP connections that use ports within a given range from utilities that list them, such as netstat. This is done through a known [4] method whereby the IOCTL dispatch routine of the NSI proxy driver is hooked and the completion routine is replaced with one that inspects the port of each connection. If a connection's port falls within the given range, its entry is removed from the system's TCP table. The two ports that bound the range are passed as arguments to the IOCTL.
- 0x22030C: Hides malware-related registry keys by hooking several registry operations through the CmRegisterCallback API.
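Added example, not code from the write-up above: cross-view detection of the artefacts Demodex hides, namely TCP connections inside a port range (the 0x220308 behaviour) and the service unlinked from the services.exe list (0x220300). A kernel rootkit can only alter the answers the live host gives; an independent view such as firewall flow records or a SYSTEM hive acquired offline still contains the entries, and the difference between the two views is the finding. The connections, service names and port range below are constructed sample data.

```python
# Cross-view rootkit detection: compare what the live host reports with an
# independent source that the rootkit cannot rewrite.
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    local_port: int
    remote: str  # "ip:port"


def cross_view_diff(host_view, independent_view):
    """Return items the independent view has that the host view lacks."""
    host = set(host_view)
    return sorted((i for i in independent_view if i not in host), key=str)


def hidden_in_port_range(host_conns, flow_conns, lo, hi):
    """Connections missing from the host view, plus those whose local port
    clusters in lo..hi, the shape left by a hide-by-port-range IOCTL."""
    hidden = cross_view_diff(host_conns, flow_conns)
    in_range = [c for c in hidden if lo <= c.local_port <= hi]
    return hidden, in_range


# Constructed sample data (not real IoCs). HOST_TCP is the TCP table as the
# rootkit lets netstat see it; FLOW_TCP is what a firewall logged for the host.
HOST_TCP = [Conn(445, "10.0.0.7:51234"), Conn(3389, "10.0.0.9:50111")]
FLOW_TCP = HOST_TCP + [Conn(60010, "203.0.113.5:443"),
                       Conn(60042, "203.0.113.5:443")]

# Live SCM enumeration vs. service keys parsed from an offline SYSTEM hive.
SCM_SERVICES = {"Dhcp", "EventLog", "Schedule"}
HIVE_SERVICES = {"Dhcp", "EventLog", "Schedule", "wmiupdsvc"}  # constructed


def report():
    """Run both comparisons and return the findings as a dict."""
    hidden, in_range = hidden_in_port_range(HOST_TCP, FLOW_TCP, 60000, 60100)
    services = cross_view_diff(SCM_SERVICES, HIVE_SERVICES)
    return {"hidden_tcp": hidden,
            "tcp_in_suspect_range": in_range,
            "hidden_services": services}


if __name__ == "__main__":
    for finding, items in report().items():
        print(finding, items)
```

The same diff applies to the registry keys hidden via CmRegisterCallback: parse the offline hive and compare it with a live enumeration.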
The authors of the malware components used in the GhostEmperor cluster of activity have made some development choices that have implications on the forensic analysis process.