Threat Intelligence Tarot
Vol. II · 119
China-aligned
risk 4/5
The Throne of Drivers
GhostEmperor
Demodex operator
Southeast Asian governments · Telecommunications · Technology firms
Active since ~2020 · High-stealth espionage, Long-dwell intelligence collection
The Throne of Drivers sits below the operating system. Its rule does not require the user's notice — userland processes serve at its pleasure, unaware that the kernel itself has been crowned.
Tactics & Techniques
Tactic strip: RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1014 Rootkit (Defense Evasion)
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1071.001 Web Protocols (Command and Control)
  • T1078 Valid Accounts (Persistence)
  • T1090 Proxy (Command and Control)
Notable Operations
  • Demodex Windows kernel-mode rootkit (Kaspersky disclosure 2021)
  • Signed-driver loader abuse bypassing Driver Signature Enforcement
  • Southeast Asia government and telecom long-dwell campaigns
  • Re-emergence with refined toolkit (Sygnia tracking 2024)
Defenses
  • Microsoft Vulnerable Driver Blocklist enforcement
    MITRE D3FEND
  • Hypervisor-based code integrity (HVCI) on Windows endpoints
    CIS Control 4
  • Kernel driver inventory and allowlisting
    NIST CSF: PR.IP
  • Boot integrity monitoring with measured boot logs
    NIST SP 800-155
Reversed: Their Weakness
Microsoft's Vulnerable Driver Blocklist, Driver Signature Enforcement, and kernel-mode allowlisting force this operator into smaller and smaller circles of usable drivers.

Data sourced from MITRE ATT&CK. For educational purposes.