GhostEmperor: From ProxyLogon to kernel mode
While investigating a recent rise in attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. Because the cluster showed a long-standing operation, high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to dub it GhostEmperor.