VERY IMPORTANT

This document examines a recent infection chain utilized by the sophisticated China-nexus threat group GhostEmperor. It delves into the multi-stage loading process of the Demodex rootkit, which incorporates several obfuscation techniques and loading schemes. The analysis covers various components, including a batch file, PowerShell script, and malicious service DLL, which ultimately loads a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, leveraging Cheat Engine's signed driver to bypass driver signature enforcement.