CrowdStrike uncovered a new campaign of GOBLIN PANDA APT aimed at Vietnam

Pierluigi Paganini September 05, 2018

Researchers from security firm CrowdStrike have observed a new campaign associated with the GOBLIN PANDA APT group.

Experts from security firm CrowdStrike have uncovered a new campaign associated with the GOBLIN PANDA APT group.

The group also knows as Cycldek was first spotted in September 2013, it was mainly targeting entities in Southeast Asia using different malware variants mainly PlugX and HttpTunnel.

In 2014, experts noticed an intensification in the activity of the group that appeared interested in the dispute over the South China Sea.

GOBLIN PANDA was focused on Vietnam, most of the targets were in the defense, energy, and government sectors.

The group is back and is targeting once again Vietnam running a spear phishing campaign that uses weaponized documents featuring Vietnamese-language lures and themes

“Last month, CrowdStrike Intelligence observed renewed activity from GOBLIN PANDA targeting Vietnam. As part of this campaign, new exploit documents were identified with Vietnamese-language lures and themes, as well as Vietnam-themed, adversary-controlled infrastructure.” reads the analysis published by CrowdStrike.

“Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary.”

The researchers analyzed two weaponized documents written in Vietnamese-language and attributed them to GOBLIN PANDA based their metadata.

The decoy documents have training-related themes and trigger the Office vulnerability CVE-2012-0158 flaw to deliver a malware implant tracked as QCRat by CrowdStrike Falcon Intelligence.

The document did not specifically reference projects related to the Vietnamese government or departments, however, they could be used to trick Government of Vietnam personnel to open them.

According to CrowdStrike, the decoy documents use a previously identified legitimate executable, a side-loading implant Dynamic Link Library (DLL), and new implant configuration files stored as a .tlb file.


The analysis of command and control servers suggests that GOBLIN PANDA hackers are also targeting entities in Laos.

“Analysis of command and control infrastructure suggests that GOBLIN PANDA is targeting entities in Laos, as well. CrowdStrike Intelligence has not directly observed Laotian targeting, and cannot confirm targets in Laos for this campaign, however, previous activity linked to GOBLIN PANDA has targeted this country.” concludes the report.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  APT, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment