Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

China-Linked ‘Cycldek’ Hackers Target Vietnamese Government, Military

China-linked cyber-espionage group Cycldek is showing increasing sophistication in a series of recent attacks targeting government and military entities in Vietnam, according to a report from anti-malware vendor Kaspersky.

China-linked cyber-espionage group Cycldek is showing increasing sophistication in a series of recent attacks targeting government and military entities in Vietnam, according to a report from anti-malware vendor Kaspersky.

Active since at least 2013 and also referred to as Goblin Panda and Conimes, Cycldek is known for the active targeting of governments in Southeast Asia, and their preference for targets in Vietnam.

In June last year, the group was revealed to have used a piece of custom malware to exfiltrate data from air-gapped systems, a clear sign of evolution for a group considered less sophisticated. The more recent attacks, Kaspersky says, show further increase in sophistication.

Running between June 2020 and January 2021, the campaign relied on an infection chain that used DLL side-loading to deliver malicious code that would eventually deploy a remote access Trojan (RAT) to provide the attackers with full control over compromised machines.

As part of an attack against a high-profile Vietnamese organization, a legitimate component from Microsoft Outlook was being abused to load a DLL that would run a shellcode that was acting as a loader for the FoundCore RAT.

Once deployed, the malware would start four processes: one to establish persistence as a service, the second to hide the first process, the third to prevent access to the malicious file, and the fourth to establish connection to the command and control (C&C) server.

FoundCore provides the threat actor with full control over the victim machine. The malware includes support for a variety of commands, allowing for file system manipulation, process manipulation, execution of arbitrary commands, and screenshot grabbing. Other malware delivered as part of the attacks are DropPhone and CoreLoader.

“We observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand,” Kaspersky notes.

Related: Chinese Hackers Cloned Equation Group Exploit Before Leak

Related: Chinese Actor Uses Browser Extension to Hack Gmail Accounts

Related: China-Linked Hackers Exploited SolarWinds Flaw  

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.