Security Experts:

Connect with us

Hi, what are you looking for?



GOBLIN PANDA Targets Vietnam Again

CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.

CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.

First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors.

Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well.

The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.

“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says.

These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine.

The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.”

While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” CrowdStrike concludes.

Related: China-linked Hackers Target Engineering and Maritime Industries

Related: Cyber Espionage Targets Interests in South China Sea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...