EXECUTIVE SUMMARY:
A cyber-espionage campaign has been identified against government entities in Cambodia, primarily focusing on organizations associated with defense, military intelligence, and public infrastructure. The operation employed carefully crafted government-themed lures and social engineering techniques to gain initial access to victim environments. The activity appears to be intelligence-driven, with attackers seeking long-term access to sensitive government networks and information systems. The campaign demonstrates a focused approach toward regional intelligence collection and strategic surveillance objectives.
The intrusion chain reportedly began with spear-phishing messages delivering self-extracting archive files disguised as official correspondence. Once executed, the archive launched a legitimate VMware executable that was abused to sideload a malicious DLL. This DLL deployed a custom loader known as NIGHTFORGE, which decrypted and executed a Havoc Demon payload directly in memory, reducing the likelihood of detection. The malware incorporated multiple defense-evasion techniques, including NTDLL unhooking, direct system-call resolution methods, in-memory execution, and persistence mechanisms designed to survive system reboots. The attackers reused infrastructure, payloads, and operational components across multiple incidents, suggesting an established toolkit with only minor modifications between campaigns. These techniques enabled the threat actors to maintain access, evade monitoring tools, and facilitate ongoing intelligence collection activities.
This activity demonstrates a well-planned espionage operation targeting high-value government organizations with malware engineered for stealth, persistence, and intelligence collection. The combination of social engineering, DLL sideloading, in-memory payload execution, and advanced evasion techniques highlights the growing sophistication of regional cyber-espionage threats. Organizations operating in government, defense, and critical public sectors should strengthen monitoring for suspicious archive files, DLL sideloading behavior, unauthorized scheduled tasks, and memory-resident malware to reduce the risk of compromise.
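The two behaviours the summary above singles out for monitoring, a signed binary sideloading a DLL from its own directory and a Run-key entry pointing at a user-writable path, can be checked mechanically against endpoint telemetry. The script below is an added example written for this page; it is not code from the original advisory, from the referenced report, or from the actor's tooling. It runs over constructed, Sysmon-style image-load and registry-set records embedded inline; the field names, the list of trusted install roots, and every path, process and DLL name (vendor-tool.exe, vendorlib.dll, the SID) are placeholders assumed for the example, not indicators from the page.

```python
"""
Added example (not from the original advisory): flag DLL sideloading beside a
signed executable, and Run-key persistence that points outside trusted install
roots or proxies through rundll32. All sample records and names are constructed.
"""
import re
from pathlib import PureWindowsPath

# Install/system roots where a signed binary legitimately loads its own DLLs.
# Anything executed from elsewhere is treated as user-writable for this example.
TRUSTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
RUN_KEY_MARKER = "\\CurrentVersion\\Run\\"   # T1547.001 registry location

# Constructed sample telemetry, loosely modelled on Sysmon image-load (ID 7)
# and registry value-set (ID 13) events. Placeholder names, not real IoCs.
SAMPLE_EVENTS = [
    {   # benign: signed vendor tool loading its DLL from Program Files
        "type": "image_load",
        "Image": r"C:\Program Files\Vendor\vendor-tool.exe",
        "Signed": "true",
        "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
        "ImageLoadedSigned": "true",
    },
    {   # sideload pattern: the same signed tool dropped by an archive into a
        # temp folder, loading an unsigned DLL of the expected name beside it
        "type": "image_load",
        "Image": r"C:\Users\alice\AppData\Local\Temp\sfx\vendor-tool.exe",
        "Signed": "true",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sfx\vendorlib.dll",
        "ImageLoadedSigned": "false",
    },
    {   # benign: ordinary system DLL load
        "type": "image_load",
        "Image": r"C:\Windows\explorer.exe",
        "Signed": "true",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "ImageLoadedSigned": "true",
    },
    {   # persistence: Run key value that points rundll32 at the dropped DLL
        "type": "registry_set",
        "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\sfx\vendorlib.dll",Start',
    },
    {   # benign Run key: vendor updater installed under Program Files
        "type": "registry_set",
        "TargetObject": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
        "Details": r'"C:\Program Files\Vendor\update.exe" /quiet',
    },
]


def in_trusted_root(path: str) -> bool:
    """True when the path sits under one of the trusted roots (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in TRUSTED_ROOTS)


def flag_sideload(ev: dict):
    """Signed process outside a trusted root loading an unsigned DLL from its
    own directory: the sideloading pattern described in the advisory (T1574.002)."""
    proc = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if ev.get("Signed") != "true" or ev.get("ImageLoadedSigned") == "true":
        return None
    if in_trusted_root(str(proc)) or dll.parent != proc.parent:
        return None
    return f"sideload: {proc.name} loaded unsigned {dll.name} from {proc.parent}"


def flag_run_key(ev: dict):
    """Run-key value whose command references a path outside the trusted roots
    or proxies through rundll32 (T1547.001 / T1218.011)."""
    if RUN_KEY_MARKER.lower() not in ev["TargetObject"].lower():
        return None
    details = ev["Details"]
    paths = re.findall(r"[A-Za-z]:\\[^\"',]+", details)   # drive-letter paths
    suspicious = [p for p in paths if not in_trusted_root(p)]
    if not suspicious and "rundll32" not in details.lower():
        return None
    value_name = ev["TargetObject"].rsplit("\\", 1)[-1]
    return f"run-key: {value_name} -> {details}"


def scan(events):
    """Run both detections over a list of records and return the alert strings."""
    alerts = []
    for ev in events:
        hit = flag_sideload(ev) if ev["type"] == "image_load" else flag_run_key(ev)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the scan raises exactly two alerts, one for the unsigned DLL loaded beside the relocated signed tool and one for the rundll32 Run-key value; the Program Files and System32 loads pass silently. The "trusted roots" allow-list is the knob a deployment would tune: the point of the heuristic is that a signed vendor binary executing from a temp, download or profile directory is itself the anomaly, regardless of which DLL it pulls in.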
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1106 | Native API | - |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Stealth | T1574.002 | Hijack Execution Flow | DLL |
| Stealth | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Stealth | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Stealth | T1620 | Reflective Code Loading | - |
| Credential Access | T1003.001 | OS Credential Dumping | LSASS Memory |
| Discovery | T1057 | Process Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/hackers-abuse-vmware-signed-binary-to-sideload-nightforge-loader/