Khmer Shadow Targets Cambodian Government Entities in Espionage Campaign
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A newly identified threat cluster tracked as Khmer Shadow is running espionage-oriented operations against Cambodian government organizations, particularly in the defense and public works sectors. The attackers use a custom C++ loader named NIGHTFORGE to sideload a Havoc Demon payload directly into memory. The campaign also employs advanced evasion methods, including NTDLL unhooking and Hell’s Gate syscall resolution, to reduce visibility and bypass security controls.
Investigation
Acronis TRU uncovered two separate campaigns that used meeting-themed self-extracting archives as the initial delivery method. Analysts examined the NIGHTFORGE loader and documented its ability to resolve syscalls dynamically and unhook NTDLL in order to conceal malicious activity. The investigation also connected multiple command-and-control environments by pivoting on shared JARM fingerprints and reused Cloudflare Origin Certificates.
Mitigation
Organizations should implement strong monitoring for suspicious DLL sideloading behavior, especially when legitimate signed binaries such as VMwareNamespaceCmd.exe are involved. Defenders should also watch for unauthorized scheduled task creation and unusual child processes, including gpupdate.exe, being launched by unexpected parent processes. Endpoint protection capable of detecting direct syscall activity and memory-resident payloads can further improve coverage.
Response
If Khmer Shadow activity is detected, affected systems should be isolated immediately to disrupt further command-and-control communication. Investigators should perform forensic analysis of the %LOCALAPPDATA% directory to identify any persistent VMwareNamespace-related artifacts. Network logs should also be reviewed for outbound HTTPS traffic to the known command-and-control domains, and credentials used on compromised systems should be reset.
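The forensic step above can be scripted. The following helpers are an added example written for this page, not tooling from Acronis TRU or the report: parse_task() reads a Task Scheduler XML definition (the schema Windows stores under %SystemRoot%\System32\Tasks) and assess_task() flags the traits the report attributes to the persistence mechanism (a task named VMwareNamespace, a 10-minute repetition, an action launched from %LOCALAPPDATA%), while localappdata_artifacts() picks VMwareNamespace-related files out of a directory listing. The task XML, the user name and the file listing are constructed samples, not recovered artifacts.

```python
"""Added example (not from the report): triage helpers for the persistence
the response section asks investigators to look for. The task XML and the
%LOCALAPPDATA% listing below are constructed samples."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ISO 8601 duration as used in <Repetition><Interval>, e.g. PT10M.
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definition modelled on the reported traits (name, interval, path).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\VMwareNamespace</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Local\\VMwareNamespace\\VMwareNamespaceCmd.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed %LOCALAPPDATA% listing: two artifacts matching the report plus
# an unrelated file that must not be flagged.
SAMPLE_LISTING = [
    r"C:\Users\user\AppData\Local\VMwareNamespace\VMwareNamespaceCmd.exe",
    r"C:\Users\user\AppData\Local\VMwareNamespace\vmtools.dll",
    r"C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat",
]


def iso_minutes(duration):
    """Convert an ISO 8601 duration such as PT10M to minutes; None if malformed."""
    m = ISO_DURATION.match(duration or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def parse_task(xml_text):
    """Extract task name, repetition intervals and action commands from task XML."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip("\\"),
        "intervals": [e.text for e in root.findall(".//t:Repetition/t:Interval", NS)],
        "commands": [e.text for e in root.findall(".//t:Actions/t:Exec/t:Command", NS)],
    }


def assess_task(task):
    """Return the reasons a parsed task matches the reported persistence traits."""
    reasons = []
    if task["name"].lower() == "vmwarenamespace":
        reasons.append("task name matches reported persistence name")
    if any(iso_minutes(i) == 10 for i in task["intervals"]):
        reasons.append("repeats every 10 minutes")
    for cmd in task["commands"]:
        if "\\appdata\\local\\" in cmd.lower():
            reasons.append(f"action runs from %LOCALAPPDATA%: {ntpath.basename(cmd)}")
    return reasons


def localappdata_artifacts(paths):
    """Paths under AppData\\Local carrying the VMwareNamespace name or the sideloaded DLL."""
    hits = []
    for p in paths:
        low = p.lower()
        if "\\appdata\\local\\" in low and ("vmwarenamespace" in low or ntpath.basename(low) == "vmtools.dll"):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for r in assess_task(parse_task(SAMPLE_TASK_XML)):
        print("[task]", r)
    for a in localappdata_artifacts(SAMPLE_LISTING):
        print("[file]", a)
```

On a live system, point parse_task() at each file under %SystemRoot%\System32\Tasks (they are UTF-16 encoded, so read them with that encoding) and feed a recursive listing of %LOCALAPPDATA% to localappdata_artifacts(); hits in either function are leads for the memory and network review the response section describes, not proof of compromise on their own.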
Attack Flow

graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef malware fill:#ff9999
    classDef tool fill:#cccccc
    classDef process fill:#ccffcc
    classDef network fill:#ffff99

    %% Node Definitions
    action_phishing["<b>Action</b> – <b id='T1566.001'>T1566.001 Spearphishing Attachment</b><br/><b>Description</b>: Delivering malicious attachments via email.<br/><b>File</b>: Contact_Letter_To_Ms_Pech_ICB_Cambodia_On_Collaboration.pdf.exe"]
    class action_phishing action

    proc_sideload["<b id='T1218'>T1218 System Binary Proxy Execution</b><br/><b>Description</b>: Using legitimate binaries to execute malicious code.<br/><b>Binary</b>: VMwareNamespaceCmd.exe<br/><b>Sideloaded DLL</b>: vmtools.dll"]
    class proc_sideload process

    malware_nightforge["<b id='NIGHTFORGE'>Malware</b>: NIGHTFORGE Loader<br/><b>Action</b> – <b id='T1140'>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: Using custom XOR decryption to decode shellcode.<br/><b>Action</b> – <b id='T1027.007'>T1027.007 Dynamic API Resolution</b><br/><b>Description</b>: Bypassing EDR using Hell's Gate syscall resolution."]
    class malware_nightforge malware

    action_persistence["<b id='T1137'>T1137 Office Application Startup</b><br/><b>Description</b>: Using COM APIs to ensure persistence.<br/><b>Mechanism</b>: Registered scheduled task named VMwareNamespace<br/><b>Frequency</b>: Repeats every 10 minutes."]
    class action_persistence action

    tool_kaynldr["<b id='KaynLdr'>Tool</b>: KaynLdr<br/><b>Action</b> – <b id='T1620'>T1620 Reflective Code Loading</b><br/><b>Description</b>: Reflectively loading the final stage into memory."]
    class tool_kaynldr tool

    malware_havoc["<b id='Havoc'>Malware</b>: Havoc Demon Implant<br/><b>Description</b>: Final stage implant running in memory."]
    class malware_havoc malware

    action_c2["<b id='T1102.002'>T1102.002 Web Service: Bidirectional Communication</b><br/><b>Description</b>: Establishing Command and Control via HTTPS POST.<br/><b>C2 URL</b>: www[.]sharingfile[.]cloud<br/><b>Evasion</b>: Mimics standard Chrome browser traffic."]
    class action_c2 network

    %% Connections Section
    %% Phishing leads to binary proxy execution
    action_phishing -->|leads_to| proc_sideload
    %% Proxy execution loads the NIGHTFORGE loader
    proc_sideload -->|executes| malware_nightforge
    %% NIGHTFORGE establishes persistence
    malware_nightforge -->|establishes| action_persistence
    %% NIGHTFORGE uses KaynLdr for reflective loading
    malware_nightforge -->|uses| tool_kaynldr
    %% KaynLdr injects Havoc Demon
    tool_kaynldr -->|injects| malware_havoc
    %% Havoc Demon communicates via C2
    malware_havoc -->|establishes C2 via| action_c2
Detections
Possible Malicious File Double Extension (via process_creation)
Possible Vmtools Dynamic Library Side-Loading Attempt (via image_load)
Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
IOCs (HashSha256) to detect: Behind Khmer Shadow: Targeted espionage against Cambodian government entities
IOCs (SourceIP) to detect: Behind Khmer Shadow: Targeted espionage against Cambodian government entities
IOCs (DestinationIP) to detect: Behind Khmer Shadow: Targeted espionage against Cambodian government entities
Detection of Khmer Shadow C2 Domain Activity [Windows Network Connection]
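The detection rules listed above and the monitoring advice in the Mitigation section can be exercised against sample telemetry before a rule is shipped. The script below is an added example written for this page, not one of the listed rules or code from the report: it runs a minimal version of each check (double extension on process creation, vmtools.dll side-loading on image load, unusual-TLD DNS, the C2 domain on DNS and network connection, plus schtasks creation from %LOCALAPPDATA% and gpupdate.exe with an unexpected parent) over constructed Sysmon-style events. The file name, binary, DLL, task name and domain are the ones the report names; the user paths, the document-extension list, the TLD watchlist, the expected gpupdate parents and the VMware install root are assumptions that a real deployment would tune to its baseline.

```python
"""Added example (not from the report): a toy detection pass over constructed
Windows telemetry modelled on the listed rule names and mitigation advice."""
import ntpath
import re

# Constructed sample events. Paths and parent processes are assumptions;
# the file name, binary, DLL, task name and domain come from the report.
LOCALAPP = r"C:\Users\user\AppData\Local\VMwareNamespace"
EVENTS = [
    {"type": "process_creation", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "",
     "Image": r"C:\Users\user\Downloads\Contact_Letter_To_Ms_Pech_ICB_Cambodia_On_Collaboration.pdf.exe"},
    {"type": "image_load", "Image": LOCALAPP + r"\VMwareNamespaceCmd.exe",
     "ImageLoaded": LOCALAPP + r"\vmtools.dll"},
    {"type": "image_load", "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtools.dll"},
    {"type": "process_creation", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": LOCALAPP + r"\VMwareNamespaceCmd.exe",
     "CommandLine": "schtasks /create /tn VMwareNamespace /sc minute /mo 10 /tr " + LOCALAPP + r"\VMwareNamespaceCmd.exe"},
    {"type": "process_creation", "Image": r"C:\Windows\System32\gpupdate.exe",
     "ParentImage": LOCALAPP + r"\VMwareNamespaceCmd.exe", "CommandLine": "gpupdate.exe"},
    {"type": "process_creation", "Image": r"C:\Windows\System32\gpupdate.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "gpupdate /force"},
    {"type": "dns", "QueryName": "www.sharingfile.cloud"},
    {"type": "dns", "QueryName": "update.microsoft.com"},
    {"type": "network_connection", "DestinationHostname": "www.sharingfile.cloud", "DestinationPort": 443},
]

# Detection parameters. Extension list, TLD watchlist, expected gpupdate
# parents and the VMware install root are assumed baselines; the C2 domain
# is the one the report names.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif)$", re.I)
UNUSUAL_TLDS = {"cloud", "top", "xyz", "icu"}
C2_DOMAINS = {"sharingfile.cloud"}
EXPECTED_GPUPDATE_PARENTS = {"svchost.exe", "cmd.exe", "powershell.exe", "explorer.exe"}
VMWARE_DIR = r"c:\program files\vmware"
LOCALAPPDATA_MARK = "\\appdata\\local\\"


def base(path):
    return ntpath.basename(path).lower()


def is_c2_domain(host):
    """Exact or subdomain match against the C2 watchlist."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def check(ev):
    """Return the names of every rule the event triggers."""
    hits = []
    kind = ev["type"]
    if kind == "process_creation":
        image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"].lower()
        if DOUBLE_EXT.search(image):
            hits.append("double_extension")
        if base(image) == "schtasks.exe" and "/create" in cmd and LOCALAPPDATA_MARK in parent.lower():
            hits.append("schtasks_create_from_localappdata")
        if base(image) == "gpupdate.exe" and base(parent) not in EXPECTED_GPUPDATE_PARENTS:
            hits.append("gpupdate_unusual_parent")
    elif kind == "image_load":
        # vmtools.dll loaded from outside the VMware install tree is a sideload candidate
        if base(ev["ImageLoaded"]) == "vmtools.dll" and not ev["ImageLoaded"].lower().startswith(VMWARE_DIR):
            hits.append("vmtools_sideload")
    elif kind == "dns":
        query = ev["QueryName"].lower().rstrip(".")
        if query.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
            hits.append("unusual_tld_dns")
        if is_c2_domain(query):
            hits.append("c2_domain_dns")
    elif kind == "network_connection":
        if is_c2_domain(ev["DestinationHostname"]):
            hits.append("c2_domain_connection")
    return hits


def run(events=EVENTS):
    """Map event index -> triggered rule names, omitting clean events."""
    return {i: check(ev) for i, ev in enumerate(events) if check(ev)}


if __name__ == "__main__":
    for idx, rules in run().items():
        print(f"event {idx}: {', '.join(rules)}")
```

The two legitimate events (vmtools.dll from the VMware install tree, gpupdate.exe spawned by svchost.exe) stay silent, which is the point of baselining the parent list and install root rather than alerting on the binary name alone; the C2 domain fires on both the DNS and the connection event so that either log source alone still catches it.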
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: An adversary has successfully deployed a Havoc Demon implant on a workstation within the target network. To establish Command and Control (C2) and evade basic perimeter defenses, the implant is configured to communicate with a specific set of domains identified in recent threat intelligence regarding Khmer Shadow activity. The implant will initiate an HTTP GET request to sharingfile.cloud to signal its presence and await further instructions. This action is designed to generate a proxy log entry containing the suspicious domain string.
- Regression Test Script:

  # Simulation script to trigger the Khmer Shadow C2 detection rule
  # This mimics a C2 check-in via an HTTP request to a suspicious domain.
  $C2_Domain = "http://sharingfile.cloud/api/v1/checkin"
  $UserAgent = "Havoc-Demon-Implant-v1.0"

  Write-Host "[!] Initiating simulated C2 communication to: $C2_Domain" -ForegroundColor Red

  try {
      # Using Invoke-WebRequest to simulate the network activity
      # A custom User-Agent is used to mimic a specific tool signature
      $response = Invoke-WebRequest -Uri $C2_Domain -UserAgent $UserAgent -Method Get -ErrorAction SilentlyContinue
      Write-Host "[+] Request sent successfully (Note: Failure is expected if domain is sinkholed/offline)." -ForegroundColor Green
  } catch {
      Write-Host "[+] Request attempted. Check proxy logs for connection attempt to the suspicious domain." -ForegroundColor Yellow
  }

- Cleanup Commands:

  # No persistent changes made by this simulation.
  # Clearing the command history to remove traces of the simulation.
  Clear-History
  Write-Host "[+] Cleanup complete." -ForegroundColor Green