Wednesday 14 October 16:30 - 17:00, Green room
Subhajeet Singha (Acronis)
In 2026, the Acronis Threat Research Unit discovered a previously unidentified APT group, which we track as Khmer Shadow, responsible for two distinct targeted cyber-espionage campaigns against high-value government institutions in Cambodia. One of these campaigns includes confirmed targeting of the Information Collection Bureau (ICB) within Cambodia's Ministry of National Defence, the country's primary military intelligence organ, a rare instance of a threat actor directly spear-phishing named personnel within a Southeast Asian military intelligence bureau. The campaigns also targeted the Ministry of Public Works and Transport, reflecting a collection mandate that spans both defence intelligence and strategic infrastructure. The threat actor, assessed with moderate confidence to be Chinese state-sponsored, used precision spear-phishing lures built around a fabricated Chinese development and investment persona, with decoy documents referencing real named personnel within the targeted bureaus, including an identified contact at the ICB. This level of specificity indicates prior reconnaissance and a deliberate, intelligence-driven target selection process consistent with Chinese state collection priorities in Southeast Asia.
Both campaigns delivered a custom loader, which we have named NightForge, that executes a multi-stage infection chain culminating in the deployment of a Havoc C2 agent on compromised systems. NightForge reflects significant technical investment, layering several defence-evasion techniques to execute stealthily on the target. It actively attempts to neutralize security tooling present on the host before executing the final payload, and it stores the encrypted payload under a machine-specific filename in a legitimate-looking staging directory, which hinders both detection and cross-victim correlation: because the filename differs on every host, a single file-name indicator cannot simply be reused across victims. This engineering demonstrates the actor's deliberate focus on operational security and long-term access.
This presentation will walk attendees through the entire attack chain of both campaigns, covering the multiple attack vectors used in each. We will examine the technical details in depth, from NightForge's maturity and evasion capabilities to the mechanics of its payload decryption and execution, alongside a detailed contextual analysis of the initial spear-phishing lures and decoy documents. We will explore the geographical focus on Cambodian government institutions and the deliberate selection of victims, explaining why Cambodia's military intelligence bureau and infrastructure ministry are high-value targets under Chinese state collection priorities. We will also present OSINT-based perspectives on the threat actor and pivots on its infrastructure, examining the indicators of prior reconnaissance reflected in the precision of the lures and the naming of specific personnel within the targeted bureaus.
Finally, we will describe how we hunted the campaigns' infrastructure, detailing how pivoting on Havoc C2 artifacts and NightForge delivery-chain indicators across both campaigns led to a series of interconnected infrastructure discoveries that ultimately support attribution to a Chinese state-sponsored actor. Attendees will leave with a clear understanding of Khmer Shadow's methods, the technical maturity of NightForge, the geopolitical rationale behind target selection, and actionable detection guidance for identifying this threat in their environments.
Subhajeet Singha works on threat intelligence, malware research and reverse engineering. He actively investigates advanced persistent threats (APTs), reverse-engineers complex malware strains, and contributes to research initiatives that improve threat detection. He has previously presented research at Virus Bulletin, the FIRST Conference and AVAR, and enjoys biking occasionally.
Back to VB2026 conference page