
Acronis Unmasks Espionage Campaigns Targeting Military Intelligence and Public Works Entities in the Cambodian Government via Sophisticated Malware Framework

Acronis Threat Research Unit (TRU) has uncovered two targeted espionage campaigns aimed at Cambodian Government entities in the defense and public works sectors, revealing the growing sophistication of cyber operations targeting public institutions across Southeast Asia. Detailed in Acronis’ latest threat research report, the campaigns leveraged a previously undocumented custom loader dubbed NIGHTFORGE to deploy the Havoc Demon malware framework while evading traditional security controls.

According to the report, the threat cluster, tracked by Acronis as Khmer Shadow, used government-themed lure documents delivered through self-extracting archives masquerading as legitimate files. The attacks employed DLL sideloading techniques using trusted VMware-signed binaries to execute NIGHTFORGE, which subsequently decrypted and launched Havoc Demon directly in memory. Researchers observed that both campaigns targeted Cambodian government organisations, including entities linked to defense and military intelligence operations.

TRU researchers identified several advanced defense evasion techniques within the malware chain, including NTDLL unhooking, Hell’s Gate syscall resolution, in-memory payload execution and COM-based persistence mechanisms. Despite demonstrating a moderate level of technical sophistication, the operators repeatedly reused infrastructure, payloads and operational methods across campaigns, enabling researchers to identify additional malicious assets and infrastructure linked to the activity cluster.

The report further highlights how threat actors are increasingly blending advanced malware capabilities with trusted software components and legitimate system processes to evade detection and maintain long-term access within targeted environments. Acronis assesses with moderate confidence that the activity is espionage-motivated and aligned with regional intelligence collection interests in Southeast Asia.

To defend against similar threats, Acronis recommends that organisations strengthen monitoring of trusted applications and software dependencies, implement robust endpoint detection capabilities, continuously assess suspicious persistence mechanisms and maintain proactive threat hunting practices to identify malicious activity before it escalates.
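The sideloading chain described earlier (a validly signed vendor binary dropped by a self-extracting archive, loading a malicious DLL from the same directory) is exactly what the recommendation to monitor trusted applications and their dependencies is aimed at. The hunt heuristic below is an added example, not Acronis' or the report's own code: it assumes image-load telemetry already normalised into records with the process path, the process signer, the loaded DLL path and the DLL signer, and flags a signed binary running outside a standard install root that loads a co-located DLL which is unsigned or signed by a different publisher. The record layout, paths, binary names and signer strings are all constructed for the example.

```python
"""Hunt heuristic for DLL sideloading through trusted signed binaries.

Assumed input: image-load events normalised into dicts with the keys
process_path, process_signer, dll_path and dll_signer (None if unsigned).
This layout and the sample events are constructed for the example.
"""
import ntpath  # Windows path semantics regardless of the analysis host
from typing import Iterable, List, Optional

# Roots where a vendor binary legitimately lives (assumption; tune per estate).
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed EXE outside an install root loads a co-located DLL
    that is unsigned or carries a different signer than the EXE itself."""
    exe = ev["process_path"].lower()
    dll = ev["dll_path"].lower()
    if not ev.get("process_signer"):
        return False  # host binary is unsigned: not the trusted-binary pattern
    if exe.startswith(INSTALL_ROOTS):
        return False  # running from a normal install path
    if ntpath.dirname(exe) != ntpath.dirname(dll):
        return False  # DLL is not co-located with the EXE (e.g. System32)
    dll_signer: Optional[str] = ev.get("dll_signer")
    return dll_signer is None or dll_signer.lower() != ev["process_signer"].lower()


def hunt(events: Iterable[dict]) -> List[str]:
    """Return 'exe -> dll' strings for every event matching the heuristic."""
    return [f"{e['process_path']} -> {e['dll_path']}" for e in events if is_sideload_candidate(e)]


# Constructed sample events; names and signer strings are illustrative only.
SAMPLE_EVENTS = [
    {"process_path": r"C:\Program Files\Vendor\vendor_tool.exe", "process_signer": "Vendor, Inc.",
     "dll_path": r"C:\Program Files\Vendor\vendor_core.dll", "dll_signer": "Vendor, Inc."},
    {"process_path": r"C:\Users\alice\AppData\Local\Temp\7zS1\vendor_tool.exe", "process_signer": "Vendor, Inc.",
     "dll_path": r"C:\Users\alice\AppData\Local\Temp\7zS1\vendor_core.dll", "dll_signer": None},
    {"process_path": r"C:\Users\alice\Downloads\report\vendor_tool.exe", "process_signer": "Vendor, Inc.",
     "dll_path": r"C:\Windows\System32\kernel32.dll", "dll_signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

Only the second event fires: the first runs from its install root with a matching signer, and the third loads a system DLL from a different directory.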

For more information and additional insights, visit:
https://www.acronis.com/en/tru/posts/behind-khmer-shadow-targeted-espionage-against-cambodian-government-entities
