Recent cybersecurity investigations have revealed a sophisticated cyberespionage campaign attributed to a Chinese-speaking hacking group targeting various government and military institutions in Vietnam. The threat has been tentatively linked to the advanced persistent threat (APT) group known as Cycldek, also recognized as Goblin Panda or Hellsing, notorious for its spear-phishing tactics and strategic intrusions since at least 2013.
The attacks were documented between June 2020 and January 2021 and employed a technique known as DLL side-loading. This method facilitates the execution of shellcode that subsequently decrypts a malicious payload referred to as “FoundCore,” indicating a troubling advancement in the attackers’ sophistication.
Kaspersky’s research highlights how this technique of DLL side-loading leverages legitimate software to mask malicious activities, a tactic that has seen widespread use among threat actors to circumvent antivirus defenses. In this scenario, a legitimate Microsoft Outlook component loads a rogue library named “outlib.dll,” which manipulates the program’s execution flow to decode and execute malicious shellcode housed in a binary file.
The malware not only offers the attackers enhanced control over compromised systems but also incorporates protective measures against security analysis, complicating reverse-engineering efforts. Notably, much of the payload’s header has been obscured, leaving only unintelligible values behind.
This development signals a significant evolution in tactics among adversaries in the region, as indicated by Kaspersky’s findings. The malware FoundCore is capable of executing a range of commands, including file system and process manipulation, taking screenshots, and executing arbitrary commands. Investigations have also uncovered two additional malware strains associated with FoundCore: DropPhone, which collects and exfiltrates system information, and CoreLoader, designed to inhibit detection by security measures.
Cybersecurity experts hypothesize that the campaign likely commenced with a spear-phishing effort or other initial attack vectors prompting the download of deceptive RTF documents from malicious domains, culminating in the deployment of FoundCore. Among the impacted organizations, around 80% are based in Vietnam, primarily within the government and military sectors, as well as sectors related to health, diplomacy, education, and politics; additional victims have been identified in Central Asia and Thailand.
The analysis concludes that the implications of this campaign reach beyond localized threats. As noted by Kaspersky’s senior security researcher Mark Lechtik, the advancements in obfuscation techniques could foreshadow a more extensive reach, enabling the FoundCore malware to spread into broader geographic regions in the future.
Cybersecurity professionals should remain vigilant regarding these threats, keeping abreast of the tactics outlined in the MITRE ATT&CK framework, which include initial access through spear-phishing, persistence via DLL side-loading, and potential privilege escalation associated with malicious payload execution.
