Threat Group Cards: A Threat Actor Encyclopedia

APT group: Goblin Panda, Cycldek, Conimes

Names: Goblin Panda (CrowdStrike), Cycldek (Kaspersky), Conimes (Anomali), 1937CN (?)
Country: China
Motivation: Information theft and espionage
First seen: 2013
Description: (CrowdStrike) CrowdStrike first observed Goblin Panda activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors.

Malware variants primarily used by this actor include PlugX and HttpTunnel. This actor focuses a significant amount of its targeting activity on entities in Southeast Asia, particularly Vietnam. Heavy activity was observed in the late spring and early summer of 2014 when tensions between China and other Southeast Asian nations were high, due to conflict over territory in the South China Sea. Goblin Panda targets have been primarily observed in the defense, energy, and government sectors.
Observed:
  Sectors: Defense, Energy, Government.
  Countries: Cambodia, India, Indonesia, Laos, Malaysia, Myanmar, Philippines, Thailand, USA, Vietnam.
Tools used: BrowsingHistoryView, ChromePass, HDoor, HTTPTunnel, JsonCookies, nbtscan, NewCore RAT, PlugX, ProcDump, PsExec, QCRat, Sisfader, USBCulprit, ZeGhost, Living off the Land.
Operations performed:
  Jul 2016: A group identifying as Chinese hackers has attacked digital signage screens, overhead announcement systems and airline systems at airports across Vietnam.
  <https://www.infosecurity-magazine.com/news/chinese-hackers-attack-airports/>
  Sep 2017: Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158.
  <https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations>
  2018: Attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs.
  <https://securelist.com/cycldek-bridging-the-air-gap/97157/>
Information: <https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>
Playbook: <https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html>

Last change to this card: 04 June 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency