Targeted espionage against Cambodian government entities
June 11, 2026, 2:40 p.m.
Description
Acronis Threat Research Unit identified two espionage campaigns targeting Cambodian government entities in the defense and public works sectors, attributed to a cluster tracked as Khmer Shadow. Both campaigns delivered a custom C++ loader named NIGHTFORGE through government-themed lures packaged in self-extracting archives. NIGHTFORGE is launched by DLL sideloading through a legitimate VMware-signed binary (VMwareNamespaceCmd.exe); once running, it unhooks NTDLL and resolves syscalls with the Hell's Gate technique to evade user-mode EDR hooks, then decrypts and executes a Havoc Demon payload in memory. Persistence is established through scheduled tasks created via the Task Scheduler COM interface rather than the schtasks.exe command line. Despite these technical capabilities, the actor demonstrated poor operational security by reusing identical payloads and infrastructure across targets. The campaigns targeted Cambodia's Information Collection Bureau and the Ministry of Public Works and Transport using meeting-themed social engineering lures.
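As an added hunting example that is not part of the Acronis report or this page: the script below matches the indicators listed further down against a few constructed endpoint and network events and adds one behavioural check, flagging VMwareNamespaceCmd.exe whenever it runs from outside the VMware Tools install directory (the pattern a self-extracting archive dropping the signed host binary into a temp folder would produce). The install paths, the event schema, and the pairing of one listed hash with a sample file name are assumptions of this example, not facts from the page.

```python
"""
Added example (not from Acronis or the page): match the Khmer Shadow / NIGHTFORGE
indicators against constructed events, plus one behavioural check for the
VMwareNamespaceCmd.exe sideloading host.
"""
from pathlib import PureWindowsPath

# Indicators copied verbatim from the page's Indicators / Additional Information lists.
FILE_HASHES = {
    "1852120a84a328edd1995e633dfd2009867898a8e3f0b385e2490cf21c77a994",
    "15278c52f4e0d8b5bbfe288a5e826ab2ebeaedb7fb85572940cf1263e384761f",
    "b3e853eee14fb7948c6907888ee07139085ba9af4231c30e97ff6236b86ca024",
    "90bbfa9e7af176b85d110f4f1789cae6777fcb60813b047133c8f12caa344a17",
}
C2_IPS = {"193.169.240.38"}
C2_DOMAINS = {"sharingfile.cloud", "linkednewsapi.top"}  # www.sharingfile.cloud matches by suffix

# Assumption, not from the page: where the legitimate VMware Tools binary is installed.
# A copy running from anywhere else (e.g. the temp directory a self-extracting archive
# unpacks into) is the sideloading pattern the description refers to.
SIDELOAD_HOST = "vmwarenamespacecmd.exe"
LEGIT_VMWARE_DIRS = (
    "c:\\program files\\vmware\\",
    "c:\\program files (x86)\\vmware\\",
)


def domain_matches(query: str) -> bool:
    """True if the query is an indicator domain or a subdomain of one (not a lookalike suffix)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def check_event(event: dict) -> list[str]:
    """Return the indicator/behaviour hits for one normalised event (empty list if clean)."""
    hits = []
    # Hash rule applies to any event carrying a sha256 (file write, process start, ...).
    if event.get("sha256", "").lower() in FILE_HASHES:
        hits.append("sha256 matches Khmer Shadow indicator")
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "")
        name = PureWindowsPath(image).name.lower()
        if name == SIDELOAD_HOST and not image.lower().startswith(LEGIT_VMWARE_DIRS):
            hits.append("VMwareNamespaceCmd.exe outside VMware install dir (sideloading host)")
    elif kind == "dns":
        if domain_matches(event.get("query", "")):
            hits.append("DNS query for Khmer Shadow domain")
    elif kind == "netconn":
        if event.get("dst_ip") in C2_IPS:
            hits.append("connection to Khmer Shadow C2 IP")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and hits for every event that triggers at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]


# Constructed sample telemetry (not real logs): one true positive per rule plus benign noise.
# The hash-to-filename pairing in event 2 is made up for the example; the page does not
# say which artifact each listed hash belongs to.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Users\analyst\AppData\Local\Temp\7zS4F2A\VMwareNamespaceCmd.exe"},
    {"type": "process",
     "image": r"C:\Program Files\VMware\VMware Tools\VMwareNamespaceCmd.exe"},
    {"type": "file", "path": r"C:\Users\analyst\Downloads\attachment.bin",
     "sha256": "1852120a84a328edd1995e633dfd2009867898a8e3f0b385e2490cf21c77a994"},
    {"type": "dns", "query": "www.sharingfile.cloud"},
    {"type": "netconn", "dst_ip": "193.169.240.38", "dst_port": 443},
    {"type": "dns", "query": "sharingfile.cloud.example.org"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

Because the report notes that identical payloads and infrastructure were reused across targets, exact hash and domain matching is worth more here than it usually is; the path heuristic is what survives a recompiled loader. Note that persistence created through the Task Scheduler COM interface leaves no schtasks.exe command line to alert on, so task creation should be reviewed from the Task Scheduler operational log or Security event 4698 rather than from process telemetry.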
Date
- Created: June 11, 2026, 11:50 a.m.
- Published: June 11, 2026, 11:50 a.m.
- Modified: June 11, 2026, 2:40 p.m.
Indicators
- 1852120a84a328edd1995e633dfd2009867898a8e3f0b385e2490cf21c77a994
- 15278c52f4e0d8b5bbfe288a5e826ab2ebeaedb7fb85572940cf1263e384761f
- b3e853eee14fb7948c6907888ee07139085ba9af4231c30e97ff6236b86ca024
- 90bbfa9e7af176b85d110f4f1789cae6777fcb60813b047133c8f12caa344a17
- 193.169.240.38
- www.sharingfile.cloud
Additional Information
- Defense
- Government
- sharingfile.cloud
- linkednewsapi.top
- Cambodia