Cyber Threat Actor: Cycldek
| Actor Type | Location | Known Incidents |
Spy
|
China
|
0 incidents |
|---|
Profile
Cycldek, also known as Goblin Panda and Conimes, is a China-linked cyber-espionage group that has been active since at least 2013. The group is recognized for its focus on targeting government and military entities in Southeast Asia, with a demonstrated preference for organizations in Vietnam. According to reporting from Kaspersky, Cycldek's activities have shown increasing sophistication over time, particularly in campaigns observed between mid-2020 and early 2021. The group's strategic objective appears to be espionage, as evidenced by its efforts to exfiltrate sensitive data from compromised systems.
Cycldek primarily targets sectors including government, military, health, diplomacy, education, and political organizations in Vietnam, which constituted approximately 80% of the victims in their recent campaign. The group has also occasionally targeted entities in Central Asia and Thailand, indicating a broader regional interest beyond Vietnam. This targeting pattern aligns with the group's established focus on Southeast Asian governmental institutions as a core aspect of their operations. The group's activities are consistently described as cyber-espionage in available sources, reflecting an intent to gather intelligence rather than pursue financial gain or disruptive outcomes.
The group's infection chain frequently employs DLL side-loading as an initial access vector, where legitimate software components are abused to load malicious code. In one observed technique, a legitimate component from Microsoft Outlook was manipulated to load a DLL that executed shellcode acting as a loader for the FoundCore remote access Trojan. Once deployed, FoundCore establishes multi-process functionality to maintain persistence, conceal its activities, prevent file access, and establish command and control communication. The malware provides attackers with comprehensive control over victim systems, enabling file system manipulation, process manipulation, arbitrary command execution, and screenshot capture. Additional malware variants delivered in these campaigns include DropPhone and CoreLoader, expanding the group's post-exploitation capabilities. Furthermore, Cycldek has demonstrated the ability to develop custom tools for specialized operations, such as the malware used to exfiltrate data from air-gapped systems in a 2019 incident.
While explicitly described as China-linked in public reporting, the available sources do not specify whether Cycldek operates under direct state sponsorship or as a criminal entity with tacit government approval. The group's consistent targeting of governmental and military targets in regions of strategic interest to China supports assessments of its alignment with Chinese intelligence objectives. However, without explicit attribution statements from governmental or intelligence agencies in the provided materials, the precise nature of any state affiliation remains as characterized by the China-linked designation.
Representative operations attributed to Cycldek include a 2019 campaign where custom malware was used to breach air-gapped systems and exfiltrate data, highlighting the group's technical adaptability. A more recent operation spanning from June 2020 to January 2021 demonstrated increased sophistication through the use of DLL side-loading techniques to deploy the FoundCore RAT across dozens of Vietnamese government and military organizations. These campaigns collectively illustrate Cycldek's evolution in tradecraft and its persistent focus on espionage targets within Southeast Asia.
