Date:

Jun 2020

Location:

Viet Nam

Summary

A China-linked cyber-espionage group known as Cycldek conducted a sophisticated campaign targeting Vietnamese government and military entities, along with organizations in the health, diplomacy, education, and political sectors. The attackers employed DLL side-loading to deploy malicious payloads, including the FoundCore remote access Trojan, which gave them full system control, file manipulation, command execution, and screenshot capture. Additional malware, including DropPhone and CoreLoader, was used in the attacks; the implants established persistence, hid their malicious processes, and connected to command-and-control infrastructure. Dozens of organizations were compromised, predominantly within Vietnam, with occasional targets in Central Asia and Thailand. The operation demonstrated increased technical evolution compared to the group's earlier activities.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

China-linked cyber-espionage group Cycldek, also known as Goblin Panda and Conimes, conducted a campaign targeting Vietnamese government and military entities between June 2020 and January 2021. The group, active since at least 2013, had historically focused on Southeast Asian governments but demonstrated increasing technical sophistication in this operation. Attackers employed an infection chain leveraging DLL side-loading to deliver malicious payloads, ultimately deploying the FoundCore remote access Trojan (RAT) on compromised systems. During an attack against a high-profile Vietnamese organization, threat actors abused a legitimate Microsoft Outlook component to load a malicious DLL. This DLL executed shellcode acting as a loader for FoundCore, which established persistence through multiple coordinated processes: one creating a service for persistence, another hiding that service, a third blocking access to malicious files, and a fourth connecting to command-and-control infrastructure.


The FoundCore RAT gave the attackers comprehensive control over infected machines, including file system manipulation, process execution, arbitrary command execution, and screenshot capture. Additional malware families, including DropPhone and CoreLoader, were deployed alongside FoundCore during the campaign. Kaspersky telemetry indicated dozens of affected organizations, approximately 80% of them located in Vietnam, across the government, military, health, diplomatic, educational, and political sectors. Secondary targets included entities in Central Asia and Thailand. The incident continued Cycldek's focus on Vietnamese targets following earlier campaigns, including a 2019 operation in which the group deployed custom malware to breach air-gapped systems. No specific remediation actions or victim responses were detailed in available reporting.

Sources
1 source (available to members)