
Cyber Incident Victim: Cambodian Government Organization

Date: Dec 2018

Location: Cambodia

Summary

A cyber espionage group known as Rancor targeted a Cambodian government entity through spear-phishing emails containing weaponized documents. The attackers deployed three custom malware families: Dudell, which executed malicious macros to download secondary payloads; DDKONG, a remote access Trojan establishing hidden communication with command-and-control servers; and Derusbi, a backdoor Trojan utilizing registry modifications for persistence. These tools enabled unauthorized system access and data exfiltration, with infrastructure involving domains like cswksfwq.kfesv.xyz and connect.bafunpda.xyz facilitating malicious operations. The campaign demonstrated advanced tactics to evade detection while compromising sensitive networks.


Description

Between December 2018 and January 2019, the cyber espionage group known as Rancor conducted targeted attacks against Cambodian government officials. This activity followed Unit 42’s initial disclosure of Rancor’s operations in June 2018, which documented the group’s campaigns across Southeast Asia from 2017 through 2018. The attackers employed spear-phishing emails containing malicious documents disguised as legitimate files to compromise targets. When recipients enabled document content, weaponized Excel macros executed Dudell malware, initiating a multi-stage infection process. This malware leveraged msiexec.exe to download secondary payloads from attacker-controlled infrastructure.

The campaign utilized three custom malware families to establish persistence and maintain access. Dudell served as the initial downloader, while DDKONG functioned as a remote access Trojan (RAT) that created hidden windows to evade detection before communicating with command-and-control (C2) servers at cswksfwq.kfesv.xyz and connect.bafunpda.xyz. The third malware family, Derusbi, operated as a backdoor Trojan requiring decryption keys for activation and modified Windows registry entries to ensure persistence. Security researchers identified these tactics through analysis of attack artifacts and network traffic patterns. Defensive measures included updates to threat prevention platforms to detect malware variants and block communications with the identified C2 domains. The incident demonstrated Rancor’s continued focus on Southeast Asian governmental entities through refined malware tooling and social engineering techniques.
