Behind Khmer Shadow: Targeted espionage against Cambodian government entities

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – The campaign began with a suspected phishing email delivering a malicious archive disguised as a PDF attachment (‘suspected spear-phishing email delivering a compressed SFX archive’).
• [T1218.011 ] System Binary Proxy Execution: Rundll32/Related Signed Binary Sideloading – The attackers used VMwareNamespaceCmd.exe to load the malicious vmtools.dll through DLL sideloading (‘Windows automatically loads the malicious DLL before the application begins execution’).
• [T1574.002 ] Hijack Execution Flow: DLL Side-Loading – The legitimate VMware-signed binary loaded attacker-controlled vmtools.dll to execute NIGHTFORGE (‘sideloading vmtools.dll’).
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Not mentioned directly as a registry key, but persistence was established through an automatically running scheduled task; no registry-based autostart was described, so not applicable.
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence was created by registering a scheduled task named VMwareNamespace (‘register the task under the name “VMwareNamespace”‘).
• [T1106 ] Native API – The loader used direct system calls and Windows APIs such as NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx (‘using direct syscalls’).
• [T1027 ] Obfuscated Files or Information – The shellcode was stored encrypted and decrypted with XOR before execution (‘decrypts the encoded shellcode stored on disk’).
• [T1140 ] Deobfuscate/Decode Files or Information – NIGHTFORGE derived an XOR key from the first 8 bytes of the encrypted file and decrypted the payload (‘XORs them against a hardcoded magic value…to derive an 8-byte key’).
• [T1562.001 ] Impair Defenses: Disable or Modify Tools – NTDLL unhooking removed inline hooks to bypass monitoring (‘used to remove the inline hooks’).
• [T1105 ] Ingress Tool Transfer – The payload was staged from disk and later executed in memory as part of the infection chain (‘decrypts and launches a Havoc Demon payload directly in memory’).
• [T1055.001 ] Process Injection: Dynamic-link Library Injection – The final stage injected code into memory and executed it within a process context (‘injecting it into the current process by allocating RWX memory’).
• [T1036 ] Masquerading – The lure files, task name, and process choices were designed to look legitimate (‘blends in with legitimate VMware entries’).
• [T1091 ] Replication Through Removable Media – Not mentioned in the article; no evidence provided, so not applicable.
• [T1202 ] Indirect Command Execution – The malicious DLL exported a function called by the signed binary to trigger execution (‘execution ultimately passes through VmCheck_IsVirtualWorld’).
• [T1112 ] Modify Registry – Not mentioned in the article; no registry modification was described, so not applicable.