ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Goblin Panda, Cycldek, Conimes

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Goblin Panda, Cycldek, Conimes

NamesGoblin Panda (CrowdStrike)
Cycldek (Kaspersky)
Conimes (Anomali)
1937CN (?)
CountryChina China
MotivationInformation theft and espionage
First seen2013
Description(CrowdStrike) CrowdStrike first observed Goblin Panda activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors.

Malware variants primarily used by this actor include PlugX and HttpTunnel. This actor focuses a significant amount of its targeting activity on entities in Southeast Asia, particularly Vietnam. Heavy activity was observed in the late spring and early summer of 2014 when tensions between China and other Southeast Asian nations were high, due to conflict over territory in the South China Sea. Goblin Panda targets have been primarily observed in the defense, energy, and government sectors.
ObservedSectors: Defense, Energy, Government.
Countries: Cambodia, India, Indonesia, Laos, Malaysia, Myanmar, Philippines, Thailand, USA, Vietnam.
Tools used8.t Dropper, BlueCore, BrowsingHistoryView, ChromePass, CoreLoader, DropPhone, FoundCore, HDoor, HTTPTunnel, JsonCookies, nbtscan, NewCore RAT, PlugX, ProcDump, PsExec, QCRat, RedCore, Sisfader, USBCulprit, ZeGhost, Living off the Land.
Operations performedJul 2016A group identifying as Chinese hackers has attacked digital signage screens, overhead announcement systems and airline systems at airports across Vietnam.
Sep 2017Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158.
2018Attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs.
Jun 2020The leap of a Cycldek-related threat actor

Last change to this card: 15 May 2021

Download this actor card in PDF or JSON format

Previous: GhostNet, Snooping Dragon
Next: GoldenJackal

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]