Attackers Abuse Signed VMware Binary to Sideload NIGHTFORGE Loader

Cybersecurity researchers have uncovered an espionage campaign targeting Cambodian government institutions. The attackers abuse a legitimate, VMware-signed executable to load a custom loader named NIGHTFORGE, so that their code runs inside a trusted, validly signed process and is less likely to be flagged.

The operation, dubbed “Khmer Shadow,” focuses on intelligence gathering from defense and public infrastructure sectors in Cambodia. This suggests the involvement of a well-resourced threat actor with a strategic interest in Southeast Asia.

According to Acronis Threat Research Unit (TRU), the campaign relies on DLL sideloading: VMware's signed executable, VmwareSampling.exe, is made to load a malicious DLL placed beside it. Because the process image carries a valid vendor signature, controls that trust signed binaries, including reputation- and allowlist-based defenses, tend to let it run, while the malicious code executes inside that trusted process.

The attack begins with a phishing email carrying a compressed archive. The archive contains a government-themed decoy document, the VMware executable, and a malicious DLL. When the victim launches the executable, the Windows loader resolves one of its dependencies from the application's own directory first and therefore maps the attacker's DLL, which is the NIGHTFORGE loader.
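The behavior described above (a signed executable running from an extracted archive and loading an unsigned DLL from its own directory) is detectable from image-load telemetry. The following is an added example, not code from Acronis TRU or from the campaign report: a small Python detector run over constructed, Sysmon-like image-load events. The tab-separated event format, the signer strings, the install path under Program Files and the DLL name "sideload.dll" are all assumptions made for illustration; the article does not name the malicious DLL.

```python
"""Candidate DLL-sideloading detector over simplified image-load events.

Added example; the event format, signer strings, paths and DLL names below
are constructed for illustration and are not from the reported campaign.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Install roots where a signed vendor executable is expected to live.
# A signed EXE running from anywhere else (Downloads, Temp, an extracted
# archive) that loads a sibling DLL is the sideloading pattern.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ImageLoad:
    process_image: str    # executable that mapped the module
    process_signer: str   # verified publisher of that executable ("" = unsigned)
    loaded_image: str     # module that was mapped
    loaded_signer: str    # verified publisher of the module ("" = unsigned)


def parse_event(line: str) -> ImageLoad:
    """Parse one tab-separated key=value line (a constructed, Sysmon-like format)."""
    fields = dict(token.split("=", 1) for token in line.split("\t"))
    return ImageLoad(
        process_image=fields["Image"],
        process_signer=fields.get("ImageSigner", ""),
        loaded_image=fields["ImageLoaded"],
        loaded_signer=fields.get("ImageLoadedSigner", ""),
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.loaded_image)
    if dll.suffix.lower() != ".dll":
        return False
    # Condition 1: the DLL was resolved from the executable's own directory,
    # which is where the loader looks first for application-local modules.
    if str(proc.parent).lower() != str(dll.parent).lower():
        return False
    # Condition 2: the host is signed but runs outside a trusted install root.
    if not ev.process_signer:
        return False
    if (str(proc.parent).lower() + "\\").startswith(TRUSTED_ROOTS):
        return False
    # Condition 3: the sibling DLL is unsigned or signed by a different
    # publisher than the host, so it is not the vendor's own module.
    return ev.loaded_signer.lower() != ev.process_signer.lower()


def scan(lines):
    """Return the loaded-image paths of every sideload candidate, in order."""
    return [ev.loaded_image for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Signed VMware EXE launched from an extracted archive loads ntdll: normal.
    "Image=C:\\Users\\alice\\Downloads\\archive\\VmwareSampling.exe\tImageSigner=VMware, Inc.\t"
    "ImageLoaded=C:\\Windows\\System32\\ntdll.dll\tImageLoadedSigner=Microsoft Windows",
    # Same EXE loads an unsigned DLL from its own directory: sideload candidate.
    # "sideload.dll" is a placeholder name; the article does not name the DLL.
    "Image=C:\\Users\\alice\\Downloads\\archive\\VmwareSampling.exe\tImageSigner=VMware, Inc.\t"
    "ImageLoaded=C:\\Users\\alice\\Downloads\\archive\\sideload.dll\tImageLoadedSigner=",
    # Vendor EXE in a (hypothetical) install directory loads a vendor-signed sibling: normal.
    "Image=C:\\Program Files\\VMware\\VMware Tools\\VmwareSampling.exe\tImageSigner=VMware, Inc.\t"
    "ImageLoaded=C:\\Program Files\\VMware\\VMware Tools\\vmtools.dll\tImageLoadedSigner=VMware, Inc.",
    # Unsigned EXE loading an unsigned sibling: not the signed-host pattern.
    "Image=C:\\Users\\alice\\Downloads\\tool\\tool.exe\tImageSigner=\t"
    "ImageLoaded=C:\\Users\\alice\\Downloads\\tool\\helper.dll\tImageLoadedSigner=",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

Two caveats for anyone adapting this. The signer fields must come from verified Authenticode results (chain validation, not merely the presence of a signature), otherwise an attacker-supplied self-signed DLL would pass the publisher comparison. And legitimate application-local plugins do sit beside their host executables, so in production this rule is paired with process-creation context (parent is an archive tool or mail client, image path under a user profile) and an allowlist of known vendor modules rather than used on its own.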

NIGHTFORGE uses several evasion techniques. It unhooks ntdll.dll, restoring the original code of the system call stubs and thereby removing the user-mode hooks that endpoint security products place there to observe API calls, and it uses the Hell's Gate technique to recover system call numbers at runtime by reading them from the ntdll stubs, so that it can issue syscalls directly rather than through any hooked wrapper. With that monitoring sidestepped, the loader decrypts the Havoc Demon payload and injects it directly into memory, leaving minimal traces on disk.

Havoc is an open-source command-and-control framework whose agent is named Demon. It is commonly used in red team operations but is increasingly being adopted in real-world intrusions.

This campaign underscores the growing trend of threat actors abusing legitimate, signed binaries to deploy malware. A valid code signature attests to who published an executable, not to what the process does once a DLL beside it has been swapped for a malicious one. Defenders should therefore treat signed binaries as subjects of monitoring rather than as exempt from it, and in particular look for signed executables running from unusual locations, such as download or temp directories, that load unsigned or differently signed DLLs from their own directory.

Source: Cyber Security News