Cycldek is known for the active targeting of governments in Southeast Asia, and their preference for targets in Vietnam also known to be goblin panda

The group last year revealed to have used a piece of custom malware to exfiltrate data from air-gapped systems, a clear sign of evolution for a group considered less sophisticated. The more recent attacks, Kaspersky says, show further increase in sophistication.

The campaign relied on an infection chain that used DLL side-loading to deliver malicious code that would eventually deploy a remote access Trojan (RAT) to provide the attackers with full control over compromised machines.

As part of an attack against a high-profile Vietnamese organization, a legitimate component from Microsoft Outlook was being abused to load a DLL that would run a shellcode that was acting as a loader for the FoundCore RAT.

Once deployed, the malware would start four processes: one to establish persistence as a service, the second to hide the first process, the third to prevent access to the malicious file, and the fourth to establish connection to the command and control (C&C) server.

FoundCore provides the threat actor with full control over the victim machine. The malware includes support for a variety of commands, allowing for file system manipulation, process manipulation, execution of arbitrary commands, and screenshot grabbing. Other malware delivered as part of the attacks are DropPhone and CoreLoader.

According to the telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals.