{
	"id": "36dc0a02-94ec-450c-84b5-4c4e5c193514",
	"created_at": "2026-04-06T00:18:06.826628Z",
	"updated_at": "2026-04-10T13:11:58.705867Z",
	"deleted_at": null,
	"sha1_hash": "07abf8d563b06610e15d6e277748aedee6c310d2",
	"title": "Cycldek: Bridging the (air) gap",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 753276,
	"plain_text": "Cycldek: Bridging the (air) gap\r\nBy GReAT\r\nPublished: 2020-06-03 · Archived: 2026-04-05 16:33:59 UTC\r\nKey findings\r\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of\r\ninformation on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group\r\nand provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be\r\ndescribed in this publication:\r\nCycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted\r\noperations against governments in Southeast Asia.\r\nOur analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are\r\nactive under a mutual quartermaster.\r\nWe were able to uncover an extensive toolset for lateral movement and information stealing used in targeted\r\nnetworks, consisting of custom and unreported tools as well as living-off-the-land binaries.\r\nOne of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate\r\nvictim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on\r\nphysical presence for the same purpose.\r\nBackground\r\nCycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has a strong interest in\r\nSoutheast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. 
This is evident\r\nfrom a series of targeted campaigns that are publicly attributed to the group, as outlined below:\r\n2013 – indicators affiliated to the group were found in a network of a technology company operating in several\r\nsectors, as briefly described by CrowdStrike.\r\n2014 – further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations,\r\nmost notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering\r\ncommodity malware like PlugX, that was typically leveraged by Chinese-speaking actors.\r\n2017 – the group was witnessed launching attacks using RTF lure documents with political content related to\r\nVietnam, dropping a variant of a malicious program named NewCore RAT, as described by Fortinet.\r\n2018 – attacks have been witnessed in government organizations across several Southeast Asian countries, namely\r\nVietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder,\r\ndeveloped versions of the NewCore RAT malware and other unreported implants. These were the focus of intel\r\nreports available to Kaspersky’s Threat Intelligence Portal subscribers since October 2019, and will be the subject\r\nmatter of this blog post.\r\nFigure 1: Timeline of Cycldek-attributed attacks.\r\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder\r\n(also known as ‘Royal Road’) and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits\r\n(e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\r\nhttps://securelist.com/cycldek-bridging-the-air-gap/97157/\r\nPage 1 of 12\n\na legitimate signed application, usually related to an AV product, e.g. 
QcConsol – McAfee’s QuickClean utility, and\r\nwsc_proxy.exe, Avast’s remediation service.\r\na malicious DLL which is side-loaded by the former application.\r\nan encrypted binary which gets decrypted and executed by the DLL.\r\nThe final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework\r\nnamed PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software\r\nis fully available on Github, allowing attackers to leverage and modify it for their needs.\r\nIn the case of Cycldek, the first public accounts of the group’s usage of NewCore date back to 2017. As described in a blog\r\npost by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files,\r\ntaking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\r\nTwo implants, two clusters\r\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to\r\ndistinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code\r\nand behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\r\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a\r\nresult, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to\r\nprofile their related clusters. 
Notable characteristics of each cluster’s implant are summarized in the table below.\r\nTrait | BlueCore | RedCore\r\nInitial Infection Vector | RTF documents | Unknown\r\nLegitimate AV Utility | QcConsol.exe (McAfee’s QuickClean utility) | wsc_proxy.exe (Avast’s remediation application)\r\nSide-Loaded DLL | QcLite.dll | wsc.dll\r\nPayload Loader | stdole.tlb – contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm – contains PE loading shellcode and an encrypted RedCore binary\r\nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe\r\nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or C:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini\r\nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214}\r\nCommunicated URL Scheme | http://%s:%d/link?url=%s\u0026enpl=%s\u0026encd=%s | http://%s:%d/search.jsp?referer=%s\u0026kw=%s\u0026psid=%s or http://%s:%d/search.jsp?url=%s\u0026referer=%s\u0026kw=%s\u0026psid=%s\r\nTable 1: Comparison of BlueCore and RedCore loader and implant traits.\r\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run\r\ncode from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of\r\nrandom UUIDs, where mutexes are used for synchronization of thread execution. 
By comparing code in both implants, we\r\ncan find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the\r\nfigure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\r\nFigure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in\r\nyellow in BlueCore is an inlined version of the marked function in RedCore.\r\nMoreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This\r\nshellcode, which resides in the files ‘stdole.tlb’ and ‘msgsm64.acm’, contains a routine used to decrypt the implants’ raw\r\nexecutable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces\r\nof shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they\r\noriginate from a proprietary shared resource.\r\nFigure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters.\r\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by\r\nlooking at malware functionality that is unique to one type of implant and absent from the other. The following are examples\r\nof features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were\r\nlikely used by a different entity for different purposes:\r\nKeylogger: RedCore records the title of the current foreground window (if it exists) and logs keystrokes each 10ms to\r\nan internal buffer of size 65530. 
When this buffer is filled, data from it is written to a file named ‘RCoRes64.dat’.\r\nThe data is encoded using a single byte XOR with the key 0xFA.\r\nDevice enumerator: RedCore registers a window class intended to intercept window messages with a callback that\r\nchecks if the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection\r\nof a device to the system, in which case the callback verifies that this device is a new volume, and if it is, it sends a\r\nbitmap with the currently available logical drives to the C\u0026C.\r\nRDP logger: RedCore subscribes to an RDP connection event via ETW and notifies the C\u0026C when it occurs. The\r\ncode that handles this functionality is based on a little-known Github repository named EventCop which is intended\r\nto obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of\r\nprinting the data of the incoming connection, the malware would contact the C\u0026C and inform it about the connection\r\nevent.\r\nProxy server: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts\r\nrequests from non-localhost connections. A firewall exception is made for the process before the server starts\r\nrunning, and any subsequent requests passed from a source to it will be validated and passed on to the C\u0026C in their\r\noriginal format.\r\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C\u0026C\r\nservers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C\u0026C\r\nservers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware\r\ntype were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or\r\ninjected with malicious code. 
All of the discovered domains were used to download further samples.\r\nFigure 4: Difference in URL scheme used by each implant for C2 communication.\r\nThe conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each\r\ncluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their\r\nefforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started\r\nout with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number\r\nof detected samples we witnessed downloaded from each cluster of C\u0026Cs, are outlined in the figures below.\r\nFigure 5: Volume of downloaded samples from C\u0026Cs of each cluster by country and month, since mid-2018.\r\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to\r\na single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were\r\ndownloaded from servers of both groups. One example of this, which can be seen in the figure below, is a tool custom built\r\nby the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more\r\ncomprehensive list can be found in the Appendix. All in all, this suggests the entities operating behind those clusters are\r\nsharing multiple resources – both code and infrastructure – and operating under a single organizational umbrella.\r\nFigure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. 
Further\r\nexamples are provided in the Appendix.\r\nDuring the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used\r\nfor either lateral movement in the compromised networks or information stealing from infected nodes. There were several\r\ntypes of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from\r\nopen-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.\r\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed\r\napplications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and\r\nmcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe)\r\nand Google Updates (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like\r\napplication allowlisting, grant the malware additional permissions during execution or complicate incident response.\r\nAs already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct\r\nmalicious activities. Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common\r\nbrowsers), ProcDump (Sysinternals tools used to dump memory, possibly to obtain passwords from running processes),\r\nNbtscan (command line utility intended to scan IP networks for NetBIOS information) and PsExec (Sysinternals tools used\r\nto execute commands remotely in the network, typically used for lateral movement).\r\nThe rest of the tools were either developed fully by the attackers or made use of known tools that were customized to\r\naccommodate particular attack scenarios. 
The following are several notable examples:\r\nCustom HDoor: an old tool providing full-featured backdoor capabilities like remote machine administration,\r\ninformation theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose,\r\nit was popular in Chinese underground forums for a while and made its way into the APT world in the form of\r\nvariants based on it. One example is the Naikon APT that made use of the original tool.\r\nThe custom version used by Cycldek uses a small subset of the features and the attackers used it to scan internal\r\nnetworks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies.\r\nThe tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not\r\nconnected to the internet.\r\nFigure 7: Command line usage of the custom HDoor tool.\r\nJsonCookies: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this\r\npurpose, the sqlite3.dll library is downloaded from the C\u0026C and used during execution to parse the database and\r\ngenerate a JSON file named ‘FuckCookies.txt’ containing stolen cookie info. Entries in the file resemble this one:\r\n{\r\n\"domain\": \".google.com\",\r\n\"id\": 1,\r\n\"name\": \"NID\",\r\n\"path\": \"/\",\r\n\"value\": \"%VALUE%\"\r\n}\r\nChromePass: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of\r\nthe parsed database is an HTML document containing a table with URLs and their corresponding stolen username\r\nand password information. 
This program includes a descriptive command line message that explains how to use it, as\r\noutlined below.\r\nFigure 8: Command line usage of the ChromePass tool.\r\nFormerly Unreported Malware: USBCulprit\r\nOne of the most notable examples in Cycldek’s toolset that demonstrates both data stealing and lateral movement\r\ncapabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants\r\nin several instances, is capable of scanning various paths in victim machines, collecting documents with particular\r\nextensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a\r\nremovable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected\r\nand the executable in them opened manually.\r\nDuring the time the malware was active, it showed little change in functionality. Based on Kaspersky’s telemetry,\r\nUSBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent\r\naddition incorporated to samples detected after 2017 is the capability to execute files with a given name from a connected\r\nUSB. This suggests that the malware can be extended with other modules. However, we were not able to capture any such\r\nfiles and their purpose remains unknown.\r\nAnother change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper\r\nthat wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a\r\nmalicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the\r\nside-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. 
As a result, the latter can\r\nbe found in its decrypted form only in memory.\r\nThis loading scheme demonstrates that the actor behind it makes use of similar TTPs seen in the previously described\r\nimplants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive named ‘wrapper.exe’ (originally named\r\n‘PtUserSessionWrapper.exe’ and belonging to Trend Micro) forces the execution of a malicious DLL named\r\n‘TmDbgLog.dll’. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a\r\ncustom PE loader. The full chain is depicted in the figure below.\r\nFigure 9: USBCulprit’s loading flow, as observed in samples after 2017.\r\nOnce USBCulprit is loaded to memory and executed, it operates in three phases:\r\nBootstrap and data collection: this stage prepares the environment for the malware’s execution. Namely, it invokes\r\ntwo functions named ‘CUSB::RegHideFileExt’ and ‘CUSB::RegHideFile’ that modify registry keys to hide the\r\nextensions of files in Windows and verify that hidden files are not shown to the user. It also writes several files to\r\ndisk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the\r\nmalware makes a single scan to collect files it intends to steal using a function named ‘CUSB::USBFindFile’. They\r\nare sought by enumerating several predefined directories to locate documents with either one of the following\r\nextensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that\r\nenlists all targeted paths for theft within a directory, such that every checked directory has a corresponding list file.\r\nThe chosen files are then grouped into encrypted RAR archives. 
To achieve that, the malware extracts a ‘rar.exe’ command\r\nline utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The\r\npassword for the archive is initialized at the beginning of the malware’s execution, and is set to ‘abcd!@#$’ for most\r\nvariants that we observed.\r\nIt is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a\r\ncheck for a file named ‘time’ within the directory from which the malware is executed. This file is expected to have a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If\r\nthe ‘time’ file doesn’t exist, it is created with the default value ‘20160601000000’ corresponding to 01/06/2016 00:00:00.\r\nUSB connection interception and data exfiltration/delivery: when bootstrapping and data collection is completed,\r\nthe malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive.\r\nThis is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to\r\ncheck all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE,\r\nfurther actions are taken.\r\nWhen a USB is connected, the malware will verify if stolen data should be exfiltrated to it or it already contains existing\r\ndata that should be copied locally. To do this, a directory named ‘$Recyc1e.Bin’ will be searched in the drive and if not\r\nfound, will be created. This directory will be used as the target path for copying files to the drive or source path for obtaining\r\nthem from it.\r\nTo understand which direction of file copy should take place, a special marker file named ‘1.txt’ is searched locally. 
If it\r\nexists, the malware would expect to find the aforementioned ‘$Recyc1e.Bin’ directory in the drive with previously stolen\r\ndocument archives and attempt to copy it to the disk. Otherwise, the local archive files will be copied to the same directory\r\nfrom the disk to the drive.\r\nFigure 10: USBCulprit’s check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or\r\nfrom it.\r\nLateral movement and extension: as part of the same loop mentioned above, the existence of another marker file\r\nnamed ‘2.txt’ will be checked locally to decide if lateral movement should be conducted or not. Only if this file\r\nexists, will the malware’s binary be copied from its local path to the ‘$Recyc1e.Bin’ directory. It’s noteworthy that\r\nwe were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which\r\nleads us to believe the malware is supposed to be run manually by a human handler. Apart from the above,\r\nUSBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for\r\nthe existence of predefined files in the USB and executing them. Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not\r\nobtain those files during analysis and cannot tell what their exact purpose is. We can only guess that they are used as\r\nextension modules or updated versions of the malware itself based on their behavior. The former is an archive that is\r\nextracted to a specific directory that has its files enumerated and executed using an internal function named\r\n‘CUSB::runlist’, while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.\r\nThe characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to\r\nreach and obtain data from air-gapped machines. 
This would explain the lack of any network communication in the\r\nmalware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed\r\nsome variants issue commands to gather various pieces of host network information. These are logged to a file that is later\r\ntransferred along with the stolen data to the USB and can help attackers profile whether the machine in which the malware\r\nwas executed is indeed part of a segregated network.\r\nFigure 11: Commands used to profile the network connectivity of the compromised host.\r\nAnother explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no\r\nevident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was\r\nexecuted from various drive locations, suggesting it was indeed spread around. This, along with the very specific files that\r\nthe malware seeks as executable extensions and could not be found as artifacts elsewhere in our investigation, points to a\r\nhuman factor being required to assist deployment of the malware in victim networks.\r\nConclusion\r\nCycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its\r\nactivity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations\r\nshow that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\r\nFurthermore, our analysis of the implants affiliated to the group gives an insight into its organizational structure. As already\r\nstated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from\r\ndifferent arms of a single organization. 
It is perhaps worth noting that we observed multiple points where such entities didn’t\r\nwork in a well-coordinated manner, for example, infecting machines using the BlueCore implant when they were already\r\ninfected with RedCore.\r\nLastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped\r\nnetworks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this\r\ntype of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors. We continue to\r\ntrack the actor and report on its activity in our Threat Intelligence Portal.\r\nFor more information about Cycldek operations, contact us at: intelreports@kaspersky.com\r\nAppendix – IOCs\r\nNote: a full list of IOCs can be found in our reports on the subject in Kaspersky’s Threat Intelligence Portal.\r\nRedCore:\r\nA6C751D945CFE84C918E88DF04D85798 – wsc.dll (side-loaded DLL)\r\n4B785345161D288D1652C1B2D5CEADA1 – msgsm64.acm (encrypted shellcode and implant)\r\nBlueCore:\r\n1B19175C41B9A9881B23B4382CC5935F – QcLite.dll (side-loaded DLL)\r\n6D2E6A61EEDE06FA9D633CE151208831 – QcLite.dll (side-loaded DLL)\r\n6EA33305B5F0F703F569B9EBD6035BFD – QcLite.dll (side-loaded DLL)\r\n600E14E4B0035C6F0C6A344D87B6C27F – stdole.tlb (encrypted shellcode and implant)\r\nLateral Movement and Info-Stealing Toolset:\r\n1640EE7A414DFF996AF8265E0947DE36 Chromepass\r\n1EA07468EBDFD3D9EEC59AC57A490701 Chromepass\r\n07EE1B99660C8CD5207E128F44AA8CBC JsonCookies\r\n809196A64CA4A32860D28760267A1A8B Custom HDoor\r\n81660985276CF9B6D979753B6E581D34 Custom HDoor\r\nA44804C2767DCCD4902AAE30C36E62C0 Custom HDoor\r\nUSBCulprit:\r\nA9BCF983FE868A275F8D9D8F5DEFACF5 USBCulprit Loader\r\nC73B000313DCD2289F51B367F744DCD8 USBCulprit Loader\r\n2FB731903BD12FF61E6F778FDF9926EE USBCulprit Loader\r\n4A21F9B508DB19398AEE7FE4AE0AC380 USBCulprit Loader\r\n6BE1362D722BA4224979DE91A2CD6242 USBCulprit 
Loader\r\n7789055B0836A905D9AA68B1D4A50F09 USBCulprit Loader\r\n782FF651F34C87448E4503B5444B6164 USBCulprit Loader\r\n88CDD3CE6E5BAA49DC69DA664EDEE5C1 USBCulprit Loader\r\nA4AD564F8FE80E2EE52E643E449C487D USBCulprit Loader\r\n3CA7BD71B30007FC30717290BB437152 USBCulprit Payload\r\n58FE8DB0F7AE505346F6E4687D0AE233 USBCulprit Payload\r\nA02E2796E0BE9D84EE0D4B205673EC20 USBCulprit Payload\r\nD8DB9D6585D558BA2D28C33C6FC61874 USBCulprit Payload\r\n2E522CE8104C0693288C997604AE0096 USBCulprit Payload\r\nToolset overlapping in both clusters:\r\nCommon Name | MD5 | Blue Cluster Domain | Red Cluster Domain\r\nchromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar.com:8080 | http://news.trungtamwtoa.com\r\ngoopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn.com:8080 | http://mychau.dongnain.com:4, http://hcm.vietbaonam.com:44\r\ngoopdate.dll | 2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys.com:8080, http://tinmoi.thoitietdulich.com:443, http://tinmoi.thoitietdulich.com:53 | http://tinmoi.vieclamthemde.co, http://tinmoi.vieclamthemde.co\r\nqclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh.com | http://tinmoi.vieclamthemde.co, http://tintuc.daikynguyen21.co\r\nsilverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://login.dangquanwatch.com, http://info.coreders.com:8080 | http://web.laovoanew.com:443, http://cdn.laokpl.com:8080\r\nC\u0026Cs and Dropzones:\r\nhttp://web.laovoanew[.]com – Red Cluster\r\nhttp://tinmoi.vieclamthemde[.]com – Red Cluster\r\nhttp://kinhte.chototem[.]com – Red Cluster\r\nhttp://news.trungtamwtoa[.]com – Red Cluster\r\nhttp://mychau.dongnain[.]com – Red Cluster\r\nhttp://hcm.vietbaonam[.]com – Red Cluster\r\nhttp://login.thanhnienthegioi[.]com – Red Cluster\r\nhttp://103.253.25.73 – Red Cluster\r\nhttp://luan.conglyan[.]com – Red Cluster\r\nhttp://toiyeuvn.dongaruou[.]com – Red 
Cluster\r\nhttp://tintuc.daikynguyen21[.]com – Red Cluster\r\nhttp://web.laomoodwin[.]com – Red Cluster\r\nhttp://login.giaoxuchuson[.]com – Red Cluster\r\nhttp://lat.conglyan[.]com – Red Cluster\r\nhttp://thegioi.kinhtevanhoa[.]com – Red Cluster\r\nhttp://laovoanew[.]com – Red Cluster\r\nhttp://cdn.laokpl[.]com – Red Cluster\r\nhttp://login.dangquanwatch[.]com – Blue Cluster\r\nhttp://info.coreders[.]com – Blue Cluster\r\nhttp://thanhnien.vietnannnet[.]com – Blue Cluster\r\nhttp://login.diendanlichsu[.]com – Blue Cluster\r\nhttp://login.vietnamfar[.]com – Blue Cluster\r\nhttp://cophieu.dcsvnqvmn[.]com – Blue Cluster\r\nhttp://nghiencuu.onetotechnologys[.]com – Blue Cluster\r\nhttp://tinmoi.thoitietdulich[.]com – Blue Cluster\r\nhttp://khinhte.chinhsech[.]com – Blue Cluster\r\nhttp://images.webprogobest[.]com – Blue Cluster\r\nhttp://web.hcmuafgh[.]com – Blue Cluster\r\nhttp://news.cooodkord[.]com – Blue Cluster\r\nhttp://24h.tinthethaoi[.]com – Blue Cluster\r\nhttp://quocphong.ministop14[.]com – Blue Cluster\r\nhttp://nhantai.xmeyeugh[.]com – Blue Cluster\r\nhttp://thoitiet.yrindovn[.]com – Blue Cluster\r\nhttp://hanghoa.trenduang[.]com – Blue Cluster\r\nSource: https://securelist.com/cycldek-bridging-the-air-gap/97157/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/cycldek-bridging-the-air-gap/97157/"
	],
	"report_names": [
		"97157"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07abf8d563b06610e15d6e277748aedee6c310d2.pdf",
		"text": "https://archive.orkl.eu/07abf8d563b06610e15d6e277748aedee6c310d2.txt",
		"img": "https://archive.orkl.eu/07abf8d563b06610e15d6e277748aedee6c310d2.jpg"
	}
}