{
	"id": "254c22a7-9949-4a78-becb-6dcbdfb6501b",
	"created_at": "2026-04-06T00:16:52.725683Z",
	"updated_at": "2026-04-10T03:37:19.356986Z",
	"deleted_at": null,
	"sha1_hash": "1075c23e31806d2f3f9456817c8a58f81c5836cc",
	"title": "02/12/2020 - Goblin Panda APT: Recent infrastructure and RAT analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1539315,
	"plain_text": "02/12/2020 - Goblin Panda APT: Recent infrastructure and RAT analysis\r\nBy MELTX0R\r\nPublished: 2020-02-12 · Archived: 2026-04-05 13:29:29 UTC\r\nSummary\r\nGoblin Panda (also known as Hellsing, Cycldek, and likely other names, owing to the non-standardized naming conventions in the security industry) is a group that has been active for the better part of the last decade, and has historically had information theft and espionage motives that align with Chinese interests. Their targets have primarily been defense, energy, and government organizations located in South/Southeast Asia, with an emphasis on Vietnamese targets. In this analysis I review artifacts that exhibit behavior consistent with past NewCore RAT samples, which have been attributed to the Goblin Panda APT group.\r\nWhile reviewing suspected dropper files, I came across an interesting document titled “Bao Cao Su Kien Dong Tam.doc”, which translates to “Report on the Dong Tam event” in Vietnamese. This document was created on 01-10-2020 at 08:31:00, and purports to contain information about a recent controversy regarding land disputes between the Vietnamese government and the locals of Dong Tam (a rural commune located in Hanoi, Vietnam). While this is not the first time tensions have run high between Dong Tam locals and the Vietnamese government, the timing of the most recent events relative to the document creation date is quite suspect: the most recent dispute occurred on 01-09-2020, the day prior to the document creation.\r\nhttps://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html\r\nPage 1 of 6\r\nShown above: Recent news headlines about Dong Tam village (source)\r\nUpon opening the document, an exploit for CVE-2017-11882 is silently executed in the background. 
CVE-2017-11882, which was patched by Microsoft in November 2017, is a stack buffer overflow in the legacy Microsoft Office Equation Editor component (EQNEDT32.EXE) that grants the attacker remote code execution (RCE) when the user opens a specially crafted file (see here for the Microsoft advisory).\r\nShown above: Suspected Goblin Panda APT lure “Bao Cao Su Kien Dong Tam.doc”\r\nFollowing exploitation, an embedded object “wd32PrvSE.wmf” is dropped to the user's local temp directory and subsequently executed. wd32PrvSE.wmf then drops three files to the user's local temp directory: QcConsole.exe, QcLite.dll, and stdole.tlb. While QcConsole.exe appears to be a valid, signed file belonging to McAfee, Inc., the other two dropped files (QcLite.dll and stdole.tlb) have less than benevolent intentions.\r\nIt should be noted that, at the time of this writing, the document, wd32PrvSE.wmf, QcLite.dll, and stdole.tlb have very low or nonexistent detection rates on VirusTotal: 15/58 (document), 0/56 (WMF), 3/68 (DLL), and 0/56 (TLB), respectively.\r\nQcConsole.exe is then executed and loads QcLite.dll, the classic DLL side-loading pattern in which a signed, legitimate executable is abused to load an attacker-supplied library dropped beside it. QcLite.dll then establishes persistence via an autorun registry key named “Windows HD Audio Manager”, drops a file titled “desktop.ini” containing obfuscated data to the C:\\ProgramData\\ directory, and loads the contents of stdole.tlb into memory and decrypts it, resulting in executable data.\r\nDllhst3g.exe, a legitimate Windows binary, is then started in a suspended state, injected with the executable data extracted from stdole.tlb, and subsequently resumed (a suspended-process injection pattern commonly described as process hollowing). 
The compromised dllhst3g.exe then decodes the contents of the previously dropped “desktop.ini” file, which directs it to the location of QcConsol.exe, and QcConsol.exe is executed a second time.\r\nShown above: Execution graph\r\nCommand \u0026 Control communications are then initiated by the secondary QcConsol.exe process to the URLs “hxxp://club[.]baclieuvn[.]com:8080/link?url=maOVmKGmMDU1\u0026enpl=OXco\u0026encd=XARIZTE=” and “hxxp://club[.]baclieuvn[.]com/link?url=maOVmKGmMDU1\u0026enpl=OXco\u0026encd=XARIZTE=”. While this domain currently resolves to the Singapore IP address 103.253.25[.]15, none of the C2 requests received a response. This may be because the infrastructure has been burnt, or because the server only answers requests that meet specific geolocation requirements.\r\nShown above: Packet capture of suspected NewCore RAT C2\r\nAlthough I was unable to obtain additional C2 communications, the activity observed in relation to the dropped artifacts is very reminiscent of the NewCore Remote Access Trojan. Furthermore, the targeted nature of the weaponized document, together with the apparent targeting of Vietnamese individuals, is quite suspect. 
While this isn't conclusive evidence that Goblin Panda is responsible for this sample, the similarities between it and other confirmed NewCore RAT samples, in addition to the fact that Vietnam has historically been targeted by Goblin Panda, are telling.\r\nIndicators\r\nIndicator | Type | Description\r\nclub.baclieuvn.com | Domain | NewCore RAT Command \u0026 Control server\r\n103.253.25.15 | IP Address | IP address hosting the NewCore RAT Command \u0026 Control server “baclieuvn.com”\r\n/link?url=maOVmKGmMDU1\u0026enpl=OXco\u0026encd=XARIZTE= | URI | NewCore RAT Command \u0026 Control URI pattern\r\n/link?url=maOVmKGmMDU1\u0026enpl=JWAsBQ==\u0026encd=XARIZTE= | URI | NewCore RAT Command \u0026 Control URI pattern\r\ne9ba8cc1119dc4a972d0d363edcc0101 | MD5 | Bao cao su kien Dong Tam.doc - suspected Goblin Panda dropper\r\n42c1a3a74cec2dc4a1c1a7a10d9d14e4 | MD5 | QcLite.dll\r\n6d1876c07d176185dc61310b9aa510fe | MD5 | stdole.tlb\r\n7edeb624f2fef843ed26f24f3dd01a3f | MD5 | wd32PrvSE.wmf\r\nReferences/Further Reading\r\n1. https://www.fortinet.com/blog/threat-research/cta-security-playbook–goblin-panda.html\r\n2. https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6\r\n3. https://app.any.run/tasks/b64134d1-b809-4ff8-bcb0-91c18425c541/\r\n4. https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf\r\n5. https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/\r\n6. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/\r\n7. https://www.bbc.com/news/world-asia-51105808\r\nSource: https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html"
	],
	"report_names": [
		"goblin-panda-apt.html"
	],
	"threat_actors": [
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1075c23e31806d2f3f9456817c8a58f81c5836cc.pdf",
		"text": "https://archive.orkl.eu/1075c23e31806d2f3f9456817c8a58f81c5836cc.txt",
		"img": "https://archive.orkl.eu/1075c23e31806d2f3f9456817c8a58f81c5836cc.jpg"
	}
}
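The side-loading chain in the report above (the signed McAfee console binary loading QcLite.dll from the temp directory, the “Windows HD Audio Manager” autorun value, the suspended dllhst3g.exe launch) and the C2 URI shape listed in its Indicators table are the observables a defender would key on. The following is an added example written by the editor, not code from the original post or from the analyst: it turns those observables into detection logic run over constructed, simplified Sysmon-style event records and proxy-log lines. The indicator values are taken from the report; the record field names (event_id, image, image_loaded, parent_image, target_object, md5), the "timestamp client method url" log layout and the sample records themselves are assumptions of this example, not real telemetry.

```python
"""Detection logic for the NewCore RAT execution chain and C2 URI pattern.

Added example by the editor, not code from the original post. Indicators come
from the report; the event/log records and their field names are constructed
assumptions of this example, not real telemetry.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the report's IOC table and narrative.
C2_HOSTS = {"club.baclieuvn.com", "103.253.25.15"}
IOC_MD5 = {
    "e9ba8cc1119dc4a972d0d363edcc0101": "Bao cao su kien Dong Tam.doc",
    "42c1a3a74cec2dc4a1c1a7a10d9d14e4": "QcLite.dll",
    "6d1876c07d176185dc61310b9aa510fe": "stdole.tlb",
    "7edeb624f2fef843ed26f24f3dd01a3f": "wd32PrvSE.wmf",
}
RUN_VALUE_NAME = "windows hd audio manager"   # autorun value created by QcLite.dll
SIDELOAD_DLL = "qclite.dll"                   # side-loaded by the signed McAfee binary
HOLLOWED_TARGET = "dllhst3g.exe"              # started suspended, injected, resumed
# Both observed C2 URIs share the shape /link?url=<b64>&enpl=<b64>&encd=<b64>.
C2_PATH = "/link"
C2_PARAMS = ("url", "enpl", "encd")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _basename(path):
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_console_binary(path):
    """The report spells the side-load host both QcConsole.exe and QcConsol.exe."""
    return _basename(path) in ("qcconsole.exe", "qcconsol.exe")


def classify_url(url):
    """Return 'known_c2' (reported host and URI shape), 'c2_uri_pattern'
    (URI shape on an unknown host, useful once the domain is burnt) or None.
    The query is split by hand so '+' inside base64 values is not decoded."""
    u = urlparse(url)
    if u.path != C2_PATH or not u.query:
        return None
    pairs = [part.partition("=") for part in u.query.split("&")]
    keys = tuple(k for k, _, _ in pairs)
    if keys != C2_PARAMS or not all(B64_RE.match(v) for _, _, v in pairs):
        return None
    return "known_c2" if u.hostname in C2_HOSTS else "c2_uri_pattern"


def scan_proxy_log(lines):
    """Flag suspicious requests in constructed 'timestamp client method url' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[0], fields[1], verdict, fields[3]))
    return hits


def detect_host_chain(events):
    """Return the stages of the reported chain seen in Sysmon-style events
    (event_id 1 = process create, 7 = image load, 13 = registry value set)."""
    found = set()
    for ev in events:
        eid = ev.get("image_load_placeholder", ev.get("event_id"))
        image = ev.get("image", "")
        target = ev.get("target_object", "").lower()
        md5 = ev.get("md5", "").lower()
        if md5 in IOC_MD5:                      # any event carrying a known hash
            found.add("ioc_hash:" + IOC_MD5[md5])
        if eid == 7 and _is_console_binary(image) \
                and _basename(ev.get("image_loaded", "")) == SIDELOAD_DLL:
            found.add("sideload")
        elif eid == 13 and "\\currentversion\\run\\" in target \
                and target.endswith(RUN_VALUE_NAME):
            found.add("persistence")
        elif eid == 1 and _basename(image) == HOLLOWED_TARGET \
                and _is_console_binary(ev.get("parent_image", "")):
            found.add("hollowing_candidate")
    return found


def chain_complete(found):
    """True when side-load, persistence and the dllhst3g.exe launch from the
    console binary were all observed, i.e. the full reported chain."""
    return {"sideload", "persistence", "hollowing_candidate"} <= found


TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"event_id": 1, "image": TEMP + r"\wd32PrvSE.wmf",
     "md5": "7edeb624f2fef843ed26f24f3dd01a3f"},
    {"event_id": 7, "image": TEMP + r"\QcConsole.exe",
     "image_loaded": TEMP + r"\QcLite.dll",
     "md5": "42c1a3a74cec2dc4a1c1a7a10d9d14e4"},
    {"event_id": 13, "image": TEMP + r"\QcConsole.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft"
                      r"\Windows\CurrentVersion\Run\Windows HD Audio Manager"},
    {"event_id": 1, "image": r"C:\Windows\System32\dllhst3g.exe",
     "parent_image": TEMP + r"\QcConsole.exe"},
]
SAMPLE_PROXY_LOG = [  # constructed; 203.0.113.7 is a documentation address
    "2020-02-12T09:14:02Z 10.0.0.23 GET http://club.baclieuvn.com:8080/link?url=maOVmKGmMDU1&enpl=OXco&encd=XARIZTE=",
    "2020-02-12T09:14:05Z 10.0.0.23 GET http://club.baclieuvn.com/link?url=maOVmKGmMDU1&enpl=OXco&encd=XARIZTE=",
    "2020-02-12T09:14:09Z 10.0.0.23 GET http://203.0.113.7/link?url=maOVmKGmMDU1&enpl=JWAsBQ==&encd=XARIZTE=",
    "2020-02-12T09:15:00Z 10.0.0.41 GET http://www.example.com/link?url=https://example.org/a",
    "2020-02-12T09:15:30Z 10.0.0.41 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 hit:", hit)
    stages = detect_host_chain(SAMPLE_EVENTS)
    print("host stages:", sorted(stages), "complete:", chain_complete(stages))
```

The URI-shape check is reported separately from the host match so the same beaconing pattern still surfaces once club.baclieuvn.com is burnt, which the report itself suggests may already be the case; a request to an unknown host scores as c2_uri_pattern rather than being dropped. On the host side the three stages are kept as separate findings so that a partial chain (for example the side-load without the autorun value) is still visible to an analyst rather than collapsed into a single yes/no.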