{
	"id": "45791869-90e1-4a2e-95b0-129be6be0ef3",
	"created_at": "2026-04-06T00:19:27.049156Z",
	"updated_at": "2026-04-10T03:37:19.304506Z",
	"deleted_at": null,
	"sha1_hash": "28458032a40b50f350e89714c3f22e0581cd243c",
	"title": "CTA Adversary Playbook: Goblin Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59296,
	"plain_text": "CTA Adversary Playbook: Goblin Panda\r\nBy FortiGuard SE Team\r\nPublished: 2018-11-01 · Archived: 2026-04-05 12:55:23 UTC\r\nAdversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as\r\nGoblin Panda as part of its role in the Cyber Threat Alliance. For more information regarding this series of\r\nadversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.\r\nActive since 2014, Goblin Panda is a threat actor that is focused on interests in Southeast Asia. Goblin Panda has\r\nbeen documented by various organizations, including Fortinet, over the past several years. Due to non-standardized naming conventions within the industry, Goblin Panda is also known as APT 27, Hellsing, Cycledek,\r\nand perhaps 1937CN. Goblin Panda is primarily active in South and Southeast Asia, with activity seen primarily\r\nin Cambodia, Indonesia, Philippines, Myanmar, Malaysia, Thailand, and Vietnam. India has also been targeted in\r\nthe past, albeit in limited numbers.\r\nNot much has been documented on this group for various reasons. This is primarily due to the fact that its tactics,\r\ntechniques, and procedures have evolved over the years, and also because rather than engaging in the sort of\r\nbroad-brush attacks most cybercriminal gangs engage in, their targets and campaigns have been quite specific in\r\nnature. We hope that the information contained within our playbook is informative for responders who encounter\r\none of their attacks, or for anyone interested in Goblin Panda.\r\nOverview\r\nFavorite methodologies of Goblin Panda include the use of remote access Trojans, including the infamous\r\nPlugX/Korplug, NewCore, and Sisfader RAT tools. 
Distribution of infected samples is often carried out by attackers\r\nsuch as Goblin Panda through weaponized Microsoft Office documents containing malicious macros, or by\r\nexploiting known vulnerabilities—most recently CVE-2012-0158 and CVE-2017-11882. Even though CVE-2012-0158 is over five years old, attackers are quite aware that many organizations, especially up and coming\r\norganizations in developing areas of the world, do not follow a regular patching schedule for various reasons, such\r\nas lack of resources or awareness, and therefore remain vulnerable to known exploits for long periods of time.\r\nMethodology\r\nObserved instances of Goblin Panda activity have generally started with a spearphishing attack via a maliciously\r\ncrafted Microsoft Office document. When the document is opened by the victim, various files are dropped into\r\ndifferent locations of the victim’s PC. Dropped files include legitimate software vendor files, an encrypted binary\r\nblob containing the payload, and DLL files containing the decryptor and loader for the payload.\r\nDuring the installation of the malware, a DLL hijacking technique is used to evade traditional antivirus detections,\r\nwhereby a variety of legitimate DLL files from different vendors are hijacked by a Trojanized, malicious DLL file.\r\nOnce the malicious DLL file is side loaded, it then downloads the Trojan downloader, which\r\nin turn sets a run key in the registry for persistence. Typically, a legitimate program requires libraries to properly\r\nhttps://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html\r\nPage 1 of 5\n\nexecute. DLL sideloading/hijacking attacks make the legitimate program think it is loading the correct DLL,\r\nwhen in reality it is loading the malicious DLL instead. 
Finally, it also checks to determine if it is running in a VM\r\nenvironment.\r\nOnce it is finished with those tasks, it then sends various parameters to a C2 server, including:\r\n·       OS version\r\n·       Processor speed\r\n·       Number of processors\r\n·       Physical memory size\r\n·       Computer name\r\n·       User name\r\n·       User privilege\r\n·       Computer IP address\r\n·       Volume serial number\r\nWhen all of those parameters are deemed OK, it then downloads a payload. In most recent cases, that payload has\r\nbeen the NewCore RAT (Korplug/Plugx and Sisfader were seen in prior campaigns). The NewCore RAT is a\r\nmalicious DLL file. However, executing the DLL without using the downloader will not work as the C\u0026C server\r\nstring is not embedded within the DLL file. Based on the strings found in its body, this malware may have been\r\nderived from the PcClient and PcCortr backdoors whose source code is publicly available, especially on\r\nChinese language coding forums.\r\nNewCore RAT has the following attributes:\r\n·       Copy files\r\n·       Delete files\r\n·       Execute files\r\n·       Search files\r\n·       Download files\r\n·       Upload files\r\n·       Retrieve disk list\r\n·       Retrieve directory list\r\n·       Retrieve file information\r\n·       Retrieve disk information\r\n·       Rename files\r\n·       Screen monitoring\r\n·       Start command shell\r\n·       Shutdown/Reboot\r\nWe have also encountered several new NewCore RAT samples that may have been used by the Goblin Panda\r\nthreat actors. However, due to time constraints we were unable to analyze them further to see if there is an\r\nabsolute connection to the threat actor group. 
The following IOCs have been provided for information purposes.\r\nPlease see the Indicators of Compromise section below for further details, along with our playbook viewer, which\r\ncontains the tactics and techniques defined by the MITRE ATT\u0026CK knowledge base.\r\nFor a detailed technical overview, read our previous blog: Rehashed RAT Used in APT Campaign Against\r\nVietnamese Organizations\r\nIndicators of Compromise\r\nAll samples (IOCs) have been provided in good faith. These samples had not been analyzed at the time of\r\npublication due to time restrictions. As a result, there are no guarantees made about the samples below with\r\nrespect to Goblin Panda or any attributions to any threat actor.\r\n(NewCoreRat Samples)\r\nRead and learn more about the Cyber Threat Alliance (CTA).\r\nSource: https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html"
	],
	"report_names": [
		"cta-security-playbook--goblin-panda.html"
	],
	"threat_actors": [
		{
			"id": "f21d7691-a720-46bb-81d7-11edb9f73eba",
			"created_at": "2023-11-08T02:00:07.126478Z",
			"updated_at": "2026-04-10T02:00:03.420826Z",
			"deleted_at": null,
			"main_name": "1937CN",
			"aliases": [],
			"source_name": "MISPGALAXY:1937CN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "78090a48-ca66-4cd8-a454-04d947e9c887",
			"created_at": "2023-01-06T13:46:38.303662Z",
			"updated_at": "2026-04-10T02:00:02.919567Z",
			"deleted_at": null,
			"main_name": "Hellsing",
			"aliases": [],
			"source_name": "MISPGALAXY:Hellsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28458032a40b50f350e89714c3f22e0581cd243c.pdf",
		"text": "https://archive.orkl.eu/28458032a40b50f350e89714c3f22e0581cd243c.txt",
		"img": "https://archive.orkl.eu/28458032a40b50f350e89714c3f22e0581cd243c.jpg"
	}
}