{
	"id": "7461f06a-2dcc-4b0e-a862-735a61a6fda1",
	"created_at": "2026-04-06T00:07:23.924166Z",
	"updated_at": "2026-04-10T03:37:19.252525Z",
	"deleted_at": null,
	"sha1_hash": "3e3dabe543311c5e8649c990fbf22e3739fa2dea",
	"title": "Goblin Panda, Cycldek, Conimes - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64038,
	"plain_text": "Goblin Panda, Cycldek, Conimes - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 22:46:24 UTC\r\nHome \u003e List all groups \u003e Goblin Panda, Cycldek, Conimes\r\n APT group: Goblin Panda, Cycldek, Conimes\r\nNames\r\nGoblin Panda (CrowdStrike)\r\nCycldek (Kaspersky)\r\nConimes (Anomali)\r\n1937CN (?)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(CrowdStrike) CrowdStrike first observed Goblin Panda activity in September 2013\r\nwhen indicators of its activity were discovered on the network of a technology\r\ncompany operating in multiple sectors.\r\nMalware variants primarily used by this actor include PlugX and HttpTunnel. This\r\nactor focuses a significant amount of its targeting activity on entities in Southeast\r\nAsia, particularly Vietnam. Heavy activity was observed in the late spring and early\r\nsummer of 2014 when tensions between China and other Southeast Asian nations\r\nwere high, due to conflict over territory in the South China Sea. Goblin Panda\r\ntargets have been primarily observed in the defense, energy, and government sectors.\r\nObserved\r\nSectors: Defense, Energy, Government.\r\nCountries: Cambodia, India, Indonesia, Laos, Malaysia, Myanmar, Philippines,\r\nThailand, USA, Vietnam.\r\nTools used\r\n8.t Dropper, BlueCore, BrowsingHistoryView, ChromePass, CoreLoader,\r\nDropPhone, FoundCore, HDoor, HTTPTunnel, JsonCookies, nbtscan, NewCore\r\nRAT, PlugX, ProcDump, PsExec, QCRat, RedCore, Sisfader, USBCulprit, ZeGhost,\r\nLiving off the Land.\r\nOperations performed Jul 2016 A group identifying as Chinese hackers has attacked digital signage\r\nscreens, overhead announcement systems and airline systems at\r\nairports across Vietnam.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=54b1fa22-3aa4-4cdd-9c24-e6f1ce0e907d\r\nPage 1 of 2\n\nSep 2017\nRecently, FortiGuard Labs came across several malicious documents\nthat exploit the vulnerability CVE-2012-0158.\n2018\nAttacks have been witnessed in government organizations across\nseveral Southeast Asian countries, namely Vietnam, Thailand and\nLaos, using a variety of tools and new TTPs.\nJun 2020\nThe leap of a Cycldek-related threat actor\nInformation\nPlaybook\nLast change to this card: 15 May 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=54b1fa22-3aa4-4cdd-9c24-e6f1ce0e907d\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=54b1fa22-3aa4-4cdd-9c24-e6f1ce0e907d\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=54b1fa22-3aa4-4cdd-9c24-e6f1ce0e907d"
	],
	"report_names": [
		"showcard.cgi?u=54b1fa22-3aa4-4cdd-9c24-e6f1ce0e907d"
	],
	"threat_actors": [
		{
			"id": "f21d7691-a720-46bb-81d7-11edb9f73eba",
			"created_at": "2023-11-08T02:00:07.126478Z",
			"updated_at": "2026-04-10T02:00:03.420826Z",
			"deleted_at": null,
			"main_name": "1937CN",
			"aliases": [],
			"source_name": "MISPGALAXY:1937CN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434043,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e3dabe543311c5e8649c990fbf22e3739fa2dea.pdf",
		"text": "https://archive.orkl.eu/3e3dabe543311c5e8649c990fbf22e3739fa2dea.txt",
		"img": "https://archive.orkl.eu/3e3dabe543311c5e8649c990fbf22e3739fa2dea.jpg"
	}
}