{
	"id": "cab6ddc3-dd85-4462-8bb5-52bd667b9446",
	"created_at": "2026-04-06T00:09:19.098027Z",
	"updated_at": "2026-04-10T03:37:19.380854Z",
	"deleted_at": null,
	"sha1_hash": "7509d21a19f1d24b5f7fa5a811b3e49ed21debdf",
	"title": "Goblin Panda continues to target Vietnam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 331789,
	"plain_text": "Goblin Panda continues to target Vietnam\r\nBy Sebdraven\r\nPublished: 2019-05-02 · Archived: 2026-04-05 22:59:28 UTC\r\nMay 2, 2019\r\nChinese actors have changed the RTF exploit following my various articles and the Anomali article\r\nhttps://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain\r\nBut in March a researcher at Anomali, @aRtAGGI, made a very interesting link between Icefog and an article targeting Mongolian speakers https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/\r\nhttps://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6\r\nPage 1 of 4\r\n\r\nI decided to reanalyze the RTF exploit. It’s the same technique; they have just changed the XORing and the exploit body to bypass the YARA rules which have been published.\r\n\r\nAfter a new rule and retro hunting, I found a new RTF file 81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6 exploiting the same RTF vulnerability CVE-2017-11882 that drops two files:\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\QcConsol.exe\r\n9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\QcLite.dll\r\n207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3\r\nThe backdoor is the DLL and, as usual, the malware is executed using DLL side loading.\r\nThe DLL is a variant of NewCore RAT with many similarities to\r\n05d0ad2bcc1c6e2752a231bc36d07a841f075a0a32a3a62abaafddbdafd72f62\r\n5a592b92ffcbea75e458726cecc7f159b8f71c46b80de30bac2a48006ac1e1b3\r\n5b652205b1c248e5d5fc0eb5f53c5754df829ed2479687d4f14c2e08fbf87e76\r\nand the RTF is a spear-phishing document targeting Vietnamese people.\r\nThe malware seems to have been compiled on 11 Dec 2018 and the document was created on 2019:01:18.\r\nThe C2 of the backdoor is an old domain, web.hcmuafgh.com, but with a new IP, 193.29.56.62.\r\n\r\nIOCs\r\n81f75839e6193212d71d771edea62430111482177cdc481f4688d82cd8a5fed6\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\QcLite.dll\r\n207e66a3b0f1abfd4721f1b3e9fed8ac89be51e1ec13dd407b4e08fad52113e3\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\QcConsol.exe\r\n9f3114e48dd0245467fd184bb9655a5208fa7d13e2fe06514d1f3d61ce8b8770\r\nweb.hcmuafgh.com\r\n193.29.56.62\r\nhttp://web.hcmuafgh.com:4357/link?url=maOVmKGmMDU1\u0026enpl=OXcoVQ==\u0026encd=XARIZTE=\r\nSource: https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6"
	],
	"report_names": [
		"goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7509d21a19f1d24b5f7fa5a811b3e49ed21debdf.pdf",
		"text": "https://archive.orkl.eu/7509d21a19f1d24b5f7fa5a811b3e49ed21debdf.txt",
		"img": "https://archive.orkl.eu/7509d21a19f1d24b5f7fa5a811b3e49ed21debdf.jpg"
	}
}