{
	"id": "5b0a8b61-85b6-4eb0-ac31-994679f82a91",
	"created_at": "2026-04-06T00:15:31.85208Z",
	"updated_at": "2026-04-10T13:12:28.446399Z",
	"deleted_at": null,
	"sha1_hash": "819c9e00be308e9cb0620df1bf4ea386da2814d2",
	"title": "Chinese APT Targeting Cambodian Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 506726,
	"plain_text": "Chinese APT Targeting Cambodian Government\r\nBy Unit 42\r\nPublished: 2023-11-08 · Archived: 2026-04-05 22:56:44 UTC\r\nExecutive Summary\r\nUnit 42 has identified malicious Chinese APT infrastructure masquerading as cloud backup services. Monitoring\r\ntelemetry associated with two prominent Chinese APT groups, we observed network connections predominately\r\noriginating from the country of Cambodia, including inbound connections originating from at least 24 Cambodian\r\ngovernment organizations.\r\nWe assess with high confidence that these Cambodian government entities were targeted and remain compromised\r\nby Chinese APT actors. This assessment is due to the malicious nature and ownership of the infrastructure\r\ncombined with persistent connections over a period of several months.\r\nCambodia and China maintain strong diplomatic and economic ties. Since Cambodia signed on to China’s Belt\r\nand Road Initiative (BRI) in 2013, the relationship between these two countries has grown steadily.\r\nIn recent years, China’s most notable investment has been a project to modernize Cambodia's Ream Naval Base.\r\nThis project generated controversy and drew scrutiny from several Western nations due to initial attempts by both\r\ncountries to conceal the project.\r\nAs the project nears completion this year, the naval base is on track to become China’s first overseas outpost in\r\nSoutheast Asia. 
As such, this project demonstrates how significant Cambodia is to China’s ambitions of projecting\r\npower and expanding naval operations in the region.\r\nPalo Alto Networks customers receive protection from this malicious infrastructure through our Next-Generation\r\nFirewall with Cloud-Delivered Security Services, including DNS Security and Advanced URL Filtering.\r\nRelated Unit 42 Topics: China, APAC\r\nInfrastructure Overview\r\nUnit 42 identified infrastructure associated with the following known malicious SSL certificate:\r\nSubject Full Name: C=US,ST=Some-State,O=Internet Widgits Pty Ltd,CN=10.200.206.100\r\nIssuer Full Name: C=US,ST=Some-State,O=Internet Widgits Pty Ltd,CN=COM\r\nSerial Number: 15007560845348164646\r\nSHA1 Hash: B8CFF709950CFA86665363D9553532DB9922265C\r\nValid From: 2017-11-23\r\nValid To: 2027-11-21\r\nTable 1. SSL Certificate Overview.\r\nhttps://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/\r\nPage 1 of 8\n\nMost recently, this certificate was used by servers on six target-facing IP addresses. Each of these servers hosts\r\nseveral subdomains associated with six domains.\r\nBased on their names, a number of these domains appear to masquerade as cloud storage services. This disguise\r\nlikely lends a sense of legitimacy to the unusual amount of traffic during periods of high actor activity,\r\nsuch as data exfiltration from the victim network.\r\nFigure 1 provides a visualization of the malicious infrastructure.\r\nFigure 1. Infrastructure overview.\r\nSuspected Cambodian Government Targets\r\nWe observed a total of 24 Cambodian government organizations regularly communicating with this infrastructure\r\nbetween September and October 2023. 
A number of these organizations provide critical services in the following industries:\r\nNational defense\r\nElection oversight\r\nHuman rights\r\nNational treasury and finance\r\nCommerce\r\nPolitics\r\nNatural resources\r\nTelecommunications\r\nThese targets all hold vast amounts of sensitive data, including the following:\r\nFinancial data\r\nPersonally identifiable information of citizens\r\nClassified government information\r\nWe assess that these organizations are likely the targets of long-term cyberespionage activities that have leveraged\r\nthis infrastructure for persistent access to government networks of interest.\r\nCommand and Control Infrastructure\r\nWe assess with high confidence that the target-facing IP addresses are being used as command and control (C2)\r\ninfrastructure by the threat actor. We believe the infrastructure is running the Cowrie honeypot on port 2222. The\r\nattackers are likely using this honeypot as a cover to deceive network defenders and researchers investigating\r\nanomalous activity.\r\nWe have also observed IP filtering on this infrastructure. Specifically, we have observed the blocking of\r\nconnections from the following:\r\nKnown Palo Alto Networks IP ranges\r\nSome VPS and cloud hosting providers\r\nIP ranges from a number of Big Tech and other cybersecurity companies\r\nWe believe this threat actor is filtering connections to the malicious infrastructure to minimize the risk of the C2s\r\nbeing profiled by IP scanners or identified by cybersecurity researchers.\r\nWe have also observed C2 ports open during activity times for the threat actor and closed at all other times. 
Again,\r\nthis is likely to minimize the risk of the infrastructure being profiled by IP scanners or identified by researchers.\r\nTable 2 outlines the known actor and target-facing ports.\r\nIP Address | Target Port | Domain(s)\r\n165.232.186[.]197 | 80, 443, 4433 | api.infinitycloud[.]info, connect.infinitycloud[.]info, ns.infinitycloud[.]info\r\n167.71.226[.]171 | 80, 81, 82, 443, 769, 4433, 8086, 8089 | file.wonderbackup[.]com, connect.infinitybackup[.]net, share.infinitybackup[.]net, sync.wonderbackup[.]com\r\n104.248.153[.]204 | 82, 443 | update.wonderbackup[.]com, login.wonderbackup[.]com, ns1.infinitybackup[.]net\r\n143.110.189[.]141 | 443 | mfi.teleryanhart[.]com, ads.teleryanhart[.]com\r\n172.105.34[.]34 | 8081, 8087, 8443, 8888 | jlp.ammopak[.]site, kwe.ammopak[.]site, lxo.ammopak[.]site, dfg.ammopak[.]site, fwg.ammopak[.]site\r\n194.195.114[.]199 | 8080, 8443, 9200 | connect.clinkvl[.]com\r\nTable 2. Target-facing infrastructure details.\r\nActor Pattern of Life\r\nWhile investigating the cluster of infrastructure, we were able to determine the actor’s pattern of life. We\r\npredominantly observed the actor’s activity between 08:30 and 17:30 UTC +08:00 (China Standard Time) on\r\nweekdays (Monday to Friday). This pattern might indicate the actor is attempting to avoid detection by blending\r\ninto regular Cambodian business hours, which are UTC +07:00.\r\nHowever, we also observed a significant change in actor activity that suggests the actor is based in China and\r\nworking regular business hours in China.\r\nThis change in the actor’s pattern of life occurred between Sep. 29 and Oct. 8, 2023. Actor activity ceased on Sep.\r\n29, with low amounts of activity through the week of Oct. 2-8, including the weekend of Oct. 7-8. 
We saw actor\r\nactivity return to regular levels and patterns starting Oct. 9.\r\nThe dates of the actor’s activity changes align with China’s Golden Week, held from Sep. 29 to Oct. 6, 2023, and\r\n“Special Working Days,” designated as Oct. 7-8, 2023. Special Working Days are Chinese government-mandated\r\nworking days to compensate for the extended holiday.\r\nFigure 2 shows the regular activity pattern and deviation during Golden Week, before returning to normal.\r\nFigure 2. Actor pattern of life.\r\nConclusion\r\nUnit 42 identified Chinese APT-associated activity targeting Cambodia, including over 20 Cambodian government\r\norganizations across a range of key industries. This activity is believed to be part of a long-term espionage\r\ncampaign.\r\nThe observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage its strong\r\nrelations with Cambodia to project its power and expand its naval operations in the region. We encourage all\r\norganizations to leverage our findings to inform the deployment of protective measures to defend against this\r\nactivity.\r\nProtection Recommendations\r\nTo defend against the threats described in this blog, Palo Alto Networks recommends organizations employ the\r\nfollowing capabilities:\r\nNetwork Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine\r\nlearning enabled and cloud-delivered security services. 
This includes threat prevention, URL filtering, DNS\r\nsecurity and a malware prevention engine capable of identifying and blocking malicious samples and\r\ninfrastructure.\r\nSecurity Automation: Delivered through a Cortex XSOAR or XSIAM solution capable of providing SOC\r\nanalysts with a comprehensive understanding of the threat derived by stitching together data obtained from\r\nendpoints, network, cloud and identity systems.\r\nContainer Security: Delivered through the Palo Alto Networks Prisma Cloud advanced container security\r\nfeatures for container runtime environments to ensure detection and prevention of known malicious\r\nexecutables. Advanced URL Filtering blocks malicious IoCs related to this operation. WildFire integration\r\nfor cloud-delivered malware analysis service accurately identifies known samples as malicious.\r\nProtections and Mitigations\r\nPalo Alto Networks customers receive protection from the threats discussed above through the following products:\r\nAdvanced URL Filtering blocks web requests to malicious URLs\r\nDNS Security effectively prevents the resolution of C2 hostnames\r\nContainer Runtime Inspection prevents DNS requests from malicious processes\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSSL Certificate SHA-1 Fingerprint\r\nB8CFF709950CFA86665363D9553532DB9922265C\r\nSource: https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/"
	],
	"report_names": [
		"chinese-apt-linked-to-cambodia-government-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/819c9e00be308e9cb0620df1bf4ea386da2814d2.pdf",
		"text": "https://archive.orkl.eu/819c9e00be308e9cb0620df1bf4ea386da2814d2.txt",
		"img": "https://archive.orkl.eu/819c9e00be308e9cb0620df1bf4ea386da2814d2.jpg"
	}
}