{
	"id": "3ad0a7fc-ead6-4030-9519-48ec58a92186",
	"created_at": "2026-04-06T00:16:01.767683Z",
	"updated_at": "2026-04-10T03:37:19.245217Z",
	"deleted_at": null,
	"sha1_hash": "894e846a5a3097ae4794e98ce887b94b25ecf4e7",
	"title": "The leap of a Cycldek-related threat actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2251988,
	"plain_text": "The leap of a Cycldek-related threat actor\r\nBy Ivan Kwiatkowski\r\nPublished: 2021-04-05 · Archived: 2026-04-05 18:00:43 UTC\r\nIntroduction\r\nIn the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared.\r\nOne such example of this is the infamous “DLL side-loading triad”: a legitimate executable, a malicious DLL to\r\nbe sideloaded by it, and an encoded payload, generally dropped from a self-extracting archive. Initially considered\r\nto be the signature of LuckyMouse, we observed other groups starting to use similar “triads” such as HoneyMyte.\r\nWhile it implies that it is not possible to attribute attacks based on this technique alone, it also follows that\r\nefficient detection of such triads reveals more and more malicious activity.\r\nThe investigation described in this article started with one such file which caught our attention due to the various\r\nimprovements it brought to this well-known infection vector.\r\nFoundCore Loader\r\nThis malware sample was discovered in the context of an attack against a high-profile organization located in\r\nVietnam. From a high-level perspective, the infection chain follows the expected execution flow:\r\nAfter being loaded by a legitimate component from Microsoft Outlook (FINDER.exe, MD5\r\n9F1D6B2D45F1173215439BCC4B00B6E3), outlib.dll (MD5 F267B1D3B3E16BE366025B11176D2ECB)\r\nhijacks the intended execution flow of the program to decode and run a shellcode placed in a binary file, rdmin.src\r\n(MD5 DF46DA80909A6A641116CB90FA7B8258). Such shellcodes that we had seen so far, however, did not\r\ninvolve any form of obfuscation. So, it was a rather unpleasant surprise for us when we discovered the first\r\ninstructions:\r\nhttps://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/\r\nPage 1 of 7\n\nExperienced reverse-engineers will immediately recognize disassembler-desynchronizing constructs in the\r\nscreenshot above. 
The conditional jumps placed at offsets 7 and 9 appear to land in the middle of an address (as\r\nevidenced by the label loc_B+1), which is highly atypical for well-behaved assembly code. Immediately after, we\r\nnote the presence of a call instruction whose destination (highlighted in red) is identified as bogus by IDA Pro,\r\nand the code that follows doesn’t make any sense.\r\nExplaining what is going on requires taking a step back and providing a bit of background about how\r\ndisassemblers work. At the risk of oversimplifying, flow-oriented disassemblers make a number of assumptions\r\nwhen processing files. One of them is that, when they encounter a conditional jump, they start disassembling the\r\n“false” branch first, and come back to the “true” branch later on. This process is better evidenced by looking at the\r\nopcodes corresponding to the code displayed above, again starting from offset 7:\r\nIt is now more obvious that there are two ways to interpret the code above: the disassembler can either start from\r\n“E8”, or from “81” – by default, IDA will choose the latter: E8 is in fact the opcode for the call instruction. But\r\nastute readers will notice that “JLE” (jump if lower or equal) and “JG” (jump if greater) are opposite conditions:\r\nno matter what, one of those will always be true and as such the actual code, as seen by the CPU during the\r\nexecution, will start with the byte “81”. Such constructs are called opaque predicates, and this E8 byte in the\r\nmiddle was only added there in order to trick the disassembler.\r\nDefeating this trick is but a trivial matter for IDA Pro, as it is possible to manually correct the disassembling\r\nmistake. However, it was immediately obvious that the shellcode had been processed by an automated obfuscation\r\ntool. 
Opaque predicates, sometimes in multiples, and dead code were inserted between every single instruction of\r\nthe program. In the end, cleaning up the program automatically was the only practical approach, and we did so by\r\nmodifying an existing script for the FinSpy malware family created by the respected reverse-engineer Rolf Rolles.\r\nThis step allowed us to discover the shellcode’s purpose: to decrypt and decompress the final payload, using a\r\ncombination of RC4 and LZNT1. Even then, it turned out that the attackers had more tricks up their sleeve.\r\nNormally, at this stage, one would have expected to find a PE file that the shellcode would load into memory. But\r\ninstead, this is what we got:\r\nThe recovered file was indeed a PE, but it turned out that most of its headers had been scrubbed. In fact, even the\r\nscarce ones remaining contained incoherent values – for instance, here, a number of declared sections equal to\r\n0xAD4D. Since it is the shellcode (and not the Windows loader) that prepares this file for execution, it doesn’t\r\nmatter that some information, such as the magic numbers, is missing. As for the erroneous values, it turned out\r\nthat the shellcode was fixing them on the fly using hardcoded operations:\r\nfor ( i = 0; ; ++i ) // Iterate on the sections\r\n{\r\n  // [...]\r\n  // Stop when all sections have been read\r\n  if ( i \u003e= pe-\u003epe_header_addr-\u003eFileHeader.NumberOfSections - 44361 )\r\n    break;\r\n  // [...]\r\n}\r\nFor instance, in the decompiled code above (as for all references to the file’s number of sections) the value read in\r\nthe headers has 44361 subtracted from it. For the attackers, the advantage is two-fold. First, it makes acquiring the final\r\npayload statically a lot more difficult for potential reverse-engineers. 
Second, it also ensures that the various\r\ncomponents of the toolchain remain tightly coupled to each other. If only a single one of them finds itself\r\nuploaded to a multi-scanner website, it will be unexploitable for defenders. This is a design philosophy that we\r\nhad observed from the LuckyMouse APT in the past, and is manifest in other parts of this toolchain too, as we will\r\nsee later on. Eventually, we were able to reconstruct the file’s headers and move on with our analysis – but we\r\nfound this loader so interesting from an educational standpoint that we decided to base one track of our online\r\nreverse-engineering course on it. For more detailed steps on how we approached this sample, please have a look at\r\nTargeted Malware Reverse Engineering.\r\nFoundCore payload\r\nThe final payload is a remote administration tool that provides full control over the victim machine to its\r\noperators. Upon execution, this malware starts 4 threads:\r\nThe first one establishes persistence by creating a service.\r\nThe second one sets inconspicuous information for the service by changing its “Description”, “ImagePath”,\r\n“DisplayName” fields (among others).\r\nThe third sets an empty DACL (corresponding to the SDDL string “D:P”) on the image associated with the\r\ncurrent process in order to prevent access to the underlying malicious file.\r\nFinally, a worker thread bootstraps execution and establishes a connection with the C2 server. 
Depending on\r\nits configuration, it may also inject a copy of itself into another process.\r\nCommunications with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\r\nCommands supported by FoundCore include filesystem manipulation, process manipulation, screenshot captures\r\nand arbitrary command execution.\r\nRoyalRoad documents, DropPhone and CoreLoader\r\nTaking a step back from the FoundCore malware family, we looked into the various victims we were able to\r\nidentify to try to gather information about the infection process. In the vast majority of the incidents we\r\ndiscovered, it turned out that FoundCore executions were preceded by the opening of malicious RTF documents\r\ndownloaded from static.phongay[.]com. They all were generated using RoyalRoad and attempt to exploit CVE-2018-0802.\r\nInterestingly, while we would have expected them to contain decoy content, all of them were blank. We, therefore,\r\nhypothesize the existence of precursor documents, possibly delivered through spear-phishing, or precursor\r\ninfections, which would trigger the download of one of these RTF files.\r\nSuccessful exploitation leads to the deployment of yet another malware that we named DropPhone:\r\nMD5 6E36369BF89916ABA49ECA3AF59D38C6\r\nSHA1 C477B50AE66E7228164930117A7D36C53713A5F2\r\nSHA256 F50AE4B25B891E95B57BD4391AEB629437A43664034630D593EB9846CADC9266\r\nCreation time 2020-11-04 09:14:22\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 56 KB\r\nThis C++ implant also comes in the form of a legitimate executable (DeElevate.exe, from the publisher StarDock)\r\nand a side-loaded DLL (DeElevator.dll). At this stage, we are left with more questions than answers when it comes\r\nto it. 
DropPhone fetches a file saved as data.dat from hxxps://cloud.cutepaty[.]com, but we have been unable to obtain\r\na copy of this file so far. Next, it expects to find a companion program in\r\n%AppData%\\Microsoft\\Installers\\sdclt.exe, and will eventually terminate execution if it cannot find it.\r\nOur hypothesis is that this last file could be an instance or variant of CoreLoader (which we will describe in a\r\nminute), but the only piece of data supporting this theory that we have at our disposal is that we found CoreLoader\r\nin this folder in a single occurrence.\r\nDropPhone launches sdclt.exe, then collects environment information from the victim machine and sends it to\r\nDropBox. The last thing this implant does is delete data.dat without ever accessing its contents. We speculate that\r\nits contents are consumed by sdclt.exe, and that this is another way to lock together the execution of two components,\r\nfrustrating the efforts of the reverse-engineers who are missing pieces of the puzzle – as is our case here.\r\nMD5 1234A7AACAE14BDD94EEE6F44F7F4356\r\nSHA1 34977E351C9D0E9155C6E016669A4F085B462762\r\nSHA256 492D3B5BEB89C1ABF88FF866D200568E9CAD7BB299700AA29AB9004C32C7C805\r\nCreation time 2020-11-21 03:47:14\r\nFile type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nFile size 66 KB\r\nFinally, CoreLoader, the last malware we found associated with this set of activity, is a simple shellcode loader\r\nwhich performs anti-analysis and loads additional code from a file named WsmRes.xsl. Again, this specific file\r\neluded our attempts to catch it but we suspect it to be, one way or another, related to FoundCore (described in the\r\nprevious section).\r\nOverall, our current understanding of this complex toolchain is as follows. 
Dashed lines represent the components\r\nand links we are inferring, striped boxes represent the files we could not acquire.\r\nVictimology and attribution\r\nWe observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of\r\norganizations were affected. 80% of them are based in Vietnam and belong to the government or military sector,\r\nor are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional\r\ntargets in Central Asia and in Thailand.\r\nFor the reasons laid out in the introduction, attribution based on tooling alone is risky when it comes to this\r\nnebula. At first glance, the use of a “triad”, the general design philosophy and the obvious effort spent to make\r\nreverse-engineering as complex as possible are reminiscent of LuckyMouse. However, we also observed code\r\nsimilarities between CoreLoader or FoundCore and programs associated with the Cycldek threat actor – namely,\r\nRedCore Loader (MD5: 1B6BCBB38921CAF347DF0A21955771A6).\r\nWhile Cycldek was, so far, considered to be one of the less sophisticated threat actors from the Chinese-speaking nexus, its targeting is known to be consistent with what we observed in this campaign. Therefore, we are\r\nlinking the activities described in this post with Cycldek with low confidence.\r\nConclusion\r\nNo matter which group orchestrated this campaign, it constitutes a significant step up in terms of sophistication.\r\nThe toolchain presented here was willfully split into a series of interdependent components that function together\r\nas a whole. Single pieces are difficult – sometimes impossible – to analyze in isolation, because they rely on code\r\nor data provided at other stages of the infection chain. 
We regretfully admit that this strategy was partly successful\r\nin preventing us from obtaining a complete picture of this campaign. As such, this report is as much about the\r\nthings we know as it is about figuring out what we don’t. We hereby extend our hand to fellow researchers who\r\nmight be seeing other pieces of this vast puzzle, because we strongly believe that the challenges ahead of us can\r\nonly be overcome through information sharing among trusted industry partners.\r\nSome readers from other regions of the world might dismiss this local activity as irrelevant to their interests. We\r\nwould advise them to take heed. Experience shows that regional threat actors sometimes widen their area of\r\nactivity as their operational capabilities increase, and that tactics or tools are widely shared across distinct actors or\r\nintrusion-sets that target different regions. Today, we see a group focused on South-East Asia taking a major leap\r\nforward. Tomorrow, they may decide they’re ready to take on the whole world.\r\nIndicators of Compromise\r\nFile Hashes\r\nDomains\r\nSource: https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/"
	],
	"report_names": [
		"101243"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/894e846a5a3097ae4794e98ce887b94b25ecf4e7.pdf",
		"text": "https://archive.orkl.eu/894e846a5a3097ae4794e98ce887b94b25ecf4e7.txt",
		"img": "https://archive.orkl.eu/894e846a5a3097ae4794e98ce887b94b25ecf4e7.jpg"
	}
}