{
	"id": "92ecb123-a160-40c3-a774-4754a41477d5",
	"created_at": "2026-04-06T00:12:56.48691Z",
	"updated_at": "2026-04-10T03:34:17.29197Z",
	"deleted_at": null,
	"sha1_hash": "9eee43fb3394d1fb7bb1b70e45b1eb78a184fc0b",
	"title": "Kingdom targeted by new malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 143465,
	"plain_text": "Kingdom targeted by new malware\r\nBy The Phnom Penh Post\r\nArchived: 2026-04-05 12:54:40 UTC\r\nPeople browse the internet in a café in Phnom Penh last year. A new report from Palo Alto Networks has identified a new strain of malicious software targeting the Kingdom.\r\nThe Kingdom’s computer networks, including government servers, are reported to be the targets of a virus unique to Cambodia and deployed through spam emails and phishing campaigns, which lure victims with emails disguised as official communications, though officials yesterday maintained they were unaffected.\r\nFirst reported by the cybersecurity firm Palo Alto Networks over the weekend, the attacks are a form of Trojan – or malware disguised as legitimate software – known as “KHRAT”, which began circulating in late June.\r\nAttackers used a weaponised Word document in an email attachment labelled “MIWRMP phase 3”, a reference to the $15 million World Bank-funded Mekong Integrated Water Resources Management Phase 3 Project.\r\nAccording to the security firm’s report, the virus grants hackers “access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on”.\r\nhttps://www.phnompenhpost.com/national/kingdom-targeted-new-malware\r\nPage 1 of 3\r\n“We believe this malware, the infrastructure being used, and the TTPs [tactics, techniques and procedures] highlight a more sophisticated threat actor group, which we will continue to monitor closely and report on as necessary,” Palo Alto’s report notes, adding that the attack compromised Cambodian government servers.\r\nChea Pov, head of the Interior Ministry’s cybercrime unit, said while he was aware of the type of attack, he had received no indication government officials, websites or servers had been affected. “If this problem happens among our officials or institutions, they will submit the complaint to us, but now I have not seen any. If we receive any complaint, we will work out how to deal with it,” he said.\r\nAccording to the World Bank website, the Mekong water management project is designed “to establish the foundation for the effective management of water resources and fisheries in the project areas of northeast Cambodia”.\r\nThe project also falls within the framework of the Mekong River Commission’s (MRC) work on water management. Inquiries to the MRC and World Bank went unanswered yesterday.\r\nTe Navuth, general secretary of the project’s implementing partner, the Cambodia National Mekong Committee, said he was previously unaware of the cyber threat. “Now that I know about it, I will have to think first about how this issue should be dealt with,” he said.\r\nCybersecurity expert Niklas Femerstrand in an email yesterday pointed out that while servers in several different countries appear to be the origin of the attack, it has been linked to the DragonOK campaign.\r\n“The DragonOK campaign has previously [in 2014] targeted organizations in Taiwan, Japan, Tibet and Russia, and political organizations in Cambodia since at least January, 2017,” he wrote, adding that there are “strong indications” the campaign is “an operation funded by China”.\r\n“They’re looking for any intelligence from anybody, and most probably this is linked to a wider Advanced Persistent Threat operation . . . of which right now we are only seeing the iceberg tip,” he wrote, referring to a continuous covert hacking process used to target a specific entity.\r\nProfessor Carlyle Thayer, an Asian security expert at the University of New South Wales, noted Chinese state-sponsored hacking is not necessarily always targeted, but did recall that earlier this year “Chinese directed phishing attacks against Cambodian citizens was reported”, and that some “seemed directed at opposition political parties”.\r\n“While some hacking is specific, other hacking efforts are designed just to gather information to expand files and data bases,” he wrote.\r\nAccording to Femerstrand, the best protection is to not open unexpected attachments in emails from unverified senders and to be wary of external links in documents, in addition to keeping antivirus software up to date.\r\nSource: https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware"
	],
	"report_names": [
		"kingdom-targeted-new-malware"
	],
	"threat_actors": [
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9eee43fb3394d1fb7bb1b70e45b1eb78a184fc0b.pdf",
		"text": "https://archive.orkl.eu/9eee43fb3394d1fb7bb1b70e45b1eb78a184fc0b.txt",
		"img": "https://archive.orkl.eu/9eee43fb3394d1fb7bb1b70e45b1eb78a184fc0b.jpg"
	}
}