{
	"id": "79ee1597-c088-4ef0-aa9b-296f5ddaee0f",
	"created_at": "2026-04-06T00:11:19.774367Z",
	"updated_at": "2026-04-10T03:37:19.300354Z",
	"deleted_at": null,
	"sha1_hash": "aa8e8d8c27e8e6670cbd6f9d4b3f13dc5dbbb746",
	"title": "Goblin Panda against the Bears",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1466098,
	"plain_text": "Goblin Panda against the Bears\r\nBy Sebdraven\r\nPublished: 2018-08-03 · Archived: 2026-04-05 16:01:09 UTC\r\nDuring my last investigation (here), I found two malicious RTF documents using the same techniques to exploit CVE-2017-11882:\r\nA file 8.t in %TMP% with a Package OLE object\r\nThe same decryption loop\r\nThe same RunPE after overwriting EQNEDT32.exe in memory\r\nBut the payload is really different. It is not a version of PlugX but a version of Sisfader, studied by NCC Group.\r\nhttps://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8570-rtf-and-the-sisfader-rat/\r\nWith the behaviour graph of Joe Sandbox, we can recognise the same interactions with the operating system as in my last article and in the NCC Group paper.\r\nBehaviour of the malware\r\nThe difference from the version studied by NCC Group is the Package OLE object. In the NCC Group article, the researchers describe an SCT file and a lot of JavaScript manipulation to drop the RAT on disk and start it.\r\nhttps://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4\r\nPage 1 of 9\r\nHere, the payload is encrypted in the 8.t file.\r\nIf we analyse the overwritten EQNEDT32.exe to identify the payload, we find the same anti-emulation technique with the same value.\r\nIn a thread, the process posts the value 5ACE8D0Ah to a message queue.\r\nAnti-emulation tricks\r\nThe check calls GetMessage() and the value is stored in EAX in the function sub_401A60. The comparison is made in the calling function sub_4027D0.\r\nAnti-emulation check\r\nJust after that, we find again the decryption loop for the config.\r\nCall to the decryption loop\r\nDecryption loop for the config\r\nIt is the same algorithm as described before: a simple XOR loop with a rolling key.\r\nThe persistence mechanism is the same: a service is created just after several files are dropped and privileges are escalated.\r\nWe find the same names for the DLL files.\r\nPersistence and loading agent\r\nThe malware overwrites the COM object {9BA05972-F6A8-11CF-A442-00A0C90A8F39} so that it executes whenever this COM object is called, which provides persistence.\r\nCOM object adding\r\nAll the evidence shows that this is the same payload: Sisfader RAT.\r\nThreat Intel\r\nThe toolset used to exploit the Equation Editor module is the same one used by Goblin Panda (APT 1937CN) in the compromise of Vietnamese officials.\r\nIf we check the domain contacted by EQNEDT32.exe, it is kmbk8.hicp.net. This address is a really good pivot. It makes the link between Goblin Panda and Sisfader RAT.\r\nAnd the infrastructure is very interesting: this domain resolved to three IPs:\r\n122.158.140.100, 122.158.140.100 and 103.255.45.200\r\nThese addresses allow us to find other domains:\r\nSd123.eicp.net with the new IP 180.131.58.9 and cv3sa.gicp.net with the new IP 1.188.233.201\r\nInfrastructure\r\nThe IP address 103.255.45.200 hosts two domains:\r\nwww.36106g.com\r\n36106g.com\r\nInfrastructure\r\nAll the infrastructure is based in Shanghai.\r\nThe victims are different from those of the Vietnamese campaign.\r\nThey targeted telecom firms while pretending to be the Russian intelligence service (FSB).\r\nRTF content\r\nSo Goblin Panda targets the telecom industry in Russia, as described in the CrowdStrike report https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf\r\nConclusion\r\nGoblin Panda used Sisfader RAT to target Russian telecom firms with the same exploitation techniques used against Vietnamese officials. They have updated their techniques since the NCC Group report.\r\nIOCs:\r\nRtfs:\r\n722e5d3dcc8945f69135dc381a15b5cad9723cd11f7ea20991a3ab867d9428c7\r\n71c94bb0944eb59cb79726b20177fb2cd84bf9b4d33b0efbe9aed58bb2b43e9c\r\nDomains IP:\r\nSource: https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4"
	],
	"report_names": [
		"gobelin-panda-against-the-bears-1f462d00e3a4"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f21d7691-a720-46bb-81d7-11edb9f73eba",
			"created_at": "2023-11-08T02:00:07.126478Z",
			"updated_at": "2026-04-10T02:00:03.420826Z",
			"deleted_at": null,
			"main_name": "1937CN",
			"aliases": [],
			"source_name": "MISPGALAXY:1937CN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa8e8d8c27e8e6670cbd6f9d4b3f13dc5dbbb746.pdf",
		"text": "https://archive.orkl.eu/aa8e8d8c27e8e6670cbd6f9d4b3f13dc5dbbb746.txt",
		"img": "https://archive.orkl.eu/aa8e8d8c27e8e6670cbd6f9d4b3f13dc5dbbb746.jpg"
	}
}