{
	"id": "490a4522-41b5-4644-a66f-f0cee9913569",
	"created_at": "2026-04-06T00:07:15.917193Z",
	"updated_at": "2026-04-10T03:38:01.710906Z",
	"deleted_at": null,
	"sha1_hash": "b543f8f071dd258eccfb2b89442a6a73c2ad00ce",
	"title": "Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 622597,
	"plain_text": "Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally | Mandiant\r\nBy Mandiant\r\nPublished: 2018-07-10 · Archived: 2026-04-05 16:28:09 UTC\r\nWritten by: Scott Henderson, Steve Miller, Dan Perez, Marcin Siedlarz, Ben Wilson, Ben Read\r\nIntroduction\r\nFireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run-up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other, more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.\r\nOverall, this activity indicates that the group maintains an extensive intrusion architecture and a wide array of malicious tools, and targets a large victim set, which is in line with typical China-based APT efforts. We expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. Additionally, this group is clearly able to run several large-scale intrusions concurrently across a wide range of victim types.\r\nOur analysis also strengthened our overall attribution of this group. We observed the toolsets we previously attributed to this group, their observed targets are in line with past group efforts and also highly similar to known Chinese APT efforts, and we identified an IP address originating in Hainan, China that was used to remotely access and administer a command and control (C2) server.\r\nTEMP.Periscope Background\r\nActive since at least 2013, TEMP.Periscope has primarily focused on maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities (targeting is summarized in Figure 1). The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. TEMP.Periscope overlaps in targeting, as well as tactics, techniques, and procedures (TTPs), with TEMP.Jumper, a group that also overlaps significantly with public reporting by Proofpoint and F-Secure on \"NanHaiShu.\"\r\nhttps://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html\r\nPage 1 of 7\r\nFigure 1: Summary of TEMP.Periscope activity\r\nIncident Background\r\nFireEye analyzed files on three open indexes believed to be controlled by TEMP.Periscope, which yielded insight into the group's objectives, operational tactics, and a significant amount of technical attribution/validation. These files were \"open indexed\" and thus accessible to anyone on the public internet. This TEMP.Periscope activity on these servers extends from at least April 2017 to the present, with the most current operations focusing on Cambodia's government and elections.\r\nTwo servers, chemscalere[.]com and scsnewstoday[.]com, operate as typical C2 servers and hosting sites, while the third, mlcdailynews[.]com, functions as an active SCANBOX server. The C2 servers contained both logs and malware.\r\nAnalysis of logs from the three servers revealed:\r\n- Potential actor logins from an IP address located in Hainan, China that was used to remotely access and administer the servers, and to interact with malware deployed at victim organizations.\r\n- Malware command and control check-ins from victim organizations in the education, aviation, chemical, defense, government, maritime, and technology sectors across multiple regions. FireEye has notified all of the victims that we were able to identify.\r\n- Malware belonging both to new families (DADBOD, EVILTECH) and to previously identified families (AIRBREAK, HOMEFRY, MURKYTOP, HTRAN, and SCANBOX).\r\nCompromises of Cambodian Election Entities\r\nAnalysis of command and control logs on the servers revealed compromises of multiple Cambodian entities, primarily those relating to the upcoming July 2018 elections. In addition, a separate spear phishing email analyzed by FireEye indicates concurrent targeting of opposition figures within Cambodia by TEMP.Periscope.\r\nAnalysis indicated that the following Cambodian government organizations and individuals were compromised by TEMP.Periscope:\r\n- National Election Commission, Ministry of the Interior, Ministry of Foreign Affairs and International Cooperation, Cambodian Senate, Ministry of Economics and Finance\r\n- Member of Parliament representing the Cambodia National Rescue Party\r\n- Multiple Cambodians advocating human rights and democracy who have written critically of the current ruling party\r\n- Two Cambodian diplomats serving overseas\r\n- Multiple Cambodian media entities\r\nTEMP.Periscope sent a spear phish with AIRBREAK malware to Monovithya Kem, Deputy Director-General, Public Affairs, Cambodia National Rescue Party (CNRP), and the daughter of (imprisoned) Cambodian opposition party leader Kem Sokha (Figure 2). The decoy document purports to come from LICADHO (a non-governmental organization [NGO] in Cambodia established in 1992 to promote human rights). This sample leveraged scsnewstoday[.]com for C2.\r\nFigure 2: Human rights protection survey lure\r\nThe decoy document \"Interview Questions.docx\" (MD5: ba1e5b539c3ae21c756c48a8b5281b7e) is tied to AIRBREAK downloaders of the same name. The questions reference the opposition Cambodia National Rescue Party, human rights, and the election (Figure 3).\r\nFigure 3: Interview questions decoy\r\nInfrastructure Also Used for Operations Against Private Companies\r\nThe aforementioned malicious infrastructure was also used against private companies in Asia, Europe and North America. These companies are in a wide range of industries, including academia, aviation, chemicals, maritime, and technology. A MURKYTOP sample from 2017 and data contained in a file linked to chemscalere[.]com suggest that a corporation involved in the U.S. defense industrial base (DIB), possibly related to maritime research, was compromised. Many of these compromises are in line with TEMP.Periscope’s previous activity targeting the maritime and defense industries. However, we also uncovered the compromise of a European chemical company with a presence in Asia, demonstrating that this group is a threat to businesses worldwide, particularly those with ties to Asia.\r\nAIRBREAK Downloaders and Droppers Reveal Lure Indicators\r\nFilenames for AIRBREAK downloaders found on the open indexed sites also suggest the ongoing targeting of interests associated with Asian geopolitics. In addition, analysis of AIRBREAK downloader sites revealed a related server that underscores TEMP.Periscope's interest in Cambodian politics.\r\nThe AIRBREAK downloaders in Table 1 redirect intended victims to the indicated sites to display a legitimate decoy document while downloading an AIRBREAK payload from one of the identified C2s. Of note, the hosting sites for the legitimate documents were not compromised. An additional C2 domain, partyforumseasia[.]com, was identified as the callback for an AIRBREAK downloader referencing the Cambodia National Rescue Party.\r\nRedirect Site (Not Malicious) | AIRBREAK Downloader (MD5) | AIRBREAK C2\r\nen.freshnewsasia.com/index.php/en/8623-2018-04-26-10-12-46.html | TOP_NEWS_Japan_to_Support_the_Election.js (3c51c89078139337c2c92e084bb0904c) [Figure 4] | chemscalere[.]com\r\niric.gov.kh/LICADHO/Interview-Questions.pdf | [pdf]Interview-Questions.pdf.js (e413b45a04bf5f812912772f4a14650f) | scsnewstoday[.]com (shared cell in the original table, covering all three Interview Questions downloaders)\r\niric.gov.kh/LICADHO/Interview-Questions.pdf | [docx]Interview-Questions.docx.js (cf027a4829c9364d40dcab3f14c1f6b7) | scsnewstoday[.]com\r\nunknown | Interview_Questions.docx.js (c8fdd2b2ddec970fa69272fdf5ee86cc) | scsnewstoday[.]com\r\natimes.com/article/philippines-draws-three-hard-new-lines-on-china/ | Philippines-draws-three-hard-new-lines-on-china .js (5d6ad552f1d1b5cfe99ddb0e2bb51fd7) | mlcdailynews[.]com\r\nfacebook.com/CNR.Movement/videos/190313618267633/ | CNR.Movement.mp4.js (217d40ccd91160c152e5fce0143b16ef) | partyforumseasia[.]com\r\nTable 1: AIRBREAK downloaders\r\nFigure 4: Decoy document associated with AIRBREAK downloader file TOP_NEWS_Japan_to_Support_the_Election.js\r\nSCANBOX Activity Gives Hints to Future Operations\r\nThe active SCANBOX server, mlcdailynews[.]com, is hosting articles related to the current Cambodian campaign and broader operations. Articles found on the server indicate targeting of those with interests in U.S.-East Asia geopolitics and Russia and NATO affairs. Victims are likely brought to the SCANBOX server either via strategic website compromise or via malicious links in targeted emails, with the article presented as decoy material. The articles come from open-source reporting readily available online. Figure 5 is a SCANBOX welcome page and Table 2 is a list of the articles found on the server.\r\nFigure 5: SCANBOX welcome page\r\nCopied Article Topic | Article Source (Not Compromised)\r\nLeaders confident yet nervous | Khmer Times\r\nMahathir_ 'We want to be friendly with China | Khmer Times\r\nPM urges voters to support CPP for peace | Khmer Times\r\nCPP determined to maintain Kingdom's peace and development | Khmer Times\r\nBun Chhay's wife dies at 60 | Khmer Times\r\nCrackdown planned on boycott callers | Khmer Times\r\nFurther floods coming to Kingdom | Khmer Times\r\nKem Sokha again denied bail | Khmer Times\r\nPM vows to stay on as premier to quash traitors | Khmer Times\r\nIran_ Don't trust Trump | Fresh News\r\nKim-Trump summit_ Singapore's role | Fresh News\r\nTrump's North Korea summit may bring peace declaration - but at a cost | Reuters\r\nU.S. pushes NATO to ready more forces to deter Russian threat | Reuters\r\nus-nato-russia_us-pushes-nato-to-ready-more-forces-to-deter-russian-threat | Reuters\r\nInterior Minister Sar Kheng warns of dirty tricks | Phnom Penh Post\r\nAnother player to enter market for cashless pay | Phnom Penh Post\r\nDonald Trump says he has 'absolute right' to pardon himself but he's done nothing wrong - Donald Trump's America | ABC News\r\nChina-funded national road inaugurated in Cambodia | The Cambodia Daily\r\nKim and Trump in first summit session in Singapore | Asia Times\r\nU.S. to suspend military exercises with South Korea, Trump says | U.S. News\r\nRainsy defamed the King_ Hun Sen | BREAKING NEWS\r\ncambodia-opposition-leader-denied-bail-again-in-treason-case | Associated Press\r\nTable 2: SCANBOX articles copied to server (in the original table, a source listed once covers the consecutive rows beneath it)\r\nTEMP.Periscope Malware Suite\r\nAnalysis of the malware inventory contained on the three servers found a classic suite of TEMP.Periscope payloads, including the signature AIRBREAK, MURKYTOP, and HOMEFRY. In addition, FireEye’s analysis identified new tools, EVILTECH and DADBOD (Table 3).\r\nMalware | Function | Details\r\nEVILTECH | Backdoor | EVILTECH is a JavaScript sample that implements a simple RAT with support for uploading, downloading, and running arbitrary JavaScript. During the infection process, EVILTECH is run on the system, which then causes a redirect and possibly the download of additional malware or a connection to another attacker-controlled system.\r\nDADBOD | Credential Theft | DADBOD is a tool used to steal user cookies. Analysis of this malware is still ongoing.\r\nTable 3: New additions to the TEMP.Periscope malware suite\r\nData from Logs Strengthens Attribution to China\r\nOur analysis of the servers and surrounding data in this latest campaign bolsters our previous assessment that TEMP.Periscope is likely Chinese in origin. Data from a control panel access log indicates that operators are based in China and are operating on computers with Chinese language settings.\r\nA log on the server revealed IP addresses that had been used to log in to the software used to communicate with malware on victim machines. One of the IP addresses, 112.66.188.28, is located in Hainan, China. Other addresses belong to virtual private servers, but artifacts indicate that the computers used to log in were, in all cases, configured with Chinese language settings.\r\nOutlook and Implications\r\nThe activity uncovered here offers new insight into TEMP.Periscope’s activity. We were previously aware of this actor’s interest in maritime affairs, but this compromise gives additional indications that it will target the political systems of strategically important countries. Notably, Cambodia has served as a reliable supporter of China’s South China Sea position in international forums such as ASEAN and is an important partner. While Cambodia is rated as Authoritarian by the Economist’s Democracy Index, the recent surprise upset of the ruling party in Malaysia may motivate China to closely monitor Cambodia’s July 29 elections.\r\nThe targeting of the election commission is particularly significant, given the critical role it plays in facilitating voting. There is not yet enough information to determine why the organization was compromised, whether simply to gather intelligence or as part of a more complex operation. Regardless, this incident is the most recent example of aggressive nation-state intelligence collection on election processes worldwide.\r\nWe expect TEMP.Periscope to continue targeting a wide range of government and military agencies, international organizations, and private industry. However focused this group may be on maritime issues, several incidents underscore its broad reach, which has included European firms doing business in Southeast Asia and the internal affairs of littoral nations. FireEye expects TEMP.Periscope will remain a virulent threat for those operating in the area for the foreseeable future.\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html"
	],
	"report_names": [
		"chinese-espionage-group-targets-cambodia-ahead-of-elections.html"
	],
	"threat_actors": [
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b543f8f071dd258eccfb2b89442a6a73c2ad00ce.pdf",
		"text": "https://archive.orkl.eu/b543f8f071dd258eccfb2b89442a6a73c2ad00ce.txt",
		"img": "https://archive.orkl.eu/b543f8f071dd258eccfb2b89442a6a73c2ad00ce.jpg"
	}
}