Goblin Panda – One of the World’s Most Active APTs

2 October 2020

When considering global threat actors and the impact these groups can have on different geographical regions and industries, we’d be remiss not to spend some time talking about Goblin Panda, considered by Prevailion to be one of the most active Advanced Persistent Threat (APT) groups in the world today.

According to the Council on Foreign Relations, “This threat actor targets government agencies and entities in the defense and energy sectors in Southeast Asia with an interest in issues related to tensions in the South China Sea.”

Goblin Panda’s Activity

According to Prevailion’s threat intelligence platform, this APT has been active in countries from the US to Asia, including India, Japan, South Korea, Vietnam and Australia, as well as throughout Europe, the Middle East and Africa (EMEA).

Prevailion has also observed that Goblin Panda is three times more active than another major Chinese group, Mustang Panda. While it has been widely reported that the APT targets governments, it also targets many different industries and seemingly goes after well-known names within those industries. Prevailion has detected that these industries include well-known US tech companies, prominent cybersecurity companies, large telecoms and financial institutions, as well as one of the world’s largest oil companies. It has also targeted privacy groups and four large universities in the US.

Believed to be backed by the Chinese government, Goblin Panda has grown increasingly infamous since it was first identified in 2013. In 2018, multiple reports attributed attacks on Vietnam to the APT. Kaspersky’s 2019 APT Report noted that Cycldek (also known as Goblin Panda and Conimes) had become notorious for its information-stealing and espionage campaigns, which target both government entities (such as defense and energy) and the private sector using PlugX and HttpTunnel malware variants, Digital News Asia reported.

Goblin Panda has also been reported to leverage “a custom-designed stealthy tool called ‘USBCulprit’, which has sophisticated information-leeching capabilities, especially when used on an air-gapped system.”

Security researchers have warned about the APT’s use of this fairly new espionage tool against air-gapped systems; the campaign reportedly uses rich-text format (RTF) documents to deliver Remote Access Trojans.

“We believe Goblin Panda to be a sophisticated threat actor with a broader target list than what has been previously revealed,” said Prevailion CEO and Founder Karim Hijazi. “In our own intelligence gathering activities, we have found their activities to be extensive, and not at all limited to Southeast Asia. Private sector CISOs should carefully evaluate their partners and supply chains, not only in Southeast Asia, but also in India, the Middle East and Africa.”


Copyright 2023 Prevailion, Inc. All rights reserved.
