Goblin Panda – One of the World’s Most Active APTs

2 October 2020

When considering global threat actors and the impact these groups can have on different geographical regions and industries, we would be remiss not to spend some time on Goblin Panda, which Prevailion considers to be one of the most active Advanced Persistent Threat (APT) groups in the world today.

According to the Council on Foreign Relations, “This threat actor targets government agencies and entities in the defense and energy sectors in Southeast Asia with an interest in issues related to tensions in the South China Sea.”

Goblin Panda’s Activity

According to Prevailion's threat intelligence platform, this APT has been active in countries from the US to Asia, including India, Japan, South Korea, Vietnam and Australia, as well as throughout Europe, the Middle East and Africa (EMEA).

Prevailion has also observed that Goblin Panda is three times more active than another major Chinese group, Mustang Panda. While it has been widely reported that the APT targets governments, it also targets many different industries and seemingly goes after well-known names within them. Prevailion has detected targeting of well-known US tech companies, prominent cybersecurity companies, large telecoms and financial institutions, and one of the world's largest oil companies. It has also targeted privacy groups and four large universities in the US.

Believed to be backed by the Chinese government, Goblin Panda has grown increasingly infamous since it was first identified in 2013. In 2018, multiple reports attributed attacks on Vietnam to the APT. As Digital News Asia reported, Kaspersky's 2019 APT report noted that Cycldek (also known as Goblin Panda and Conimes) had become notorious for information-stealing and espionage campaigns that target both government entities, such as defense and energy, and the private sector, using PlugX and HttpTunnel malware variants.

Goblin Panda has also been reported to leverage “a custom-designed stealthy tool called ‘USBCulprit’, which has sophisticated information-leeching capabilities, especially when used on an air-gapped system.” 

Security researchers have warned about the APT's use of this fairly new espionage tool against air-gapped systems. The campaign reportedly uses rich-text format (RTF) documents to deliver Remote Access Trojans, with USBCulprit then moving across removable drives to reach machines that have no network path to the attacker.

“We believe Goblin Panda to be a sophisticated threat actor with a broader target list than what has been previously revealed,” said Prevailion CEO and Founder Karim Hijazi. “In our own intelligence gathering activities, we have found their activities to be extensive, and not at all limited to Southeast Asia. Private sector CISOs should carefully evaluate their partners and supply chains, not only in Southeast Asia, but also in India, the Middle East and Africa.”


Copyright 2021 Prevailion, Inc. All rights reserved.    
