Goblin Panda – One of the World’s Most Active APTs

When considering global threat actors and the impact these groups can have on different geographical regions and industries, we’d be remiss to not spend some time talking about Goblin Panda, considered by Prevailion to be one of the most active Advanced Persistent Threat (APT) groups in the world today.

According to the Council on Foreign Relations, “This threat actor targets government agencies and entities in the defense and energy sectors in Southeast Asia with an interest in issues related to tensions in the South China Sea.”

Goblin Panda’s Activity

According to Prevailian’s threat intelligence platform, this APT has been active in countries from the US to Asia, including India, Japan, South Korea, Vietnam and Australia as well as throughout Europe, the Middle East and Africa (EMEA).

Prevailion has also observed that Goblin Panda is three times more active than another major Chinese group, Mustang Panda. While it has been widely reported that the APT targets governments, it also targets many different industries and seemingly goes after well known names within those industries. Prevailion has detected that  these industries include well known US tech companies, prominent cybersecurity companies, large telecoms and financial institutions as well as one of the world’s largest oil companies. It has also targeted privacy groups and four large universities in the US. 

Believed to be backed by the Chinese government, Goblin Panda has grown increasingly infamous since it was first identified in 2013. In 2018, multiple reports attributed attacks on Vietnam to the APT. Kaspersky’s 2019 APT Report noted that Cycldek, (also known as Goblin Panda and Conimes) had become notorious for its information stealing and espionage campaigns that target both government entities–such as defense and energy–and the private sector using PlugX and HttpTunnel malware variants, Digital News Asia reported. 

Goblin Panda has also been reported to leverage “a custom-designed stealthy tool called ‘USBCulprit’, which has sophisticated information-leeching capabilities, especially when used on an air-gapped system.” 

Security researchers have warned about the APT’s use of this fairly new espionage tool to target air gapped systems, which reportedly uses rich-text format (RTF) documents to deliver Remote Access Trojans. 

“We believe Goblin Panda to be a sophisticated threat actor with a broader target list than what has been previously revealed,” said Prevailion CEO and Founder Karim Hijazi. “In our own intelligence gathering activities, we have found their activities to be extensive, and not at all limited to Southeast Asia. Private sector CISOs should carefully evaluate their partners and supply chains, not only in Southeast Asia, but also in India, the Middle East and Africa.”