Acronis Threat Research Unit has uncovered a previously unreported Khmer Shadow espionage campaign that uses a custom loader to breach Cambodian defense and public works agencies. The threat cluster delivered a new malware family called NIGHTFORGE through spear-phishing emails bearing government-themed lures.
According to Acronis, the campaign shows “espionage-motivated” targeting and is “likely aligned with regional intelligence collection interests in Southeast Asia.” Two victims stand out: Cambodia’s Information Collection Bureau under the Ministry of National Defense and the Ministry of Public Works and Transport.
Weaponizing Legitimate Binaries

The Khmer Shadow espionage campaign begins with a deceptive email. Recipients see a file like “Contact_Letter_To_Ms_Pech_ICB_Cambodia_On_Collaboration.pdf.exe,” which is actually a self-extracting archive hiding malware.
Inside, the attackers stage a DLL sideloading attack using a legitimate VMware-signed binary. Acronis explains that “VMwareNamespaceCmd.exe is a legitimate VMware-signed binary that statically imports several functions from vmtools.dll. As a result, Windows automatically loads the malicious DLL before the application begins execution.”
This technique turns a trusted file into a Trojan horse. The malicious vmtools.dll acts as the NIGHTFORGE loader, which decrypts and launches a Havoc Demon implant directly in memory, leaving no traces on disk.
Advanced Evasion Tactics
The NIGHTFORGE loader includes multiple anti-analysis features. It unhooks NTDLL to bypass malware defenses, uses the Hell’s Gate technique to call Windows APIs covertly via syscalls, and injects shellcode directly into memory.
Persistence is clever too. Rather than a simple registry key, Khmer Shadow establishes persistence by creating a scheduled task called “VMwareNamespace” that blends with legitimate entries.
The final payload, Havoc Demon, communicates with its command-and-control server over HTTPS, disguising traffic as normal Chrome browser activity. Acronis notes the implant uses “a Chrome user-agent string and standard browser headers” to evade network detection.
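The sideloading chain and the scheduled-task persistence described above leave two host-level signals a defender can check for: a DLL with a trusted vendor name mapped from outside its vendor install directory (and from the same folder as the executable that imports it), and a task named after a legitimate VMware component. The following is an added detection example, not code from Acronis or the report; the Sysmon-like events are constructed, and the expected VMware Tools install directory is an assumption.

```python
"""Flag the NIGHTFORGE-style sideloading and persistence pattern in
constructed, Sysmon-like image-load and task-creation records."""
from dataclasses import dataclass
import ntpath

# Assumption: where the genuine vmtools.dll is expected to live on a host
# with VMware Tools installed. Anything else is a sideloading candidate.
EXPECTED_DLL_DIRS = {"vmtools.dll": r"c:\program files\vmware\vmware tools"}
# Scheduled task name reported for the campaign.
SUSPICIOUS_TASK_NAMES = {"vmwarenamespace"}


@dataclass
class ImageLoad:
    process_image: str  # full path of the process that mapped the DLL
    loaded_image: str   # full path of the DLL that was mapped
    signed: bool        # whether the mapped DLL carried a valid signature


def sideload_findings(events):
    """Return one finding per image load that matches the sideload pattern."""
    findings = []
    for ev in events:
        dll = ntpath.basename(ev.loaded_image).lower()
        expected = EXPECTED_DLL_DIRS.get(dll)
        if expected is None:
            continue  # not a DLL name we track
        dll_dir = ntpath.dirname(ev.loaded_image).lower()
        proc_dir = ntpath.dirname(ev.process_image).lower()
        proc = ntpath.basename(ev.process_image).lower()
        # Sideloading signature: trusted DLL name, loaded from outside the
        # vendor directory, sitting beside the importing EXE or unsigned.
        if dll_dir != expected and (dll_dir == proc_dir or not ev.signed):
            findings.append(f"{dll} sideloaded from {dll_dir} by {proc}")
    return findings


def task_findings(task_names):
    """Return scheduled task names matching the campaign's persistence name."""
    return [t for t in task_names if t.lower() in SUSPICIOUS_TASK_NAMES]


# Constructed sample telemetry: one benign load, one sideload, one unrelated.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
              r"C:\Program Files\VMware\VMware Tools\vmtools.dll", True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\sfx\VMwareNamespaceCmd.exe",
              r"C:\Users\victim\AppData\Local\Temp\sfx\vmtools.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll", True),
]
SAMPLE_TASKS = ["GoogleUpdateTaskMachine", "VMwareNamespace", "OneDrive Standalone"]
```

Running `sideload_findings(SAMPLE_LOADS)` yields a single finding for the VMwareNamespaceCmd.exe load from the temp folder, and `task_findings(SAMPLE_TASKS)` returns the one suspicious task name.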
Social Engineering That Hits Home
What makes this Khmer Shadow espionage campaign effective is the lure’s credibility. The decoy letter references a supposed “mission in May 2026” and mentions real-sounding organizational details. Acronis observed that the attackers “attempted to incorporate organization-specific details into the lure to enhance its credibility.”
The sender signs off as “Chen Minglong from a Development and Investment Division based in Beijing,” posing the message as routine bilateral cooperation correspondence between China and Cambodia. For a defense official, such a document would seem unremarkable, which is exactly the point.
Infrastructure Linkage and Attribution
The Khmer Shadow espionage campaign operated from at least two servers. The primary C2, sharingfile[.]cloud, sits behind Cloudflare protection. A second server, linkednewsapi[.]top, shares identical infrastructure fingerprints, certificates, and response patterns.
Despite the advanced tradecraft, Acronis stopped short of attribution. The firm stated that “we are not attributing this activity to any known actor at this time.” The use of DLL sideloading, for instance, mirrors past APT29 campaigns, but that technique is widely shared across groups.
Still, the focus on Cambodian government targets is unmistakable.
In short, this Khmer Shadow espionage campaign shows how state-aligned operators blend social engineering, custom malware, and infrastructure discipline to pursue intelligence collection against Southeast Asian governments.