Hackers Abuse VMware-Signed Binary to Sideload NIGHTFORGE Loader in Espionage Attacks

Jun 11, 2026 · 5 min read

A newly uncovered espionage operation has been quietly targeting government institutions in Cambodia, and the method behind it is as clever as it is alarming.

Threat actors have been abusing a legitimate, digitally signed VMware binary to slip a custom malicious loader called NIGHTFORGE onto victim systems.

This technique, known as DLL sideloading, lets attackers hide behind a trusted application and avoid raising alarms with most security tools.

The campaign, tracked under the name “Khmer Shadow,” appears to be running with a clear focus on intelligence gathering.

Targets include defense-related bodies and public infrastructure agencies in Cambodia, suggesting the goal is regional strategic intelligence rather than financial gain.

The activity points to a well-resourced threat actor with deep knowledge of evasion tactics and clear interest in Southeast Asian geopolitical affairs.

Analysts at Acronis Threat Research Unit (TRU) identified the campaign and noted it as part of two closely related but distinct espionage operations sharing nearly identical tooling and infrastructure.

Acronis TRU said in a report shared with Cyber Security News (CSN) that the activity is espionage-motivated and likely aligned with regional intelligence collection interests in Southeast Asia.

The two campaigns share the same loader, the same final payload, and even the same command-and-control infrastructure, pointing strongly to a single threat cluster that Acronis tracks as Amber Saolao.

Both used government-themed lure documents to trick recipients into launching the infection chain. The consistent reuse of tooling and infrastructure across both campaigns suggests this group has been operating quietly for some time.

What makes this threat particularly notable is the use of a legitimate VMware binary, VmwareSampling.exe, to load malicious code. Because the executable is signed by VMware, most security products would not block or flag it on sight.

Hackers Abuse VMware-Signed Binary

The initial intrusion begins with a compressed archive delivered through phishing.

Inside, victims find a government-themed document designed to resemble a legitimate diplomatic communication, alongside the signed VMware executable and a malicious DLL placed in the same directory.

Attack chain (Source - Acronis)

When the victim runs the executable, it automatically loads the poisoned DLL, which acts as the NIGHTFORGE loader.

NIGHTFORGE is not a simple dropper: it first unhooks ntdll.dll, mapping a clean copy from disk over the loaded one to strip away the monitoring hooks that security tools place on Windows system-call stubs.

It then uses a technique called HellsGate to resolve system call numbers at runtime, completely bypassing the usual API paths that security products watch.

Once evasion is complete, the loader decrypts a Havoc Demon payload and injects it directly into memory, so no payload file is written to disk.

Havoc is an open-source command-and-control framework and Demon is its implant; both are commonly used in red team operations but increasingly abused in real attacks.

Execution script found inside the SFX-compressed executable (Source - Acronis)

It gives the operator full remote control over the infected machine, including command execution, file access, and credential harvesting.

The implant communicates with its command-and-control servers over port 443, blending in with ordinary web traffic to slip past network monitoring tools.

Persistence and C2 Infrastructure

Once the implant is active, NIGHTFORGE establishes persistence by creating a scheduled task under the name VmwareSampling, deliberately mirroring the legitimate VMware binary it arrived with.

This naming choice helps the malicious task blend into normal VMware-related entries that administrators might overlook in a task list, reducing the chance of manual detection.

The C2 infrastructure across both campaigns is nearly identical. The domain saornfila[.]loU served as the primary command-and-control address, with traffic routed through a Cloudflare-based reverse proxy to conceal the true origin server.

Origin server details using CriminalIP (Source - Acronis)

The actual backend, identified during analysis, was hosted in Ukraine, while a second previously unknown server in the United States was also discovered serving a connected domain.

Acronis researchers recommend that organizations enforce strict controls on DLL loading paths and apply application allowlisting to block unauthorized executables.

Security teams should also monitor scheduled task creation for entries that mimic legitimate software names, and configure alerts on processes that map a fresh copy of ntdll.dll and overwrite the loaded one, a reliable indicator of the in-memory evasion tied to this loader family.
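As an added defender-side example, not code from the article or from Acronis, the following Python applies the two detection ideas above, the sideload pattern from the infection chain (a signed VMware executable loading an unsigned DLL from the same folder) and the scheduled-task name mimicry, to constructed event records. The record field names and the vendor-binary inventory are assumptions, not real Sysmon or Windows event field names.

```python
# Added example, not from the article or Acronis: detection logic over constructed
# event records (field names are assumed, not exact Sysmon/Windows field names).
# Rule 1, dll_sideload: a signed EXE loads an unsigned DLL from its own directory,
#   and that directory is outside the usual trusted install locations.
# Rule 2, task_name_mimic: a scheduled task named after a known vendor binary
#   whose action runs from a user-writable path instead of the vendor directory.
from pathlib import PureWindowsPath

TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")
USER_WRITABLE = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Temp\\")
VENDOR_BINARY_NAMES = ("vmwaresampling",)  # assumed inventory; build from your baseline
# Constructed events: id 7 = image load, id 4698 = scheduled task created.
EVENTS = [
    {"id": 7, "image": r"C:\Users\u\Downloads\pkg\VmwareSampling.exe", "proc_signed": True,
     "image_loaded": r"C:\Users\u\Downloads\pkg\victimtoolsalla.dll", "dll_signed": False},
    {"id": 7, "image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "proc_signed": True,
     "image_loaded": r"C:\Program Files\VMware\VMware Tools\glib-2.0.dll", "dll_signed": True},
    {"id": 4698, "task_name": r"\VmwareSampling",
     "command": r"C:\Users\u\Downloads\pkg\VmwareSampling.exe"},
    {"id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\system32\defrag.exe"},
]

def _under(path, prefixes):
    """Case-insensitive check that path starts with one of the prefixes."""
    return path.lower().startswith(tuple(p.lower() for p in prefixes))

def is_sideload(ev):
    """Signed process + unsigned DLL from the same, untrusted directory."""
    if ev.get("id") != 7 or not ev["proc_signed"] or ev["dll_signed"]:
        return False
    exe, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["image_loaded"])
    # PureWindowsPath compares case-insensitively, as NTFS paths do.
    return exe.parent == dll.parent and not _under(ev["image"], TRUSTED_DIRS)

def is_task_mimic(ev):
    """Task leaf name matches a vendor binary but runs from a user-writable path."""
    if ev.get("id") != 4698:
        return False
    leaf = PureWindowsPath(ev["task_name"]).name.lower()
    return leaf in VENDOR_BINARY_NAMES and _under(ev["command"], USER_WRITABLE)

def triage(events):
    """Return (rule, path) pairs for every matching event, in input order."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append(("dll_sideload", ev["image_loaded"]))
        if is_task_mimic(ev):
            hits.append(("task_name_mimic", ev["task_name"]))
    return hits
```

Running `triage(EVENTS)` flags only the first image-load event and the first task event; the genuine VMware Tools load and the built-in defrag task pass both rules.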

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Domain | saornfila[.]loU | Primary C2 domain used by Havoc Demon implant (both campaigns) |
| Domain | www.saornfila[.]loU | C2 domain variant, linked to Havoc Demon communications |
| Domain | linkknewsapatop | Second campaign C2 domain serving via port 8443 |
| IP Address | 193.150.240.37 | C2 origin server; hosted in Kyiv, Ukraine (SERVERV3 AS#3AMMC) |
| IP Address | 104.192.244.99 | Second C2 server; hosted in Santa Clara, USA (Hosting Solution Ltd) |
| SHA256 | 90bba96afe1b5b8410c4f1649adeb8ca1f04c816c64f46912d5bca890f8b2c0a | ContactLetterToMosPICambodaCollaborationCapex.apax — lure archive (Campaign 1) |
| SHA256 | b34b34310b963fd2901b6e00b0e9a01be6c19d40e68101f0cc1d34ae7f22a4af | CNCContactWorkCambodiaIndustryofPublicWorksandTransport.apx — lure archive (Campaign 2) |
| SHA256 | 90bb… (VictimtoolsSalla DLL) | Malicious sideloaded DLL used to trigger NIGHTFORGE loader |
| SHA256 | 3a33a10901e9ef89eace7834f9c7ce14f590e58bb1b50ec5bd44b4ef1ca5555a | Havoc Demon payload — dropped via BayerLdr |
| File Name | VmwareSampling.exe | Legitimate VMware-signed binary abused for DLL sideloading |
| File Name | victimtoolsalla.dll | Malicious sideloaded DLL executing NIGHTFORGE |
| File Name | ContactLetterToMosPICambodaCollaborationCapex.apax | Phishing lure document/archive (Campaign 1) |
| Scheduled Task | VmwareSampling | Persistence mechanism registered under the VMware binary name |
| Network | Port 443 | Havoc Demon C2 communication port |
| Network | Port 8443 | Second campaign alternative C2 communication port |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
