Recent OTX Pulse data indicates a coordinated surge in state-sponsored espionage activity across the Asia-Pacific (APAC) region, specifically targeting Pakistan, Vietnam, and Cambodia. Three distinct adversary clusters—TAG-179 (suspected China/India nexus), APT32 (OceanLotus), and Khmer Shadow—are actively conducting cyber operations against government, law enforcement, and critical infrastructure sectors.
The campaigns share common tactical objectives: intelligence gathering via credential theft and persistent access. The attack chains involve compromising internet-facing network appliances (TAG-179), supply-chain manipulation of trading software (APT32), and phishing with self-extracting archives delivering custom loaders (Khmer Shadow). The utilization of sophisticated malware families such as ShadowPad, SPECTRALVIPER, and NIGHTFORGE highlights a high level of operational capability and a focus on evasion.
Threat Actor / Malware Profile
TAG-179 (China/India Nexus)
- Target: Pakistani Law Enforcement (Balochistan Police).
- Malware: PlugX, ShadowPad, Cobalt Strike, Remcos, AsyncRAT.
- Distribution: Initial compromise via network appliances and vulnerable web applications managing criminal records and biometrics.
- Behavior: ShadowPad acts as a modular backdoor allowing for extensive lateral movement. Cobalt Strike is likely used for post-exploitation command and control.
APT32 (OceanLotus)
- Target: Vietnamese Finance, Construction, and Transportation sectors (Domestic targeting).
- Malware: SPECTRALVIPER, Denis, SOUNDBITE, PHOREAL, WINDSHIELD.
- Distribution: Supply-chain attack via the "FireAnt Metakit" stock trading platform.
- Behavior: SPECTRALVIPER is a custom backdoor facilitating data exfiltration. The group leverages DLL side-loading and employs vulnerability exploits (e.g., CVE-2017-11882) for initial execution.
Khmer Shadow
- Target: Cambodian Government (Defense and Public Works).
- Malware: NIGHTFORGE, Havoc Demon, KaynLdr.
- Distribution: Government-themed lures delivered via self-extracting archives (SFX).
- Behavior: NIGHTFORGE is a custom C++ loader utilizing advanced evasion techniques, including NTDLL unhooking and "Hell's Gate" to bypass EDR hooks, eventually loading the Havoc Demon framework.
IOC Analysis
The provided Indicators of Compromise (IOCs) cover a broad spectrum of the attack infrastructure:
- Network Infrastructure (IPv4): Several IPs (e.g.,
172.94.9.19,172.111.233.105) are hosted on infrastructures known for resilient hosting (Voxility, M247). These likely serve as C2 nodes for the ShadowPad and Cobalt Strike components. - Domains: A mix of legitimate-looking but likely compromised domains (
cms.balochistanpolice.gov.pk) and suspicious algorithmically generated domains (cnrp7.org,linkednewsapi.top) used for C2 or payload delivery. - File Hashes: Multiple SHA256 hashes associated with the NIGHTFORGE loader and Havoc Demon samples are critical for endpoint detection.
- Vulnerability: CVE-2017-11882 indicates the use of legacy Office exploits for initial access by APT32.
Operational Guidance: SOC teams should immediately blocklisted the listed IPs and domains. Endpoint detection tools (EDR) should be configured to hunt for the specific file hashes. The domains sharingfile.cloud and linkednewsapi.top should be treated as malicious C2 infrastructure.
Detection Engineering
Sigma Rules
title: Potential NightForge Loader Activity via NTDLL Unhooking
id: 3c2a8e1c-7d1a-4f0e-9b1a-2c3d4e5f6a7b
description: Detects suspicious process access patterns consistent with NTDLL unhooking techniques used by NIGHTFORGE and Havoc Demon.
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6691234567890/
tags:
- attack.defense_evasion
- attack.t1055.001
logsource:
category: process_access
detection:
selection:
TargetImage|endswith: '\ntdll.dll'
GrantedAccess: '0x1F0FFF'
SourceImage|contains:
- '\AppData\Local\Temp\'
- '\Users\Public\'
condition: selection
falsepositives:
- Legitimate security software scanning
level: high
---
title: APT32 SpectralViper C2 Domain Connection
id: 5d3b9f2d-8e2b-4a1c-0c2d-3e4f5a6b7c8d
description: Detects network connections to known domains associated with the APT32 SpectralViper campaign.
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6691234567891/
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
detection:
selection:
Initiated: 'true'
DestinationHostname|contains:
- 'cnrp7.org'
- 'nguoitieudung.com.vn'
- 'anessallie.com'
- 'arkoimmerma.com'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: ShadowPad C2 Infrastructure Connection
id: 6e4c0e3f-9f3c-5b2d-1d3e-4f5a6b7c8d9e
description: Detects outbound connections to IP addresses associated with TAG-179 ShadowPad infrastructure.
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6691234567892/
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
category: network_connection
detection:
selection:
Initiated: 'true'
DestinationIp|cidr:
- '172.94.9.0/24'
- '172.111.233.0/24'
- '142.171.183.0/24'
condition: selection
falsepositives:
- Rare generic traffic
level: high
KQL (Microsoft Sentinel)
// Hunt for NightForge and APT32 related file hashes and network connections
let IOCs = dynamic([
"03e7a4065df354a99add76e8ba7dd37b", "04e7a98fb3b7738cca42557c3e2d9906d04fa2f6",
"15278c52f4e0d8b5bbfe288a5e826ab2ebeaedb7fb85572940cf1263e384761f",
"1852120a84a328edd1995e633dfd2009867898a8e3f0b385e2490cf21c77a994",
"90bbfa9e7af176b85d110f4f1789cae6777fcb60813b047133c8f12caa344a17",
"b3e853eee14fb7948c6907888ee07139085ba9af4231c30e97ff6236b86ca024",
"cnrp7.org", "nguoitieudung.com.vn", "linkednewsapi.top", "sharingfile.cloud",
"172.94.9.19", "172.111.233.105", "172.111.233.96", "142.171.183.8"
]);
// Check Network Events
DeviceNetworkEvents
| where RemoteUrl in (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCHit = "Network"
| union (
// Check File Hashes
DeviceFileEvents
| where SHA1 in (IOCs) or MD5 in (IOCs) or SHA256 in (IOCs)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| extend IOCHit = "FileHash"
)
| order by Timestamp desc
PowerShell Hunt Script
# IOC Hunter for Khmer Shadow and APT32 Campaigns
# Checks for specific file hashes and suspicious persistence mechanisms
$TargetHashes = @(
"15278c52f4e0d8b5bbfe288a5e826ab2ebeaedb7fb85572940cf1263e384761f",
"1852120a84a328edd1995e633dfd2009867898a8e3f0b385e2490cf21c77a994",
"90bbfa9e7af176b85d110f4f1789cae6777fcb60813b047133c8f12caa344a17",
"b3e853eee14fb7948c6907888ee07139085ba9af4231c30e97ff6236b86ca024"
)
$SuspiciousPaths = @(
"C:\Users\Public\",
"$env:TEMP",
"$env:APPDATA\Microsoft\Windows\Templates"
)
Write-Host "[+] Scanning for NightForge Loader Hashes..." -ForegroundColor Cyan
foreach ($Path in $SuspiciousPaths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($Hash -in $TargetHashes) {
Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
}
}
}
}
Write-Host "[+] Checking for suspicious Scheduled Tasks (Common in Havoc/NightForge)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {
$_.Actions.Execute -match "powershell" -or
$_.Actions.Execute -match "cmd" -or
$_.Actions.Execute -match "rundll32"
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
# Response Priorities
* **Immediate:** Block all listed IPv4 addresses and domains at the perimeter firewall and proxy servers. Initiate a hunt for the specific SHA256 file hashes provided in the Khmer Shadow pulse across all endpoints.
* **24h:** Isolate any systems identified communicating with the `172.94.9.0/24` or `172.111.233.0/24` ranges. Conduct credential resets for users on compromised hosts, specifically focusing on law enforcement and administrative accounts.
* **1 week:** Patch internet-facing appliances against vulnerabilities leading to web shell uploads (TAG-179 vector). Review supply-chain integrity for third-party software like FireAnt Metakit. Enhance EDR configurations to detect NTDLL unhooking and API hooking evasion techniques.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.