Threat Actor: Goblin Panda


Active since 2014, Goblin Panda is a threat actor that is focused on interests in Southeast Asia. Goblin Panda has been documented by various organizations, including Fortinet, over the past several years. Due to non-standardized naming conventions within the industry, Goblin Panda is also known as APT 27, Hellsing, Cycledek, and perhaps 1937CN. Goblin Panda is primarily active in South and Southeast Asia, with activity seen primarily in Cambodia, Indonesia, Philippines, Myanmar, Malaysia, Thailand, and Vietnam. India has also been targeted in the past, albeit in limited numbers.

Not much has been documented on this group for various reasons. This is primarily due the fact that its tactics, techniques, and procedures have evolved over the years, and also because rather than engaging in the sort of broad-brush attacks most cybercriminal gangs engage in, their targets and campaigns have been quite specific in nature. We hope that the information contained within our playbook is informative for responders who encounter one of their attacks, or for anyone interested in Goblin Panda.

Favorite methodologies of Goblin Panda include the use of remote access Trojans, including the infamous PlugX/Korplug, NewCore, and Sisfader RAT tools. Distribution of infected samples are often used by attackers such as Goblin Panda through weaponized Microsoft Office documents containing malicious macros, or by exploiting known vulnerabilities - most recently CVE-2012-0158 and CVE-2017-11882.

For more information on the TTPs used by Goblin Panda, read the blog listed in the appendix and go to our Playbook Viewer and select Goblin Panda from the menu.