A newly uncovered espionage operation has been quietly targeting government institutions in Cambodia, and the method behind it is as clever as it is alarming.
Threat actors have been abusing a legitimate, digitally signed VMware binary to slip a custom malicious loader called NIGHTFORGE onto victim systems.
This technique, known as DLL sideloading, lets attackers hide behind a trusted application and avoid raising alarms with most security tools.
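One defender-side check for the sideloading pattern described above, as an added example that is not from the article or from Acronis: flag image-load events in which a signed executable loads an unsigned DLL from its own directory that is not on that executable's known-module list. The event fields, the `trusted_app.exe` path and the allow-list are constructed for this illustration.

```python
"""Flag likely DLL sideloading in image-load telemetry (constructed sample).

Heuristic: a signed executable loads a DLL from its own directory that is
NOT signed and NOT on the executable's expected-module list. Event fields
(process_path, process_signed, image_path, image_signed), the vendor path
and the allow-list below are assumptions for this example, not real data.
"""
from pathlib import PureWindowsPath

# Constructed allow-list: modules a trusted executable legitimately ships with.
EXPECTED_MODULES = {
    r"c:\program files\vendor\trusted_app.exe": {"core.dll", "plugin.dll"},
}

def _norm(path):
    # Normalise case and separators so path comparisons are stable.
    return PureWindowsPath(str(PureWindowsPath(path)).lower())

def is_suspicious_load(event):
    """Return True if the event matches the sideloading pattern."""
    proc, img = _norm(event["process_path"]), _norm(event["image_path"])
    if not event["process_signed"] or event["image_signed"]:
        return False  # only a signed host loading an unsigned module is interesting
    if img.suffix != ".dll" or img.parent != proc.parent:
        return False  # sideloading relies on same-directory DLL search order
    expected = EXPECTED_MODULES.get(str(proc), set())
    return img.name not in expected

def find_sideloads(events):
    """Return the image paths of all events flagged as suspicious."""
    return [e["image_path"] for e in events if is_suspicious_load(e)]

# Constructed sample telemetry (not captured from any real host).
EXE = r"C:\Program Files\Vendor\trusted_app.exe"
SAMPLE_EVENTS = [
    {"process_path": EXE, "process_signed": True,
     "image_path": r"C:\Program Files\Vendor\core.dll", "image_signed": True},
    {"process_path": EXE, "process_signed": True,
     "image_path": r"C:\Program Files\Vendor\plugin.dll", "image_signed": False},
    {"process_path": EXE, "process_signed": True,
     "image_path": r"C:\Windows\System32\version.dll", "image_signed": False},
    {"process_path": EXE, "process_signed": True,
     "image_path": r"C:\Program Files\Vendor\vendor_helper.dll", "image_signed": False},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit)
```

Only the unsigned, unexpected `vendor_helper.dll` loaded beside the signed host is flagged; the unsigned `plugin.dll` is tolerated because it is on the allow-list, and the system32 load is ignored because it is not same-directory.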
The campaign, tracked under the name “Khmer Shadow,” appears to be running with a clear focus on intelligence gathering.
Targets include defense-related bodies and public infrastructure agencies in Cambodia, suggesting the goal is regional strategic intelligence rather than financial gain.
The activity points to a well-resourced threat actor with deep knowledge of evasion tactics and clear interest in Southeast Asian geopolitical affairs.
Analysts at Acronis Threat Research Unit (TRU) identified the campaign and…