
Cycldek’s espionage activities against the Vietnamese government

Researchers discovered an advanced cyber espionage campaign against Vietnamese government and military entities. The campaign delivered FoundCore, a remote access tool used to carry out espionage activities. The malware supports file system control, process control, screenshot capture, arbitrary command execution and other functions. Further analysis attributed the attack to the Cycldek group with a moderate degree of confidence.

The Cycldek group has been active since 2013 and is known for targeting the governments of Southeast Asian countries, with a particular preference for Vietnamese targets.

The attack took place between June 2020 and January 2021. According to telemetry data, dozens of organizations were affected. 80% of them are located in Vietnam and belong to government or military departments; the others are related to health, diplomacy, education or politics. In addition, some targets were found in Central Asia and Thailand.

The attacker uses the legitimate component FINDER.exe (Microsoft Outlook) to load the malicious library outlib.dll. This library hijacks the program's expected execution flow to decode and run shellcode stored in the binary file rdmin.src. Once decoded, the payload turns out to be a remote access tool named "FoundCore". The infection process is as follows:


According to the researchers, in the recent attack the attacker also downloaded two other types of malware, called DropPhone and CoreLoader. The former collects environmental information from the victim machine and sends it to Dropbox; the latter runs code to evade detection by security products. The researchers also observed that CoreLoader and FoundCore overlap in code with the RedCore Loader used by the Cycldek group, and that the targets of this operation are consistent with the group's known targeting. Therefore, the researchers attributed the attack to Cycldek with a moderate degree of confidence.
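The side-loading chain described above (a legitimate FINDER.exe loading outlib.dll next to an rdmin.src data file) leaves a pattern a defender can look for. The following is an added detection helper, not code from the report or from Cycldek's tooling; the event format, the trusted Office install paths and the sample events are assumptions.

```python
"""Detection helper for the FINDER.exe / outlib.dll / rdmin.src side-loading chain.
Added example, not part of the original report. Event format is hypothetical:
each event is a dict with 'process' (image path) and 'dll' (loaded module path),
as a collector such as Sysmon image-load telemetry might provide."""
from pathlib import PureWindowsPath

# File names taken from the report: legitimate Outlook component,
# side-loaded library, and the file holding the encoded shellcode.
TRIAD = {"finder.exe", "outlib.dll", "rdmin.src"}

# Directories where the genuine Outlook binary is expected to live
# (assumption; adjust to the install layout of your own estate).
TRUSTED_OFFICE_DIRS = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
)


def sideload_findings(events):
    """Return a list of (reason, process_path) for suspicious FINDER.exe loads."""
    findings = []
    for ev in events:
        proc = PureWindowsPath(ev["process"])
        dll = PureWindowsPath(ev["dll"])
        if proc.name.lower() != "finder.exe":
            continue
        proc_dir = str(proc.parent).lower() + "\\"
        if proc_dir.startswith(TRUSTED_OFFICE_DIRS):
            continue  # genuine install location; nothing to flag
        reason = "FINDER.exe running outside the Office install tree"
        # outlib.dll resolved from the executable's own directory is the
        # side-load pattern the report describes.
        if dll.name.lower() == "outlib.dll" and dll.parent == proc.parent:
            reason += "; outlib.dll loaded from the same directory (side-load pattern)"
        findings.append((reason, str(proc)))
    return findings


def triad_present(directory_listing):
    """True if one directory holds all three artefacts named in the report."""
    return TRIAD <= {name.lower() for name in directory_listing}


# Constructed sample events (not real telemetry): one genuine Outlook load,
# one copy of FINDER.exe staged in a user-writable directory.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\FINDER.EXE",
     "dll": r"C:\Program Files\Microsoft Office\root\Office16\outlib.dll"},
    {"process": r"C:\Users\Public\Libraries\FINDER.exe",
     "dll": r"C:\Users\Public\Libraries\outlib.dll"},
]

if __name__ == "__main__":
    for reason, path in sideload_findings(SAMPLE_EVENTS):
        print(f"{path}: {reason}")
```

Pairing the image-load check with `triad_present` over a directory listing of the flagged process's folder gives a second, file-system-based confirmation.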


Whichever group planned this operation, it shows a marked increase in sophistication. The tool chain used in the attack is deliberately split into a series of interdependent components that only function as a whole. Analyzing individual components is difficult (and sometimes impossible) because each relies on code or data supplied by other stages of the infection chain.