VYPR
breach · Published Jun 11, 2026 · 1 source

VMware-Signed Binary Abused to Deploy NIGHTFORGE Loader in Cambodian Espionage Campaign

The Khmer Shadow campaign targets Cambodian government agencies using a VMware-signed binary to DLL-sideload the NIGHTFORGE loader, which deploys Havoc Demon for espionage.

An espionage operation tracked as 'Khmer Shadow' has been targeting government and defense agencies in Cambodia, delivering a custom malware loader by abusing a legitimate VMware-signed binary. Discovered by the Acronis Threat Research Unit (TRU), the campaign relies on DLL sideloading: the trusted executable VmwareSampling.exe, carrying a valid VMware signature, loads a malicious DLL placed in the same directory. Because the process that starts is signed and familiar, controls that judge only the launched executable (publisher-based allowlists, reputation lookups) see nothing unusual, while the unsigned DLL runs inside it. The campaign belongs to a broader threat cluster tracked as Amber Saolao, which also includes a related operation sharing the same tooling and infrastructure.

The infection chain begins with a phishing email carrying a compressed archive. Inside, the victim finds a government-themed lure document, often styled as a diplomatic communication, alongside the signed VMware executable and the malicious DLL. Running the executable loads the DLL, which is the NIGHTFORGE loader. NIGHTFORGE goes well beyond a simple dropper in evading endpoint monitoring: it unhooks ntdll.dll, restoring the export stubs that EDR products patch in user mode to intercept calls into the kernel, and it uses HellsGate to resolve system call numbers at runtime from the clean ntdll image so that it can issue direct syscalls without passing through the hooked API paths. Both techniques defeat user-mode hooking only; kernel callbacks and kernel-sourced ETW telemetry still see the resulting process, memory and file activity, which is where detection should be anchored.
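As an added illustration of the detection side (example code written for this page, not taken from the Acronis report or from VYPR): the scorer below reads Sysmon Event ID 7 (ImageLoaded) records and flags the sideloading shape described above, a process loading an unsigned DLL from its own directory outside the usual vendor install roots. The event records are constructed, the DLL filename in them is invented, and the trusted-directory list and the signed-host watchlist are assumptions to tune for your own estate.

```python
"""Score Sysmon Event ID 7 (ImageLoaded) records for DLL sideloading.

Added example: the heuristic, the directory list and the sample records are
constructed for illustration and are not taken from the Acronis report.
"""
import ntpath

# Where vendor-signed software is expected to run from. Prefix match,
# case-insensitive. Assumption for this example; extend for your estate.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Signed host binaries reported as sideloading targets. VmwareSampling.exe is
# the one named in the report; the rest of the list is yours to maintain.
ABUSED_HOSTS = {"vmwaresampling.exe"}


def is_trusted_dir(directory):
    """True if the directory sits under one of the vendor install roots."""
    d = ntpath.normcase(directory)          # lower-case, backslash separators
    if not d.endswith("\\"):
        d += "\\"
    return d.startswith(TRUSTED_DIRS)


def score_image_load(ev):
    """Return (score, reasons) for one EID 7 record; 0 means not the shape."""
    image = ntpath.normcase(ev["Image"])
    loaded = ntpath.normcase(ev["ImageLoaded"])
    if not loaded.endswith(".dll"):
        return 0, []
    host_dir = ntpath.dirname(image)
    if host_dir != ntpath.dirname(loaded):
        return 0, []                        # not an application-directory load
    reasons = ["DLL loaded from the host's own directory"]
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    if not is_trusted_dir(host_dir):
        reasons.append("host runs from outside the vendor install roots")
    if ntpath.basename(image) in ABUSED_HOSTS:
        reasons.append("host binary is on the known-abused signed-host list")
    return len(reasons), reasons


def find_sideload_candidates(events, threshold=3):
    """Return flagged loads, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed records carrying only the EID 7 fields the heuristic reads.
# "sampling.dll" is an invented name; the report's DLL name is not on this page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VMware\VMware Tools\VmwareSampling.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtools.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\analyst\Downloads\Diplomatic_Note\VmwareSampling.exe",
     "ImageLoaded": r"C:\Users\analyst\Downloads\Diplomatic_Note\sampling.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\analyst\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\analyst\AppData\Local\Programs\tool\tool.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Programs\tool\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The fourth record shows the noise this heuristic produces: a per-user application loading its own unsigned helper DLL scores 3 and is flagged at the default threshold, so in practice you either raise the threshold to 4 (same directory, unsigned, user-writable and a watchlisted host) or suppress known per-user installers. The legitimate VMware binary in Program Files scores only 2 because its DLL is signed and it runs from a vendor root.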

Once evasion is complete, the loader decrypts a Havoc Demon payload and injects it directly into memory. Demon is the agent of Havoc, an open-source command-and-control framework built for red teaming; here it gives the operators full remote control over the infected machine, including command execution, file access and credential harvesting. The implant reaches its command-and-control (C2) servers over port 443, so its traffic looks like ordinary HTTPS and blends into normal web browsing. The C2 infrastructure relies on the domain saornfila[.]loU, fronted by a Cloudflare reverse proxy that conceals the origin server, which was traced to hosting in Ukraine.

Persistence is maintained through a scheduled task named VmwareSampling, deliberately mirroring the legitimate VMware binary name so that it passes a casual review of the task list. Security teams are advised to monitor scheduled task creation (Security event 4698 when 'Audit Other Object Access Events' is enabled, or event 106 in the Microsoft-Windows-TaskScheduler/Operational log) for tasks that borrow legitimate product names but whose action runs from a user-writable directory, and to enforce application control that covers DLLs as well as executables (AppLocker DLL rules or WDAC), since a rule that admits the signed host does nothing about the unsigned DLL it loads. Khmer Shadow and the related operation grouped with it under the Amber Saolao cluster both target Cambodian entities with nearly identical tooling, pointing to a well-resourced threat actor focused on regional strategic intelligence in Southeast Asia.
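As an added example (code written for this page, not from the Acronis report or from VYPR): a scorer for task-creation records shaped like Windows Security event 4698, which carries the task name and the task's XML definition. It flags the persistence pattern described above, a task named after a vendor binary whose action runs from a user-writable directory, and notes when the task is hidden from the Task Scheduler UI. The records, task names and paths are constructed; the directory roots and the vendor-name watchlist are assumptions.

```python
"""Assess scheduled-task creation events for names that mimic legitimate software.

Added example: the records mimic the fields of Windows Security event 4698
(TaskName plus the task XML in TaskContent) and are constructed; the
heuristic, directory roots and watchlist are assumptions.
"""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Stems of signed vendor binaries seen used as sideloading hosts; the report
# names VmwareSampling, the rest of the list is yours to maintain.
VENDOR_STEMS = {"vmwaresampling"}


def is_trusted_dir(directory):
    """True if the directory sits under one of the vendor install roots."""
    d = ntpath.normcase(directory)
    if not d.endswith("\\"):
        d += "\\"
    return d.startswith(TRUSTED_DIRS)


def parse_task(task_xml):
    """Return (exec_commands, hidden) from a task definition's XML."""
    root = ET.fromstring(task_xml)
    cmds = [n.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
            for n in root.findall(".//t:Actions/t:Exec", TASK_NS)]
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false",
                           namespaces=TASK_NS).strip().lower() == "true"
    return cmds, hidden


def assess_task(event):
    """Return (score, reasons) for one task-creation record."""
    name = ntpath.basename(event["TaskName"])          # TaskName is "\Folder\Name"
    cmds, hidden = parse_task(event["TaskContent"])
    reasons = []
    for cmd in cmds:
        if not cmd:
            continue
        cmd_dir = ntpath.dirname(ntpath.normcase(cmd))
        if not is_trusted_dir(cmd_dir):
            reasons.append(f"action runs from a user-writable path: {cmd}")
            if name.lower() in VENDOR_STEMS:
                reasons.append(f"task name '{name}' copies vendor software but the "
                               "action is not in that vendor's install root")
    if hidden:
        reasons.append("task is hidden from the Task Scheduler UI")
    return len(reasons), reasons


def find_suspicious_tasks(events, threshold=2):
    """Return flagged task registrations, highest score first."""
    hits = []
    for ev in events:
        score, reasons = assess_task(ev)
        if score >= threshold:
            hits.append({"task": ev["TaskName"], "user": ev["SubjectUserName"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed 4698-style records; task names and paths are invented.
SAMPLE_EVENTS = [
    {"TaskName": r"\VmwareSampling", "SubjectUserName": "analyst",
     "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\analyst\AppData\Roaming\VmwareSampling\VmwareSampling.exe</Command>
  </Exec></Actions>
</Task>"""},
    {"TaskName": r"\VMware\VMware Tools Update", "SubjectUserName": "SYSTEM",
     "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"</Command>
  </Exec></Actions>
</Task>"""},
    {"TaskName": r"\NightlyBackup", "SubjectUserName": "analyst",
     "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\analyst\scripts\backup.bat</Command>
  </Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_EVENTS):
        print(hit["score"], hit["task"], "registered by", hit["user"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Event 4698 is only written when 'Audit Other Object Access Events' is enabled. Without it, event 106 in the Microsoft-Windows-TaskScheduler/Operational log still gives the task name and registering user but not the XML, so the action path has to be read back from the task's XML file under C:\Windows\System32\Tasks. The third record (a user's own backup task) scores 1 and stays below the threshold, which is the intended trade-off: a user-writable action path alone is common, the vendor-name collision is what makes it worth an alert.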

The attack is another instance of espionage groups abusing trusted code signatures to slip past detection. Where organizations lean on application allowlisting or treat a vendor signature as a proxy for trust, sideloading turns that trust against them: the signed host is allowed to run, and the attacker's code runs inside it. Acronis researchers have published a set of indicators of compromise (IoCs), including the C2 domains, the malicious DLL hashes and the Havoc Demon payload hashes, to help organizations detect and block this ongoing threat.

Synthesized by Vypr AI