Acronis Exposes Sophisticated Cyber Espionage Campaigns Targeting Cambodian Government and Defense Networks

Gerald Beuchelt, Chief Information Security Officer (CISO), Acronis

New threat intelligence from Acronis reveals how advanced malware, stealth techniques, and trusted software components are being weaponized to infiltrate critical government institutions across Southeast Asia.

Acronis Threat Research Unit (TRU) has uncovered two targeted espionage campaigns aimed at Cambodian Government entities in the defense and public works sectors, revealing the growing sophistication of cyber operations targeting public institutions across Southeast Asia. Detailed in Acronis' latest threat research report, the campaigns leveraged a previously undocumented custom loader dubbed NIGHTFORGE to deploy the Havoc Demon malware framework while evading traditional security controls.

According to the report, the threat cluster, tracked by Acronis as Khmer Shadow, used government-themed lure documents delivered through self-extracting archives masquerading as legitimate files. The attacks employed DLL sideloading techniques using trusted VMware-signed binaries to execute NIGHTFORGE, which subsequently decrypted and launched Havoc Demon directly in memory. Researchers observed that both campaigns targeted Cambodian government organisations, including entities linked to defense and military intelligence operations.

TRU researchers identified several advanced defense evasion techniques within the malware chain, including NTDLL unhooking, Hell's Gate syscall resolution, in-memory payload execution and COM-based persistence mechanisms. Despite demonstrating a moderate level of technical sophistication, the operators repeatedly reused infrastructure, payloads and operational methods across campaigns, enabling researchers to identify additional malicious assets and infrastructure linked to the activity cluster.

“The discovery of these espionage campaigns highlights the evolving sophistication of threat actors who increasingly combine advanced malware frameworks with legitimate software components to evade detection and maintain persistence. Organizations must adopt proactive threat hunting, robust endpoint security, and continuous monitoring strategies to stay ahead of these highly targeted attacks.”

— Gerald Beuchelt, Chief Information Security Officer (CISO), Acronis

The report further highlights how threat actors are increasingly blending advanced malware capabilities with trusted software components and legitimate system processes to evade detection and maintain long-term access within targeted environments. Acronis assesses with moderate confidence that the activity is espionage-motivated and aligned with regional intelligence collection interests in Southeast Asia.

To defend against similar threats, Acronis recommends that organisations strengthen monitoring of trusted applications and software dependencies, implement robust endpoint detection capabilities, continuously assess suspicious persistence mechanisms and maintain proactive threat hunting practices to identify malicious activity before it escalates.
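As an added illustration of the monitoring recommended above and of the sideloading pattern described earlier (example code written for this page, not from the Acronis report or its tooling): a small Python check over constructed Sysmon-style image-load events that flags a trusted-signer process loading an unsigned DLL from outside the expected install roots, and notes when the DLL sits beside the host binary as an archive drop would leave it. The signer list, directory roots, file names and event fields are assumptions.

```python
import ntpath

# Added example, not from the Acronis report. Signer names, paths and file
# names below are assumptions chosen for illustration.
TRUSTED_SIGNERS = {"VMware, Inc."}

# Install roots where a DLL loaded by a signed vendor binary is expected.
EXPECTED_DLL_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                      r"c:\program files", r"c:\program files (x86)")


def is_sideload_candidate(event: dict) -> bool:
    """Flag a trusted-signer process loading an unsigned DLL that lives
    outside the expected install roots (the classic sideloading shape)."""
    if event.get("process_signer") not in TRUSTED_SIGNERS:
        return False
    if event.get("dll_signed", False):
        return False
    dll_path = event["dll_path"].lower()
    return not dll_path.startswith(EXPECTED_DLL_ROOTS)


def same_directory(event: dict) -> bool:
    """True when the DLL sits beside the host binary, a strong hint that
    an archive dropped both files together."""
    return (ntpath.dirname(event["process_path"]).lower()
            == ntpath.dirname(event["dll_path"]).lower())


def find_sideloads(events: list[dict]) -> list[tuple[str, str, bool]]:
    """Return (host exe, dll path, dropped-together) for flagged events."""
    return [(ntpath.basename(e["process_path"]), e["dll_path"], same_directory(e))
            for e in events if is_sideload_candidate(e)]


# Constructed Sysmon-style image-load events (placeholder names).
SAMPLE_EVENTS = [
    {"process_path": r"C:\Users\u\AppData\Local\Temp\sfx\host.exe",
     "process_signer": "VMware, Inc.",
     "dll_path": r"C:\Users\u\AppData\Local\Temp\sfx\helper.dll", "dll_signed": False},
    {"process_path": r"C:\Program Files\Vendor\host.exe", "process_signer": "VMware, Inc.",
     "dll_path": r"C:\Program Files\Vendor\helper.dll", "dll_signed": True},
    {"process_path": r"C:\Users\u\Desktop\tool.exe", "process_signer": "",
     "dll_path": r"C:\Users\u\Desktop\plugin.dll", "dll_signed": False},
]

if __name__ == "__main__":
    for host, dll, dropped in find_sideloads(SAMPLE_EVENTS):
        print(f"sideload candidate: {host} loaded {dll} (same dir: {dropped})")
```

Only the first constructed event is flagged: a signed host loading an unsigned DLL from a temp directory, with both files in the same folder.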

For more information and additional insights, visit:
https://www.acronis.com/en/tru/posts/behind-khmer-shadow-targeted-espionage-against-cambodian-government-entities

About Acronis:

Acronis is a global cyber protection company delivering the only natively integrated cybersecurity, data protection, and infrastructure management platform for managed service providers and IT departments. Acronis solutions are designed to identify, protect, detect, respond, recover and govern IT deployments, ensuring data integrity and business continuity.
 
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 60+ countries. Acronis Cyber Platform is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses. Learn more at www.acronis.com.