Khmer Shadow Hackers Abuse VMware-Signed Binary to Deploy NIGHTFORGE Loader


Acronis researchers have uncovered two espionage campaigns targeting Cambodian government organizations, with attackers using a legitimate VMware-signed binary to sideload a custom loader called NIGHTFORGE.

The campaigns, tracked as Khmer Shadow by Acronis Threat Research Unit, focused on entities in Cambodia’s defense and public works sectors. Acronis assesses with moderate confidence that the activity supports regional intelligence collection in Southeast Asia.

The attackers used government-themed self-extracting archives to deliver the malware. Once opened, the archive launched a signed VMware executable, which then loaded a malicious DLL from the same folder and started the NIGHTFORGE infection chain.

Attackers Used DLL Sideloading to Hide Behind VMware

The core technique in the campaign is DLL sideloading, a known method where attackers place a malicious DLL next to a trusted executable so the legitimate program loads the attacker’s code. The MITRE ATT&CK entry for DLL side-loading describes this as a way to execute a malicious payload through a legitimate application.

In this case, the trusted file was VMwareNamespaceCmd.exe, a legitimate VMware-signed binary. The malicious file was vmtools.dll, which exported the function names the VMware executable imports, so the loader's code ran inside a signed, trusted process.

Microsoft’s DLL search order documentation explains the fixed order Windows uses to locate a DLL that an application requests by name rather than by full path: the directory the executable was loaded from is searched first, before the system directories. That rule is what sideloading abuses. If attackers can write a DLL with the expected name into a directory they control and run the trusted executable from there, the copy in the application directory is the one that gets loaded.
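The hunt implied by that rule, as an added example for this article rather than code from Acronis or VMware: walk image-load telemetry shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature) and flag a known-good executable that runs outside its vendor install path and loads a DLL from its own directory. The event records, the trusted-binary list and the vendor directories are constructed for the demo.

```python
"""Hunt for DLL sideloading through a trusted, signed binary.

Added illustration for this article, not code from Acronis or VMware. The
records are constructed to look like Sysmon Event ID 7 image-load events;
the trusted-binary set and vendor directories are assumptions for the demo.
"""
from pathlib import PureWindowsPath

# Signed binaries worth tracking (lower-case basenames). Assumed list.
TRUSTED_BINARIES = {"vmwarenamespacecmd.exe"}
# Where those binaries legitimately live. Assumed for the demo.
VENDOR_DIRS = (r"c:\program files\vmware", r"c:\program files (x86)\vmware")

# Constructed events: a normal VMware Tools load, the sideload pattern from
# an SFX extraction folder, and a system DLL load by that same rogue process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VMware\VMware Tools\VMwareNamespaceCmd.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtools.dll",
     "Signed": "true", "Signature": "VMware, Inc."},
    {"Image": r"C:\Users\analyst\AppData\Local\Temp\sfx\VMwareNamespaceCmd.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Temp\sfx\vmtools.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\analyst\AppData\Local\Temp\sfx\VMwareNamespaceCmd.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def same_directory(exe: str, dll: str) -> bool:
    """True when the DLL sits beside the EXE, i.e. it was resolved from the
    first stop in the default search order: the application's own directory."""
    return _parent(exe) == _parent(dll)


def in_vendor_dir(path: str) -> bool:
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in VENDOR_DIRS)


def triage_image_load(ev: dict) -> list[str]:
    """Return the reasons this image-load record looks like sideloading.
    An empty list means nothing to report."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if PureWindowsPath(exe).name.lower() not in TRUSTED_BINARIES:
        return []
    if not same_directory(exe, dll):
        return []  # system DLLs resolved from System32 are expected
    reasons = []
    if not in_vendor_dir(exe):
        reasons.append("trusted binary running outside its vendor install path")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("DLL beside the executable is unsigned")
    if reasons:
        reasons.insert(0, "DLL loaded from the executable's own directory")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Run triage over a batch of events and keep only the hits."""
    findings = []
    for ev in events:
        reasons = triage_image_load(ev)
        if reasons:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["image"], "->", f["dll"])
        for r in f["reasons"]:
            print("  -", r)
```

The legitimate VMware Tools process loading vmtools.dll from its own install directory produces no finding, which is the point: the signal is the combination of a trusted binary, an unexpected location and a same-directory DLL, not any one of them alone.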

Campaign detail            Confirmed information
Threat cluster             Khmer Shadow
Targets                    Cambodian defense and public works entities
Initial delivery           Government-themed self-extracting archives
Legitimate binary abused   VMwareNamespaceCmd.exe
Malicious DLL              vmtools.dll
Custom loader              NIGHTFORGE
Final payload              Havoc Demon

NIGHTFORGE Loads Havoc Demon in Memory

NIGHTFORGE acts as the custom loader in the attack chain. After the VMware binary loads vmtools.dll, the loader decrypts shellcode from a companion file and executes the next stage directly in memory.

Acronis says the loader uses NTDLL unhooking and Hell’s Gate syscall resolution, two techniques commonly associated with defense evasion. Unhooking overwrites the in-memory code of ntdll.dll with a clean copy read from disk, removing the inline hooks that endpoint products place on Nt* functions to watch them. Hell’s Gate reads the syscall numbers directly out of ntdll’s export stubs and issues the syscalls itself instead of calling the exported functions. Together these methods help malware avoid user-mode monitoring and reduce the chance that endpoint tools will catch common API activity.
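What those two techniques operate on, shown from the defender’s side as an added example for this article (not Acronis’s code and not the NIGHTFORGE loader): every Nt* export in x64 ntdll begins with a syscall stub of fixed byte layout, an inline hook overwrites its first bytes with a jump, and Hell’s Gate only works on an intact stub, which is why a loader unhooks first. The stub bytes are constructed from that layout, the syscall numbers are sample values (real ones differ between Windows builds), and the two dictionaries stand in for a hooked snapshot of the mapped module and the state after the loader restored the on-disk bytes.

```python
"""NTDLL syscall stubs: Hell's Gate parsing and unhooking detection.

Added illustration for this article, not code from Acronis or the loader it
describes. Stubs are built from the documented x64 ntdll layout; SSN values
are samples and the snapshot dictionaries are constructed.
"""


def build_clean_stub(ssn: int) -> bytes:
    """x64 ntdll stub: mov r10,rcx ; mov eax,SSN ; test byte ptr [7FFE0308h],1 ;
    jne +3 ; syscall ; ret ; int 2Eh ; ret."""
    return (b"\x4c\x8b\xd1" + b"\xb8" + ssn.to_bytes(4, "little")
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01" + b"\x75\x03"
            + b"\x0f\x05" + b"\xc3" + b"\xcd\x2e" + b"\xc3")


def build_hooked_stub(clean: bytes, rel32: int) -> bytes:
    """An inline hook: the first five bytes become 'jmp rel32' into the
    monitoring product's trampoline; the rest of the stub is untouched."""
    return b"\xe9" + rel32.to_bytes(4, "little", signed=True) + clean[5:]


# Constructed: the stubs as they appear in the file on disk (sample SSNs).
DISK = {
    "NtAllocateVirtualMemory": build_clean_stub(0x18),
    "NtWriteVirtualMemory": build_clean_stub(0x3a),
    "NtProtectVirtualMemory": build_clean_stub(0x50),
}
# Constructed: the mapped module with one export hooked by an EDR.
HOOKED_VIEW = dict(DISK)
HOOKED_VIEW["NtProtectVirtualMemory"] = build_hooked_stub(
    DISK["NtProtectVirtualMemory"], 0x1234)
# Constructed: the mapped module after a loader copied the disk bytes back.
UNHOOKED_VIEW = dict(DISK)


def hellsgate_ssn(stub: bytes):
    """Hell's Gate check: bytes 4C 8B D1 B8 xx xx 00 00 mean an intact stub
    whose SSN is the 16-bit little-endian value at offset 4. None otherwise."""
    if len(stub) >= 8 and stub[:4] == b"\x4c\x8b\xd1\xb8" and stub[6:8] == b"\x00\x00":
        return stub[4] | (stub[5] << 8)
    return None


def looks_hooked(stub: bytes) -> bool:
    """jmp rel32 (E9), call rel32 (E8) or jmp [rip+disp32] (FF 25) at offset 0."""
    return stub[:1] in (b"\xe9", b"\xe8") or stub[:2] == b"\xff\x25"


def classify(stub: bytes):
    """('clean', ssn) for an intact stub, ('hooked', None) for a patched one."""
    ssn = hellsgate_ssn(stub)
    if ssn is not None:
        return ("clean", ssn)
    if looks_hooked(stub):
        return ("hooked", None)
    return ("unknown", None)


def hooks_removed(before: dict, after: dict) -> list:
    """Exports that were hooked in one snapshot and intact in a later one:
    the signature of an unhooking pass over ntdll's code."""
    return sorted(name for name in before
                  if classify(before[name])[0] == "hooked"
                  and name in after and classify(after[name])[0] == "clean")


if __name__ == "__main__":
    for name, stub in HOOKED_VIEW.items():
        print(f"{name:26s} {classify(stub)}")
    print("unhooked:", hooks_removed(HOOKED_VIEW, UNHOOKED_VIEW))
```

Two things fall out of the example. Hell’s Gate returns nothing for the hooked NtProtectVirtualMemory stub, so a loader that wants the syscall number has to restore the stub first, and a monitoring product that re-reads its own hooks after a suspicious module load sees exactly that restoration; a write to ntdll’s code region that turns a hooked stub back into a clean one is the “NTDLL overwrite behavior” worth alerting on.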

Attack chain (Source – Acronis)

The final payload is Havoc Demon. MITRE ATT&CK describes Havoc as an open-source post-exploitation command-and-control framework that multiple threat actors have adopted to maintain control over compromised systems.

Two Cambodian Government Lures Shared the Same Tooling

The first lure appeared as Contact_Letter_To_Ms_Pech_ICB_Cambodia_On_Collaboration.pdf.exe. Acronis tied it to Cambodia’s Information Collection Bureau under the Ministry of National Defense based on the archive name, decoy document content, and named recipient.

A second sample, named CN_Contact_Work_Cambodia’s_Ministry_of_Public_Works_and_Transport.pdf, targeted the Ministry of Public Works and Transport. It reused the same sideloading chain and file structure, but it did not include the same decoy document.

The repeated use of the same loader, payload, and infrastructure helped researchers connect the two operations. The campaign showed strong evasion work but weaker operational security because the attacker reused key assets across targets.

Persistence Used a VMware-Themed Scheduled Task

After execution, NIGHTFORGE established persistence through Windows Task Scheduler. The loader registered a scheduled task named VMwareNamespace, matching the VMware theme of the malware chain.

This naming choice helped the task blend into a system where VMware-related entries might not look suspicious at first glance. Acronis says the task’s start boundary was set to 2010-01-01T00:00:00, well in the past so it fires immediately, with a repetition interval of 10 minutes and a duration of one day.

The Acronis report also found that the loader staged files under %LOCALAPPDATA%\VMwareNamespace\, another sign that the operator tried to make the activity look VMware-related.
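A triage routine for those task properties, as an added example for this article rather than anything from the Acronis report: parse Task Scheduler XML (the format schtasks exports and the files under C:\Windows\System32\Tasks use) and flag a backdated start boundary, a tight repetition interval, an action that runs from a user-writable path, and a vendor-themed task name whose action is not under Program Files. Both task documents are constructed; the first mirrors the values the report gives for the VMwareNamespace task, the second is a benign comparison. The thresholds and the vendor word list are assumptions.

```python
"""Triage Task Scheduler XML for vendor-themed persistence.

Added illustration for this article, not Acronis's code. The two task
documents are constructed; thresholds and the vendor word list are assumed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
VENDOR_WORDS = ("vmware", "microsoft", "google", "adobe", "intel")  # assumed
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "\\appdata\\",
                 "\\temp\\", "\\users\\public\\", "\\downloads\\")
BACKDATED_BEFORE = datetime(2015, 1, 1)  # assumed: older than any host in the fleet
TIGHT_INTERVAL_MINUTES = 15              # assumed

# Constructed to match the properties the report describes.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\VMwareNamespace</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2010-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%LOCALAPPDATA%\VMwareNamespace\VMwareNamespaceCmd.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a daily updater under Program Files.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\DailyUpdater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-03-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def iso_duration_minutes(value: str):
    """Convert a Task Scheduler ISO 8601 duration (P1D, PT10M, PT1H30M) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not value or not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text: str) -> dict:
    """Return the task name, its command and the reasons it looks suspicious."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    name = text("t:RegistrationInfo/t:URI")
    start = text(".//t:StartBoundary")
    interval = iso_duration_minutes(text(".//t:Repetition/t:Interval"))
    command = text(".//t:Exec/t:Command")
    cmd = command.lower()
    reasons = []

    try:
        start_dt = datetime.fromisoformat(start) if start else None
    except ValueError:
        start_dt = None
    if start_dt is not None and start_dt.tzinfo is not None:
        start_dt = start_dt.replace(tzinfo=None)  # compare naive to naive
    if start_dt is not None and start_dt < BACKDATED_BEFORE:
        reasons.append(f"start boundary backdated to {start}")
    if interval is not None and interval <= TIGHT_INTERVAL_MINUTES:
        reasons.append(f"repeats every {interval:g} minutes")
    if any(h in cmd for h in USER_WRITABLE):
        reasons.append("action runs from a user-writable path")
    if any(w in name.lower() for w in VENDOR_WORDS) and "\\program files" not in cmd:
        reasons.append("vendor-themed task name but action is not under Program Files")
    return {"name": name, "command": command, "reasons": reasons}


if __name__ == "__main__":
    for xml_doc in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        r = triage_task(xml_doc)
        print(r["name"], "->", r["command"], r["reasons"] or "ok")
```

The vendor-name check is deliberately narrow: it fires only when the name borrows a vendor’s brand and the action lives somewhere a vendor installer would not put it, which is the combination the VMwareNamespace task in %LOCALAPPDATA% shows.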

C2 Infrastructure Points to Reused Assets

The Havoc Demon payload communicated with www[.]sharingfile[.]cloud over HTTPS on port 443. Acronis also identified linkednewsapi[.]top on port 8443 as a related domain through JARM fingerprinting and matching server characteristics.

The known origin servers were 193[.]169[.]240[.]38 in Kyiv, Ukraine, and 104[.]193[.]255[.]99 in Santa Clara, United States. Both used similar response patterns and Cloudflare Origin Certificates, which supported the link between the two infrastructure nodes.

Origin server details using CriminalIP (Source – Acronis)

That overlap gave defenders useful detection opportunities. Even when attackers hide behind Cloudflare or signed binaries, reused infrastructure, repeated filenames, and scheduled task patterns can still expose the campaign.

Indicator type          Indicator
Domain                  www[.]sharingfile[.]cloud
Domain                  linkednewsapi[.]top
IP address              193[.]169[.]240[.]38
IP address              104[.]193[.]255[.]99
Scheduled task          VMwareNamespace
Persistence path        %LOCALAPPDATA%\VMwareNamespace\
Malicious DLL           vmtools.dll
Legitimate executable   VMwareNamespaceCmd.exe

Defenders Should Watch for Trusted Binary Abuse

The Khmer Shadow campaign shows why signed software alone cannot guarantee trust. A valid Authenticode signature covers the executable’s own bytes, not the DLLs it will load by name at run time, so it does not protect the system if attackers can place a malicious DLL where the executable will look for it first.

Security teams should monitor for trusted binaries running from unusual directories, especially when paired with unexpected DLLs. The MITRE technique page classifies DLL side-loading as a form of execution-flow hijacking that can support persistence, privilege escalation, or defense evasion, which is how defenders should treat it.

Admins can reduce exposure by applying application allowlisting, limiting write access to directories used by trusted binaries, and hunting for scheduled tasks that mimic legitimate vendor names. Microsoft’s DLL search order guidance can help engineering teams review risky loading behavior in internal and third-party applications.

  • Alert on VMwareNamespaceCmd.exe running from temporary or user-writable locations.
  • Hunt for vmtools.dll outside legitimate VMware Tools directories.
  • Review scheduled tasks named VMwareNamespace or other vendor-like names created by unusual processes.
  • Monitor for NTDLL overwrite behavior and direct syscall patterns.
  • Block or monitor connections to www[.]sharingfile[.]cloud and linkednewsapi[.]top.
  • Restrict execution of self-extracting archives from email and download folders.

Khmer Shadow Remains Unlinked to a Known APT

Acronis does not currently attribute Khmer Shadow to a known threat actor. The researchers say the targeting, lure design, and infrastructure point to an espionage-focused operation in Southeast Asia, but the tooling does not closely match a previously documented cluster.

The use of Havoc also complicates attribution because the framework is public and can be used by different actors. In this case, the stronger evidence comes from victimology, shared infrastructure, malware reuse, and lure themes rather than the final payload alone.

For Cambodian government agencies and organizations involved in regional policy, defense, logistics, or public infrastructure, the campaign is a reminder to review phishing controls, endpoint telemetry, and trusted binary execution paths.

FAQ

What is Khmer Shadow?

Khmer Shadow is the name Acronis uses for a previously unreported espionage-focused threat cluster targeting Cambodian government entities, including defense and public works organizations.

What is NIGHTFORGE?

NIGHTFORGE is a custom DLL-based loader used in the Khmer Shadow campaigns. It decrypts and launches a Havoc Demon payload in memory while using evasion techniques such as NTDLL unhooking and direct syscall resolution.

Which VMware binary was abused in the campaign?

The campaign abused VMwareNamespaceCmd.exe, a legitimate VMware-signed binary. The attackers placed a malicious vmtools.dll file beside it so the trusted executable would load the malware.

What is DLL sideloading?

DLL sideloading is a technique where attackers force a trusted program to load a malicious DLL. It helps malware execute under the name of a legitimate application and can make detection harder.

How can organizations detect this campaign?

Organizations can hunt for VMwareNamespaceCmd.exe running from unusual paths, vmtools.dll outside normal VMware directories, scheduled tasks named VMwareNamespace, NTDLL unhooking behavior, and traffic to the known C2 domains www[.]sharingfile[.]cloud and linkednewsapi[.]top.
