Goblin Panda (also tracked as 1937CN, Conimes, Cycldek, and MITRE ATT&CK G0078) is a suspected China-aligned cyber-espionage cluster active since at least 2013 and one of the longest-running publicly-tracked China-aligned clusters focused on Southeast Asian victim categories. The cluster's vendor-naming taxonomy is fragmented. "Goblin Panda" is the CrowdStrike-canonical name. "1937CN" was introduced by FireEye / Mandiant based on operational artifacts and infrastructure indicators tied to 1937CN-themed domains; the name reflects the historical context of the Marco Polo Bridge Incident of July 7, 1937, the start of the Second Sino-Japanese War, and has been speculatively linked to the operators' political alignment. "Conimes" is the Kaspersky name derived from the Conimes downloader implant, and "Cycldek" is Kaspersky's later tracking name for the same activity. Modern vendor consensus treats the four naming streams as alternative names for the same operational cluster with substantial victimology and toolkit overlap, though the consolidation question remains analytically open. The cluster is widely assessed to operate in alignment with Chinese state intelligence interests, most commonly framed as MSS (Ministry of State Security) tasking, although the specific MSS bureau has not been formally established. No formal government attribution event has been issued.

The cluster's most defining victim signature is sustained Vietnamese government and defense targeting across more than a decade. Operations have run continuously against Vietnamese ministries of foreign affairs, Communist Party of Vietnam organs, military and defense industrial targets, state-owned oil-and-gas companies (notably PetroVietnam entities), and Vietnamese academic institutions. The Vietnamese focus aligns with sustained PRC strategic interest in Vietnamese government posture toward China-Vietnam bilateral relations and South China Sea disputes, the latter being one of the most consequential ongoing Asia-Pacific maritime territorial disputes. The cluster's sustained Vietnamese targeting represents one of the most operationally consistent single-country focuses among publicly-tracked China-aligned clusters and parallels the Tick / Bronze Butler Japanese focus and the Sea Turtle Turkish-MIT-suspected focus already covered in this corpus.

A defining cluster tradecraft signature is sustained use of the USBFerry and USBCulprit removable-media-worm components for air-gap traversal and lateral movement in target environments. Kaspersky's June 2020 "Cycldek: Bridging the (air) gap" disclosure documented the tradecraft in detail. The USB-worm capability exploits the USB-media-sharing workflow prevalent in Southeast Asian government environments, where air-gapped or partially-isolated networks remain operationally common. The tradecraft is conceptually similar to the removable-media patterns of APT30 / Naikon (already consolidated under naikon.yaml) and Aoqin Dragon (already covered as aoqin_dragon.yaml), making air-gap traversal via removable media a meaningful regional tradecraft pattern across at least three publicly-tracked China-aligned clusters operating against Southeast Asian targets.
Operationally, the cluster's toolkit centers on the signature implants NewCore RAT (the cluster's central modern Windows backdoor), Sisfader (a sibling Windows backdoor), the Conimes downloader (a lightweight initial-stage implant that gave the cluster one of its canonical vendor names), and the Cycldek backdoor. Beyond these signature implants the cluster operates PlugX (a commodity RAT shared across multiple PRC-aligned clusters; PlugX presence alone is insufficient for cluster attribution), SPLM, USBFerry, USBCulprit, China Chopper webshells, Cobalt Strike Beacon, PoisonIvy, and Mimikatz. The toolkit pattern is moderately diverse for a single-country-focused regional cluster, reflecting sustained capability development across the operational lifespan. Initial-access tradecraft is predominantly spear-phishing with weaponized Office documents (CVE-2012-0158, CVE-2014-1761, CVE-2014-6332, CVE-2017-0199, CVE-2017-11882, CVE-2018-0798, CVE-2018-0802, and CVE-2022-30190 Follina) using Vietnamese-language and regional-government-themed lures. The cluster has not demonstrated zero-day development capability and primarily relies on rapid weaponization of disclosed n-day vulnerabilities. A defining operational pattern is sustained tempo alignment with South China Sea political and arbitration events. Notable elevated cluster activity has been documented surrounding the July 2016 Permanent Court of Arbitration ruling in the Philippines v. China case (which rejected China's "nine-dash line" claims), subsequent ASEAN summits with South China Sea agenda items, and bilateral negotiations between China and Southeast Asian claimant states. This summit-and-arbitration-event-anchored targeting pattern is one of the most analytically interesting operational patterns observable in publicly-tracked China-aligned clusters targeting Southeast Asia.
A handful of operational notes: First, the cluster's vendor-naming proliferation (Goblin Panda / 1937CN / Conimes / Cycldek) reflects fragmented vendor tracking across multiple years and reporting streams. Modern reporting should default to "Goblin Panda" as the CrowdStrike-canonical name and the MITRE-tracked identifier (G0078). The four primary aliases should be treated as alternative names for the same operational cluster pending any formal disambiguation. Second, the cluster is operationally distinct from Naikon (already covered as naikon.yaml; PLA Unit 78020, broader Southeast Asia and Pacific focus, APT30 consolidated), from Aoqin Dragon (already covered as aoqin_dragon.yaml; a decade of pre-disclosure activity, SE Asia/Australia focus, Mongall+Heyoka USB worm), and from APT40 / Leviathan (already covered as apt40_leviathan.yaml; maritime/shipping focus, Hainan State Security Department attribution). All four clusters operate against Southeast Asian targets but represent separable operational identities based on toolkit, victim emphasis, and tradecraft. Third, attribution to MSS specifically, though dominant in vendor reporting, has not been confirmed by formal government attribution. Treat the MSS-tasking framing as suspected at the bureau level even though the broader China-aligned framing is high-confidence vendor-research consensus. Fourth, the Vietnamese cybersecurity firm VinCSS has published sustained Vietnamese-language tracking of the cluster's operations, a useful operational data source for defender or researcher work in the Southeast Asian victim space that complements the English-language international-vendor reporting.