In addition, the malware was also hosted on the Cambodian Government's website at a time the domain was compromised.

Once downloaded and opened, the crafted Word document then claims the user's Office version isn't compatible, so they must click a link and permit macro content which executes the Trojan.

KHRAT then deploys additional malicious code payloads, modifies the Windows registry, and creates persistence by forcing Microsoft Word to re-execute the Trojan should a document be reloaded from the most recently used document list.

The Trojan also masks its activities using the legitimate regsvr32.exe program, schedules a range of innocent-looking tasks, and creates calling functions to run JavaScript code.

An interesting aspect of the Trojan found within the dropper code is a link to a blog hosted on the Chinese Software Developer Network (CSDN) website which contains an "almost identical" code sample of a click-tracking system in the malware.

"The JavaScript code in probe_sl.js uses a click-tracking technique, presumably so the actors can monitor who is visiting their site," the researchers note. "It may also be an attempt to control the distribution of later stage malware and tools, by only sending it in response to requests from desired victims or vulnerable systems, and dropping requests from others such as researchers."

Palo Alto Networks believes that the threat actors behind KHRAT have evolved the Trojan to include targeted spear phishing and click-tracking in order to more successfully target victims of interest in Cambodia.

Considering the political nature of the spear phishing emails, the campaigns may have the purpose of spying on political rivals or disrupting political activity.

"This most recent campaign highlights social engineering techniques being used with reference and great detail given to nationwide activities, likely to be forefront of peoples' minds," the researchers say. "We believe this malware, the infrastructure being used, and the TTPs (tactics, techniques, and procedures) highlight a more sophisticated threat actor group, which we will continue to monitor closely."