Daggerfly

Threat Actor updated 21 days ago (2024-09-26T20:01:08.640Z)
Daggerfly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is known for its custom MgBot malware framework, which it uses to conduct cyberespionage against individuals and organizations in mainland China, Hong Kong, Macao, Nigeria, and other regions. Daggerfly and several other Chinese intrusion sets, such as APT41, Mustang Panda, Tonto Team, and Dark Pink, have increasingly used DLL side-loading to load their malware onto targeted machines.

In a notable instance between November 2022 and April 2023, Daggerfly conducted a cyber espionage campaign against an African telecommunications organization. Symantec, which identified the campaign, noted the use of new MgBot plugins during the intrusion. Separately, Volexity researchers investigated a Daggerfly attack in mid-2023 in which multiple systems became infected with malware: the group had compromised an undisclosed Internet Service Provider (ISP) in order to poison DNS responses for target organizations.

Daggerfly's capabilities extend beyond these activities, with evidence pointing to the ability to trojanize Android APKs, intercept SMS and DNS requests, and target Solaris OS. The group's resilience is demonstrated by its capacity to quickly update its toolset in response to exposure, ensuring minimal disruption to its espionage activities. Its arsenal includes malware such as Macma and MgBot, all of which contain code from a shared library or framework, indicating a sophisticated and coordinated operation.
Description last updated: 2024-09-26T19:17:36.931Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): description

Bronze Highland (5 votes): Bronze Highland, also known as Evasive Panda and Daggerfly, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. This threat actor conducts cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, along with specific organ

Evasive Panda (5 votes): Evasive Panda, also known as StormBamboo and Daggerfly, is a threat actor group linked to China, primarily targeting organizations across Asia that have interest in the Chinese state. The group has been observed deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, al

APT41 (2 votes): APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a threat actor suspected to be linked to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. They have used a variety of sophisticated techniques and malware, including at least 46
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Evasive
Backdoor
Symantec
Macos
Android
Espionage
Windows
DNS
Associated Malware
Malware (association type; votes): description

MgBot (Unspecified; 4 votes): MgBot is a custom malware framework known for its use by the cyber espionage group Daggerfly. Active for at least a decade, Daggerfly has deployed MgBot in various attacks, demonstrating its ability to uninstall itself, delete files, and collect information about processes. Notably, both MgBot and

Macma (Unspecified; 3 votes): Macma is a malware, first detailed by Google in 2021, that has been used since at least 2019. It is a modular backdoor that supports multiple functionalities such as device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files. Macma, ofte

Nightdoor (Unspecified; 2 votes): Nightdoor is a complex malware attributed to the Evasive Panda Advanced Persistent Threat (APT) group, a China-linked cyber-espionage team. This group has typically focused on surveillance of individuals and organizations in Asia and Africa. The malware was first introduced by the group in 2020 and
Source Document References
Information about the Daggerfly Threat Actor was read from the documents corpus below.
Source (created)

Securityaffairs (21 days ago)
DARKReading (2 months ago)
Securityaffairs (2 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
InfoSecurity-magazine (3 months ago)
BankInfoSecurity (3 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
InfoSecurity-magazine (7 months ago)
CERT-EU (7 months ago)
DARKReading (7 months ago)
DARKReading (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)