Evasive Panda

Threat Actor updated 21 days ago (2024-09-26T20:00:56.979Z)

Download STIX

Preview STIX

Evasive Panda, also known as StormBamboo and DaggerFly, is a threat actor group linked to China, primarily targeting organizations across Asia that have interest in the Chinese state. The group has been observed deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, along with trojanizing official installer packages from a software company. These actions are part of a broader campaign aimed at compromising target organizations through various methods, including DNS poisoning and leveraging legitimate software update channels for malicious purposes. Evasive Panda's signature backdoor, MgBot, along with its toolkit of plugin modules, is a key part of their operations. In August 2023, researchers at Volexity reported that Evasive Panda had successfully compromised an undisclosed internet service provider (ISP) to poison DNS responses for target organizations. This involved using DNS poisoning to host a modified config file indicating a new update was available, resulting in the targeted software downloading an upgrade package from the APT's server that had already been backdoored with malicious code. In one notable incident, applications seeking updates installed malware instead of the intended updates, specifically Macma and Pocostick, both commonly used by Evasive Panda. The Evasive Panda group has also targeted Tibetan nationals in India and the United States, and another related group, dubbed ToddyCat, has targeted groups in Vietnam and Taiwan. In March, experts observed another malware, Suzafk (aka ‘NetMM’, Nightdoor), linked to Evasive Panda. The group continues to evolve its toolset, introducing several new versions of its malware in response to exposure of older variants, indicating an ongoing commitment to internal espionage.

Description last updated: 2024-09-26T19:17:17.057Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Bronze Highland is a possible alias for Evasive Panda. Bronze Highland, also known as Evasive Panda and Daggerfly, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. This threat actor conducts cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, along with specific organ	6
Daggerfly is a possible alias for Evasive Panda. DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is renowned for its use of the custom MgBot malware framework, which it leverages to conduct cyberespionage activities against indi	5

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Malware

Backdoor

Windows

Evasive

Eset

Macos

Chinese

AITM

DNS

Espionage

Downloader

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Mgbot Malware is associated with Evasive Panda. MgBot is a custom malware framework known for its use by the cyber espionage group, Daggerfly. Active for at least a decade, Daggerfly has deployed MgBot in various attacks, demonstrating its ability to uninstall itself, delete files, and collect information about processes. Notably, both MgBot and	Unspecified	5
The Nightdoor Malware is associated with Evasive Panda. Nightdoor is a complex malware attributed to the Evasive Panda Advanced Persistent Threat (APT) group, a China-linked cyber-espionage team. This group has typically focused on surveillance of individuals and organizations in Asia and Africa. The malware was first introduced by the group in 2020 and	Unspecified	4
The MacMa Malware is associated with Evasive Panda. Macma is a malware, first detailed by Google in 2021, that has been used since at least 2019. It is a modular backdoor that supports multiple functionalities such as device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files. Macma, ofte	Unspecified	3

Source Document References

Information about the Evasive Panda Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	21 days ago	China-linked APT group Salt Typhoon compromised some US ISPs
DARKReading	2 months ago	China's Evasive Panda Attacks ISP to Send Malicious Software Updates
Securityaffairs	2 months ago	Chinese StormBamboo APT compromised ISP to deliver malware
DARKReading	5 months ago	Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact
Securityaffairs	3 months ago	Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading	3 months ago	China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
BankInfoSecurity	3 months ago	Chinese Cyberespionage Group Expands Malware Arsenal
CERT-EU	7 months ago	Well-equipped, resourced Chinese-backed hacking group targeting Tibetan networks \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	7 months ago	China State-Sponsored Spies Hack Site and Target User Systems in Asia
CERT-EU	7 months ago	APT attacks taking aim at Tibetans – Week in security with Tony Anscombe
CERT-EU	7 months ago	Cyber Briefing: 2024.03.08. 👉 What are the latest cybersecurity… \| by CyberMaterial \| Mar, 2024 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	7 months ago	China Panda APT Hacking Websites To Infect Windows And MacOS Visitors With Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	7 months ago	Chinese Evasive Panda Targets Tibetans with Nightdoor Backdoor
CERT-EU	7 months ago	Cyber Security Week in Review: March 8, 2024
CERT-EU	7 months ago	Chinese Panda APT Hacking Websites To Infect Windows And MacOS Users
InfoSecurity-magazine	7 months ago	Evasive Panda Targets Tibet With Trojanized Software
CERT-EU	7 months ago	Evasive Panda leverages Monlam Festival to target Tibetans
DARKReading	7 months ago	China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks
ESET	9 months ago	NSPX30: A sophisticated AitM-enabled implant evolving since 2005
ESET	9 months ago	NSPX30: A sophisticated AitM-enabled implant evolving since 2005