Evasive Panda

Threat Actor updated 2 months ago (2024-07-23T12:17:39.749Z)
Download STIX
Preview STIX
Evasive Panda, a threat actor group also known as Bronze Highland and Daggerfly, has been identified as a significant cybersecurity threat. This group, believed to be aligned with China, has been deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, using these tools to infiltrate targeted networks by exploiting software vulnerabilities and compromising online platforms. The group's operations have been traced back to at least September 2023, impacting systems in Taiwan, Hong Kong, Australia, and the United States. Their unique use of both known and unknown tools, including the Windows backdoor "Nightdoor" and the exclusive MgBot malware, demonstrates their sophisticated approach to cyber espionage. A notable instance of Evasive Panda's activity involved capitalizing on the Monlam Festival, a major Tibetan Buddhist event. By compromising the festival’s website, they were able to target Tibetans globally in a well-coordinated cyberespionage campaign. They also trojanized official installer packages from a software company, further extending their reach. Their strategic web compromises extend to sites like Kagyu International Monlam Trust, revealing their intent to exploit significant events to target specific communities. Based on the malware used, notably MgBot and Nightdoor, it is highly likely that this campaign is attributed to the Evasive Panda APT group. Evasive Panda has been observed targeting Tibetans in several countries and territories with payloads that included the previously undocumented backdoor named Nightdoor. Furthermore, they have shown an ability to update their tools, as seen with new iterations of Macma that include improved screen capture functionality and new logic to collect a file's system listing. The group's continuous evolution and adaptation underscore the persistent threat they pose to global cybersecurity.
Description last updated: 2024-07-23T12:16:32.097Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Bronze Highland
6
Bronze Highland, also known as Evasive Panda and Daggerfly, is a Chinese-speaking advanced persistent threat (APT) group that has been active since at least 2012. The group conducts cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, along with specific organizations
Daggerfly
5
DaggerFly, also known as Evasive Panda and Bronze Highland, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since 2012. The group is known for its cyberespionage activities targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. In addition to these
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Windows
Evasive
Eset
Macos
Chinese
AITM
DNS
Espionage
Downloader
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
IDTypeVotesProfile Description
MgbotUnspecified
5
MgBot is a malicious software (malware) used exclusively by the cyber threat group known as Evasive Panda. This malware, along with another custom-made Windows backdoor called Nightdoor, forms part of the group's toolkit for cyber attacks. These tools are typically delivered via malicious downloader
NightdoorUnspecified
4
Nightdoor is a complex malware attributed to the Evasive Panda APT group, a China-linked cyber-espionage team known for its diverse attack vectors and focus on surveillance of individuals and organizations in Asia and Africa. The malware was introduced by the group in 2020 and has been used alongsid
MacMaUnspecified
3
Macma is a malicious software (malware) first detailed by Google's Threat Analysis Group (TAG) in 2021, although it had been in use since at least 2019. Known as OSX.MacMa or simply Macma, this malware is a backdoor designed to exploit macOS systems, and has been frequently employed by the Evasive P
Source Document References
Information about the Evasive Panda Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
a month ago
China's Evasive Panda Attacks ISP to Send Malicious Software Updates
Securityaffairs
a month ago
Chinese StormBamboo APT compromised ISP to deliver malware
DARKReading
3 months ago
Pakistani 'Transparent Tribe' APT Aims for Cross-Platform Impact
Securityaffairs
2 months ago
Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading
2 months ago
China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
BankInfoSecurity
2 months ago
Chinese Cyberespionage Group Expands Malware Arsenal
CERT-EU
6 months ago
Well-equipped, resourced Chinese-backed hacking group targeting Tibetan networks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
6 months ago
China State-Sponsored Spies Hack Site and Target User Systems in Asia
CERT-EU
6 months ago
APT attacks taking aim at Tibetans – Week in security with Tony Anscombe
CERT-EU
6 months ago
Cyber Briefing: 2024.03.08. 👉 What are the latest cybersecurity… | by CyberMaterial | Mar, 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
6 months ago
China Panda APT Hacking Websites To Infect Windows And MacOS Visitors With Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
6 months ago
Chinese Evasive Panda Targets Tibetans with Nightdoor Backdoor
CERT-EU
6 months ago
Cyber Security Week in Review: March 8, 2024
CERT-EU
6 months ago
Chinese Panda APT Hacking Websites To Infect Windows And MacOS Users
InfoSecurity-magazine
6 months ago
Evasive Panda Targets Tibet With Trojanized Software
CERT-EU
6 months ago
Evasive Panda leverages Monlam Festival to target Tibetans
DARKReading
6 months ago
China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks
ESET
7 months ago
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
ESET
7 months ago
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
Checkpoint
a year ago
1st May – Threat Intelligence Report - Check Point Research