Evasive Panda

Threat Actor updated 19 days ago (2024-11-29T14:16:46.018Z)
Evasive Panda, also known as StormBamboo, Daggerfly, or Bronze Highland, is a China-linked threat actor group that has been operating since at least 2012. The group primarily conducts cyber espionage against civil society targets and has demonstrated significant technical capability. It has developed and deployed custom implants including MgBot, Nightdoor, CloudScout, and a macOS downloader component. These tools are used together: CloudScout works seamlessly with MgBot, Evasive Panda's signature malware framework, and the group acquired servers for the command and control (C&C) infrastructure of these tools, further extending its operational capacity. In August, Volexity researchers reported that Evasive Panda had compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations, an approach that underscores the group's ability to infiltrate and manipulate network infrastructure. The CloudScout toolset stands out for its professional design and its role in stealing data stored in cloud services. Written in .NET, it retrieves data from multiple cloud apps, including Google Drive, Gmail, and Outlook, by leveraging stolen web session cookies, which shows the group's interest in cloud-stored documents, user profiles, and emails for its espionage operations. Its seamless integration with MgBot, Evasive Panda's proprietary malware framework, reveals the group's strategic approach to cyberespionage. A notable incident in 2022 involved the compromise of two machines belonging to a religious institution in Taiwan, indicating the group's wide range of targets. Overall, Evasive Panda represents a significant cybersecurity threat with advanced capabilities and a focus on cloud-based data extraction.
Description last updated: 2024-11-11T14:46:39.951Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias: Bronze Highland (6 votes). Bronze Highland is a possible alias for Evasive Panda. Bronze Highland, also known as Evasive Panda and Daggerfly, is a China-linked Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily conducts cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as certain organiz
Alias: Daggerfly (5 votes). Daggerfly is a possible alias for Evasive Panda. DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is recognized for its cyber espionage activities against individuals and organizations in mainland China, Hong Kong, Macao, Nigeria
Alias: StormBamboo (3 votes). StormBamboo is a possible alias for Evasive Panda. StormBamboo, also known as Evasive Panda, Daggerfly, or Bronze Highland, is a threat actor group linked to China and has been operational since at least 2012. The group's primary objective is cyberespionage against entities opposing China's interests, including independence movements such as those i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Backdoor
Malware
Windows
macOS
Chinese
Evasive
DNS
ESET
Downloader
Espionage
AitM
Associated Malware
MgBot (association type: Unspecified; 5 votes). The MgBot malware is associated with Evasive Panda. MgBot is a malicious software (malware) discovered by ESET, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it is capable of stealing personal information, disrupting operations, and
Nightdoor (association type: Unspecified; 5 votes). The Nightdoor malware is associated with Evasive Panda. Nightdoor is a sophisticated malware developed by the threat group Evasive Panda. This malicious software, designed to exploit and damage computer systems, was first detected in 2022 alongside MgBot, another custom implant developed by the same group. The primary function of Nightdoor is to infiltra
MacMa (association type: Unspecified; 3 votes). The MacMa malware is associated with Evasive Panda. Macma is a malware, first detailed by Google in 2021, that has been used since at least 2019. It is a modular backdoor that supports multiple functionalities such as device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files. Macma, ofte
Source Document References
Information about the Evasive Panda Threat Actor was read from the documents corpus below (source and time of indexing; this display is limited to 20 results).
Recorded Future, a month ago
Securityaffairs, a month ago
DARKReading, 2 months ago
InfoSecurity-magazine, 2 months ago
ESET, 2 months ago
DARKReading, 2 months ago
Securityaffairs, 3 months ago
DARKReading, 4 months ago
Securityaffairs, 4 months ago
DARKReading, 7 months ago
Securityaffairs, 5 months ago
DARKReading, 5 months ago
BankInfoSecurity, 5 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago
CERT-EU, 9 months ago