Nightdoor

Malware updated 19 days ago (2024-11-29T13:46:16.493Z)
Nightdoor is a sophisticated malware developed by the threat group Evasive Panda. This malicious software, designed to exploit and damage computer systems, was first detected in 2022 alongside MgBot, another custom implant developed by the same group. Nightdoor infiltrates systems surreptitiously through suspicious downloads, emails, or websites, then steals personal information, disrupts operations, and potentially exfiltrates data. It is a feature-rich backdoor that notably uses public cloud services for its command and control (C&C) communications.

Alongside Nightdoor, Evasive Panda has also developed other custom implants such as MgBot and CloudScout, the latter detected in February 2023. On May 26, 2022, the C&C servers for both MgBot and Nightdoor were established, and in the same month the network of a Taiwanese religious institution fell victim to an attack carried out with these two malware families. A year later, in February 2023, CloudScout modules and the Nightdoor implant were found within a suspected Taiwanese government entity, indicating a broadening of the group's target range. The malware has also been used in attacks against a China-based American NGO, against an African telecoms operator in 2023, and in various watering-hole attacks.

The group's toolkit includes another malware known as Suzafk (also referred to as 'NetMM' or 'Nightdoor'), which was linked to Evasive Panda in March. This variant of Nightdoor is loaded onto newly infected systems alongside legitimate programs such as DAEMON Tools Lite and establishes persistence via scheduled tasks. The tooling has evolved over time, with new variants such as a UDP variant of MgBot appearing after the initial UDT variant. The continued development and deployment of these tools underscore Evasive Panda's persistent threat to cyber security.
Description last updated: 2024-10-29T20:15:01.460Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
MgBot | MgBot is a possible alias for Nightdoor. MgBot is a malicious software (malware) discovered by ESET, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it's capable of stealing personal information, disrupting operations, and | 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Windows
Malware
Evasive
Eset
Apt
Implant
Associated Threat Actors
Alias | Description | Association Type | Votes
Evasive Panda | The Evasive Panda Threat Actor is associated with Nightdoor. Evasive Panda, also known as StormBamboo, Daggerfly, or Bronze Highland, is a threat actor group linked to China that has been operating since at least 2012. The group primarily focuses on cyber espionage against civil society targets and has demonstrated significant technical capabilities. They hav | Unspecified | 5
Daggerfly | The Daggerfly Threat Actor is associated with Nightdoor. DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is recognized for its cyber espionage activities against individuals and organizations in mainland China, Hong Kong, Macao, Nigeria | Unspecified | 2
Source Document References
Information about the Nightdoor Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
DARKReading | 2 months ago
ESET | 2 months ago
Securityaffairs | 5 months ago
DARKReading | 5 months ago
InfoSecurity-magazine | 5 months ago
BankInfoSecurity | 5 months ago
DARKReading | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
InfoSecurity-magazine | 9 months ago
CERT-EU | 9 months ago