Panda hacks websites to infect Windows and MacOS users, watch out

TLDR

– The Chinese APT group Evasive Panda has been conducting cyberespionage since 2012, targeting individuals mainly in China, Hong Kong, Macao, and Nigeria.

– The group uses custom malware frameworks such as MgBot and Nightdoor to infect Windows and macOS users through supply-chain compromises and strategic web compromises.

Chinese Panda APT Hacking Websites To Infect Windows And MacOS Users

Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a Chinese-speaking APT group that has been active since 2012. They have been conducting cyberespionage targeting individuals in China, Hong Kong, Macao, and Nigeria. Southeast and East Asian governments, including those in China, Macao, Myanmar, the Philippines, Taiwan, and Vietnam, were also targeted by the group.

Since 2020, Evasive Panda has used adversary-in-the-middle attacks to deliver its backdoors by intercepting legitimate software updates. The group's custom malware framework has a modular architecture that lets its backdoor, MgBot, spy on victims and extend its capabilities through additional modules.

A cyberespionage campaign has targeted Tibetans since September 2023, combining a supply-chain compromise that distributed trojanized software installers with a watering-hole attack on a website owned by the Kagyu International Monlam Trust. Scripts placed on the website checked the IP addresses of visitors and infected those identified as potential victims with the MgBot and Nightdoor backdoors. The attackers took advantage of the Monlam festival to compromise individuals who visited the hacked website during that period.

The attackers deployed various downloaders, droppers, and backdoors, including Nightdoor, against networks in East Asia. MgBot gives the attackers extensive information about compromised machines, and Nightdoor communicates with its C&C server through the Google Drive API or over UDP.
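A strategic web compromise like the one described above depends on attacker-controlled script being injected into a legitimate page without the site owner noticing. The following is an added example, not code from the article or from any of the research it summarizes: a small page-integrity check a website owner can run against saved copies of their own pages. It records the external script sources and the SHA-256 hashes of inline scripts from a known-good baseline, then reports any script on a later copy that is not in that baseline. The HTML samples are constructed for the example, and the hostname `cdn.example.invalid` is a placeholder.

```python
"""Added example: flag <script> elements on a web page that are not in a
known-good baseline, a defender-side check against injected scripts."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) pairs for every <script> on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def extract_scripts(html):
    """Return a list of (src_or_None, inline_body) for all scripts in html."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_allowlist(baseline_html):
    """Derive the allowed external sources and inline-script hashes from a
    known-good copy of the page."""
    allowed_srcs, allowed_hashes = set(), set()
    for src, body in extract_scripts(baseline_html):
        if src is not None:
            allowed_srcs.add(src)
        else:
            allowed_hashes.add(sha256_hex(body))
    return allowed_srcs, allowed_hashes


def find_unexpected_scripts(html, allowed_srcs, allowed_hashes):
    """Return ("external", src) or ("inline", sha256) for every script on
    the page that is absent from the baseline allowlist."""
    findings = []
    for src, body in extract_scripts(html):
        if src is not None:
            if src not in allowed_srcs:
                findings.append(("external", src))
        else:
            digest = sha256_hex(body)
            if digest not in allowed_hashes:
                findings.append(("inline", digest))
    return findings


# Constructed sample pages: a known-good baseline and a later copy with an
# added external script and a modified inline script.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>console.log("site loaded");</script>
</head><body><p>Festival schedule</p></body></html>"""

TAMPERED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>console.log("site loaded"); document.body.dataset.v = "1";</script>
<script src="https://cdn.example.invalid/loader.js"></script>
</head><body><p>Festival schedule</p></body></html>"""

if __name__ == "__main__":
    srcs, hashes = build_allowlist(BASELINE_HTML)
    for kind, value in find_unexpected_scripts(TAMPERED_HTML, srcs, hashes):
        print(f"unexpected {kind} script: {value}")
```

In practice the baseline would be taken from the deployed source or a clean build artifact rather than from a live fetch, and the check would run on a schedule against the public site so that a modification made after deployment shows up as a new external source or an unknown inline hash. Scripts that legitimately change with each deployment need their hashes refreshed as part of the release process, otherwise the check produces noise and gets ignored.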
