Chinese state-backed threat actor Evasive Panda, also known as Bronze Highland and Daggerfly, has been identified as the mastermind behind a series of cyber attacks targeting Tibetan users through watering hole and supply chain strategies since September 2023. The main objective of these attacks is to distribute malicious downloaders for both Windows and macOS systems, including the deployment of a known backdoor called MgBot and a newly uncovered Windows implant known as Nightdoor.
According to the cybersecurity firm ESET, at least three websites were compromised by the attackers to carry out watering hole attacks, along with a supply-chain compromise of a Tibetan software company. The operation was only discovered in January 2024, highlighting the stealthy and sophisticated nature of these attacks.
Evasive Panda, a threat actor with a history dating back to 2012, has previously been linked to cyber attacks targeting an international non-governmental organization (NGO) in Mainland China using MgBot, as disclosed by ESET in April 2023. This recent campaign represents an expansion of their targets and tactics, focusing on infiltrating Tibetan communities and organizations.
Symantec, a cybersecurity firm owned by Broadcom, also released a report implicating Evasive Panda in a cyber espionage campaign aimed at telecom services providers in Africa since November 2022. This further underscores the extensive reach and persistent nature of the threat actor’s operations in various regions.
The specific target of the latest cyber assaults was the Kagyu International Monlam Trust’s website, where the attackers placed a script that profiled visitors and singled out those coming from certain IP address ranges. Those visitors were prompted to download a fake “fix” file named “certificate”, which initiated the deployment of malicious payloads, including the Nightdoor implant.
It is suspected that Evasive Panda took advantage of the annual Kagyu Monlam Festival in India to target Tibetan communities globally. The malicious executable files, named “certificate.exe” for Windows and “certificate.pkg” for macOS, served as a gateway for launching the Nightdoor implant, leveraging the Google Drive API for command-and-control operations.
In a notable move, the attackers also compromised an Indian software company’s website and supply chain to distribute trojanized installers of Tibetan language translation software for Windows and macOS. This supply-chain compromise dates back to September 2023, revealing the long-term planning and coordination involved in these attacks.
The campaign also involved the use of Tibetan news websites to host malicious payloads, including backdoors for Windows and macOS systems. The trojanized Windows installer triggers a complex multi-stage attack sequence, deploying MgBot or Nightdoor backdoors with advanced capabilities for gathering system information, spawning reverse shells, and executing various operations on the compromised system.
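The two concrete indicators this article gives, the lure downloads named “certificate.exe” / “certificate.pkg” and Nightdoor’s use of the Google Drive API for command-and-control, can be turned into a simple detection pass over proxy or EDR logs. The following is an added example, not code from the article or from ESET: the log format, host names and `.invalid` domains are constructed, the browser allow-list is an assumption, and the `www.googleapis.com/drive/` match is a general Drive API pattern rather than an endpoint the report attributes to the implant. It also correlates the two signals per host, which the article does not spell out.

```python
"""Detection sketch over constructed log lines for two indicators named in the
article: lure downloads called certificate.exe / certificate.pkg, and Google
Drive API traffic originating from a process that is not a browser.
"""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

# Constructed log format (assumption): "<timestamp> <host> <process> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")
Event = namedtuple("Event", "ts host process method url")

# File names of the lure executables, as reported in the article.
SUSPECT_FILENAMES = {"certificate.exe", "certificate.pkg"}

# Processes for which Google Drive API traffic is expected (assumed allow-list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "safari", "google chrome"}

# General Google Drive API location (assumption; not a Nightdoor-specific endpoint).
DRIVE_API_HOST = "www.googleapis.com"
DRIVE_API_PATH_PREFIX = "/drive/"

# Constructed sample log lines; domains use .invalid so they resolve nowhere.
SAMPLE_LOGS = [
    "2024-01-14T09:12:03Z ws-17 chrome.exe GET https://monlam-site.invalid/",
    "2024-01-14T09:12:09Z ws-17 chrome.exe GET https://cdn-lure.invalid/update/certificate.exe",
    "2024-01-14T09:15:40Z ws-17 certificate.exe POST https://www.googleapis.com/drive/v3/files",
    "2024-01-14T09:16:02Z ws-03 Safari GET https://www.googleapis.com/drive/v3/files/abc",
    "2024-01-14T09:18:11Z mac-08 Safari GET https://cdn-lure.invalid/certificate.pkg",
    "2024-01-14T09:20:55Z ws-17 svchost.exe GET https://update-vendor.invalid/",
]


def parse(line):
    """Parse one log line into an Event, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    return Event(*m.groups()) if m else None


def is_lure_download(ev):
    """True if the requested URL ends in one of the reported lure file names."""
    name = urlsplit(ev.url).path.rsplit("/", 1)[-1].lower()
    return name in SUSPECT_FILENAMES


def is_nonbrowser_drive_api(ev):
    """True if a non-browser process talks to the Google Drive API."""
    u = urlsplit(ev.url)
    return (u.hostname == DRIVE_API_HOST
            and u.path.startswith(DRIVE_API_PATH_PREFIX)
            and ev.process.lower() not in BROWSERS)


def analyze(lines):
    """Return a list of alert dicts; hosts showing both signals get a high-severity alert."""
    alerts = []
    signals_per_host = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # skip malformed lines rather than failing the whole pass
        if is_lure_download(ev):
            alerts.append({"rule": "certificate-lure-download", "severity": "medium",
                           "host": ev.host, "process": ev.process, "url": ev.url})
            signals_per_host[ev.host].add("download")
        if is_nonbrowser_drive_api(ev):
            alerts.append({"rule": "nonbrowser-drive-api", "severity": "medium",
                           "host": ev.host, "process": ev.process, "url": ev.url})
            signals_per_host[ev.host].add("c2")
    # Correlation: a lure download followed by Drive API C2 from the same host.
    for host, seen in signals_per_host.items():
        if seen == {"download", "c2"}:
            alerts.append({"rule": "lure-download-then-drive-c2", "severity": "high",
                           "host": host, "process": None, "url": None})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert["severity"].upper(), alert["rule"], alert["host"], alert["process"], alert["url"])
```

On the constructed sample this flags the two lure downloads, the Drive API call from `certificate.exe`, and a high-severity correlation for `ws-17`; the Safari call to the Drive API on `ws-03` is deliberately left alone, since browser traffic to Google APIs is normal and would otherwise drown the signal.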
ESET researchers highlighted the significance of the Nightdoor implant as a recent addition to Evasive Panda’s arsenal, indicating a continuous evolution of their tactics and tools to target networks in East Asia and beyond. This ongoing campaign underscores the persistent threat posed by state-backed actors like Evasive Panda to organizations and communities vulnerable to cyber attacks.
As more details emerge about these cyber attacks, it is essential for organizations and individuals to stay vigilant, update their security measures, and be cautious of suspicious activities that could indicate a potential compromise. The proactive approach to cybersecurity is crucial in mitigating the risks posed by sophisticated threat actors like Evasive Panda.