HomeCII/OTEvasive Panda utilizes Monlam Festival to reach Tibetans

Evasive Panda utilizes Monlam Festival to reach Tibetans

Published on

spot_img

ESET researchers recently uncovered a sophisticated cyberespionage campaign targeting Tibetans through a strategic web compromise and a supply-chain compromise involving trojanized installers of Tibetan language translation software. The attackers deployed malicious downloaders for Windows and macOS to compromise website visitors with MgBot and a newly discovered backdoor called Nightdoor.

The malicious activity began in September 2023 and has been linked to the China-aligned Evasive Panda APT group, which has a history of targeting individuals and organizations in China, Hong Kong, Macao, Nigeria, and Southeast and East Asia. The group uses a custom malware framework with a modular architecture, allowing its backdoor, MgBot, to receive modules to spy on victims and enhance its capabilities. Evasive Panda has also been known to deliver backdoors via adversary-in-the-middle attacks, hijacking updates of legitimate software.

This recent campaign leveraged the Monlam Festival, a religious gathering, to target Tibetans in various countries and territories. The attackers compromised the website of the festival organizer in India, adding malicious code to create a watering-hole attack targeting users from specific networks. Additionally, a software developer’s supply chain was compromised, and trojanized installers for Windows and macOS were distributed to users.

The compromised website belonging to Kagyu International Monlam Trust in India was used as a watering hole to target users in India, Taiwan, Hong Kong, Australia, and the United States. The attackers inserted a script into the website that checked visitors’ IP addresses and displayed a fake error page prompting users to download a malicious file posing as a certificate. This file was actually a downloader that initiated the next stage of the compromise chain.

Furthermore, the attackers compromised a software development company in India that produces Tibetan language translation software, serving trojanized applications and payloads for Windows and macOS. The attackers also utilized a Tibetan news website, Tibetpost, to host the malicious downloads, including two full-featured backdoors for Windows and additional payloads for macOS.

The watering hole attack involved a sophisticated mechanism to deliver payloads based on the user’s IP address. By brute-forcing the salt used in generating MD5 hashes from IP addresses, researchers were able to identify 74 targeted IP address ranges, primarily in India, Taiwan, Australia, the United States, and Hong Kong. The majority of Tibetan diaspora resides in India, making it a prime target for the attackers.

On Windows systems, victims were served a malicious executable that deployed a side-loading chain to load an intermediate downloader, followed by another stage that delivered the Nightdoor backdoor as the final payload. On macOS, a similar downloader was used to execute the same sequence of malicious activity, ultimately leading to the deployment of Nightdoor.

Nightdoor is a newly discovered backdoor that has not been publicly documented. It is a sophisticated tool used by the attackers to spy on victims and maintain access to compromised systems. The Evasive Panda APT group’s use of Nightdoor in this campaign highlights their advanced capabilities and their ongoing efforts to conduct cyberespionage operations targeting specific individuals and organizations.

In conclusion, the discovery of this cyberespionage campaign targeting Tibetans highlights the ongoing threat posed by sophisticated APT groups like Evasive Panda. The use of watering hole attacks, supply-chain compromises, and custom malware frameworks demonstrates the evolving tactics and techniques employed by malicious actors in cyberspace. ESET researchers continue to monitor and analyze these threats to protect individuals and organizations from cyberattacks.

Source link

Latest articles

Meta’s Smart Glasses Will Disable Camera If Privacy LED Light Is Tampered With or Destroyed

Meta Enhances Privacy Measures for Smart Glasses Meta has recently announced a significant firmware update...

RedWing Android Spyware Rental Service Available on Telegram

RedWing: A New Threat in Android Spyware Linked to Russian Actors Recent investigations by security...

Vidar Stealer and XMRig Miner Operation

Cybercriminals Employ Dual-Monetization Tactics to Steal Data and Mine Cryptocurrency Recent research from Unit 42,...

Top 40 Major Cybersecurity Events of the Week, July 2026

Cybersecurity Newsletter Roundup: Major Incidents from July 6–10, 2026 In its latest edition, the GBHackers...

More like this

Meta’s Smart Glasses Will Disable Camera If Privacy LED Light Is Tampered With or Destroyed

Meta Enhances Privacy Measures for Smart Glasses Meta has recently announced a significant firmware update...

RedWing Android Spyware Rental Service Available on Telegram

RedWing: A New Threat in Android Spyware Linked to Russian Actors Recent investigations by security...

Vidar Stealer and XMRig Miner Operation

Cybercriminals Employ Dual-Monetization Tactics to Steal Data and Mine Cryptocurrency Recent research from Unit 42,...