A recent cyber-espionage campaign by the China-aligned APT group Evasive Panda, also tracked as BRONZE HIGHLAND and Daggerfly, has been identified as targeting Tibetans across multiple countries and territories. Active since September 2023, the operation combines a targeted watering-hole attack with a supply-chain compromise: trojanized installers of Tibetan language translation software.
ESET researchers have shed light on the attackers' strategy, which centred on the Monlam Festival, an important religious event in Tibetan Buddhism. By compromising the website of the festival organizer, the attackers mounted a watering-hole attack that served only visitors from selected networks a prompt to download software that was in fact malicious, while other visitors saw the site behave normally.
The attackers also used the festival website and a Tibetan news site, Tibetpost (tibetpost[.]net), to host the payloads fetched by those malicious downloads. The payloads included two full-featured backdoors for Windows and an unspecified number of payloads for macOS; the trojanized software installers delivered the same tooling, with the aim of establishing persistent access to victims' devices.
Evasive Panda’s tactics demonstrate a high level of sophistication, with the deployment of various malicious software tools, including Nightdoor – a previously undocumented backdoor for Windows. This campaign showcases the group’s expertise in deploying downloaders, droppers, and backdoors to compromise networks and target individuals in East Asia.
By compromising trusted web infrastructure and a software supply chain rather than attacking targets directly, the attackers could reach specific victims efficiently: anyone visiting the compromised sites or installing the trojanized software did so out of legitimate need. Timing the operation to coincide with the Monlam Festival indicates a deliberate decision to capitalize on the increased traffic to the festival site during that period.
For a more comprehensive understanding of the campaign, including Indicators of Compromise (IoCs) and samples, interested parties can access the ESET GitHub repository. This repository provides detailed information regarding the cyber-espionage techniques employed by Evasive Panda and offers insights into mitigating the risks associated with such attacks.
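Indicators such as tibetpost[.]net are published defanged so they cannot be clicked by accident, and they have to be refanged before they can be matched against telemetry. The following is an added example, not code from ESET or from the original page, showing how a defender would refang a domain indicator and sweep web-proxy logs for contacts with it. The log lines are constructed for the example (not real telemetry), the log format is an assumed Squid-style layout, and only the one domain the page names is used as an indicator; the festival website is not named here, so it is not included. The match is a suffix match on the host, so subdomains of the indicator are caught while look-alike domains that merely contain the string are not.

```python
import re
from urllib.parse import urlsplit

# Indicator as published on the page, in defanged form.
DEFANGED_DOMAINS = ["tibetpost[.]net"]

# Constructed proxy log lines for the example (not real data), assumed Squid-like format:
# timestamp client_ip method url status
SAMPLE_LOG = """\
1709200000.123 10.0.0.5 GET https://www.example.org/ 200
1709200010.456 10.0.0.7 GET https://tibetpost.net/index.php 200
1709200012.789 10.0.0.7 GET https://cdn.tibetpost.net/assets/app.js 200
1709200020.000 10.0.0.9 GET https://nottibetpost.net/ 200
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string.

    Handles the common conventions: '[.]', '(.)', '{.}' for dots and
    'hxxp://' / 'hxxps://' for URL schemes. Result is lower-cased.
    """
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the indicator domain or a subdomain of it.

    Uses a dot-anchored suffix check so 'nottibetpost.net' does not
    match the indicator 'tibetpost.net'.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def find_hits(log_lines, defanged_iocs):
    """Return (client_ip, host) for every log line whose URL host matches an indicator."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or blank lines
        client_ip, url = parts[1], parts[3]
        host = urlsplit(url).hostname
        if host is None:
            continue
        if any(domain_matches(host, ioc) for ioc in iocs):
            hits.append((client_ip, host))
    return hits


if __name__ == "__main__":
    for client_ip, host in find_hits(SAMPLE_LOG.splitlines(), DEFANGED_DOMAINS):
        print(f"indicator hit: {client_ip} -> {host}")
```

In practice the indicator list would be loaded from the ESET repository rather than hard-coded, and a hit on a news site that is also legitimately visited only tells you which hosts to look at next, not that they are infected; the payload hashes from the same repository are what confirm a compromise.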
As cyber threats continue to evolve, organizations and individuals need to remain vigilant and maintain robust security measures. The Evasive Panda campaign is a reminder that state-aligned espionage groups will compromise the websites and software their targets already trust, and that defending against them means verifying what is downloaded and installed, not just where it came from.