China-linked APT group Daggerfly, also known as Evasive Panda or Bronze Highland, has returned with a major update to its malware toolkit. The additions include updated backdoors for Windows and macOS, named Nightdoor and Macma respectively. Researchers have also found evidence of the group's ability to trojanise Android APKs, as well as SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS.
While Macma has previously been documented, researchers have found evidence that it may have been developed by Daggerfly itself. The group has been active for at least a decade and is known for developing and using the MgBot framework, which also powers Macma.

Macma was first detailed by Google in 2021 but has been in use since at least 2019. Researchers have discovered at least three new versions of the backdoor in circulation, with capabilities including:
- New logic to collect a file system listing, with the new code based on Tree, a publicly available Linux/Unix utility
- Updated code to capture audio
- Code to adjust the size of a created screen capture, related to preserving the aspect ratio when resizing the capture
- Additional debug logging
- Additional parameterisation
Nightdoor, the Windows backdoor found to be used by the group, was already linked to it by ESET researchers in March 2024. It is based on the al-khaser project, a public codebase developed to avoid detection by identifying virtual machines, sandboxes, and other malware analysis environments. Updated versions of the backdoor analysed by the researchers add the ability to connect to OneDrive on top of its usual feature set; this capability appears to be either still in development or present in other versions of the malware.
Overall, the new tools highlight the group's increased capabilities and resources and its ability to create "versions of its tools targeting most major operating system platforms." The group also appears able to respond quickly to exposure by updating its toolkit and continuing activity without disruption.