
Chinese hacker group targets Taiwan and US NGO with new toolkit


Daggerfly, a Beijing-affiliated state-sponsored hacking group, has used a new set of malware tools to target organisations in Taiwan and a U.S. non-governmental organisation.

The state-sponsored group, also known as Bronze Highland and Evasive Panda, was previously seen using the MgBot malware in an intelligence-gathering campaign against telecom service providers in Africa. The group has been active since at least 2012.

In a report published today, Symantec’s Threat Hunter Team said that the recent campaign is a sign that Daggerfly also engages in “internal espionage.” In the attack, the group exploited a flaw in an Apache HTTP server to deliver its MgBot malware.

The company noted that Daggerfly efficiently updates its toolset to continue espionage activities with minimal disruption. The new set of attacks is characterised by a new malware family based on MgBot, along with an improved version of MACMA, a known Apple macOS malware. MACMA was first uncovered by Google’s Threat Analysis Group in November 2021, in a campaign that abused security flaws in the Safari browser to target internet users in Hong Kong.

While MACMA was linked to advanced persistent threat activity, it had not yet been attributed to any specific group. Symantec has now found evidence that suggests it is part of Daggerfly’s toolkit.

MACMA’s connection to the group rests on source code overlap between the malware and MgBot, and on its connecting to a command-and-control server (103.243.212[.]98) also used by an MgBot dropper.
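The report quotes the shared command-and-control address in defanged form. The script below is an added example (not from the article or from Symantec) of how a defender would turn that published indicator back into a matchable address and sweep proxy or firewall logs for it; the log lines are constructed for the example, and the regex guards ensure that only the whole address matches, not a longer address that happens to start with the same digits.

```python
import re
from ipaddress import ip_address

# Indicator quoted in the article, in the defanged form used by the report.
DEFANGED_C2 = "103.243.212[.]98"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ipv4_in_line(line: str, ip: str) -> bool:
    """True if `ip` occurs in `line` as a whole IPv4 address, not as a prefix
    or suffix of a longer dotted-digit string."""
    pattern = r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"
    return re.search(pattern, line) is not None


def scan_logs(lines, defanged_indicators):
    """Return (line_no, line) for every log line that contains any of the
    given defanged IPv4 indicators."""
    ips = [refang(i) for i in defanged_indicators]
    for ip in ips:
        ip_address(ip)  # raises ValueError if the refanged value is not an IP
    hits = []
    for n, line in enumerate(lines, 1):
        if any(ipv4_in_line(line, ip) for ip in ips):
            hits.append((n, line))
    return hits


# Constructed sample log lines (not from the article). Line 3 is a deliberate
# near-miss: a longer dotted string that starts with the indicator.
SAMPLE_LOGS = [
    "2024-07-23T10:01:02Z proxy src=10.0.0.14 dst=103.243.212.98 dport=443 action=allow",
    "2024-07-23T10:01:05Z proxy src=10.0.0.15 dst=198.51.100.7 dport=443 action=allow",
    "2024-07-23T10:02:11Z fw src=10.0.0.14 dst=103.243.212.981 dport=80 action=deny",
    "2024-07-23T10:03:40Z dns query=example.com src=10.0.0.14",
]

if __name__ == "__main__":
    for n, line in scan_logs(SAMPLE_LOGS, [DEFANGED_C2]):
        print(f"line {n}: {line}")
```

The `ip_address` check is there so that a mistyped or partially refanged indicator fails loudly instead of silently matching nothing across the whole log set.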

The hacker group, primarily known for developing and using the MgBot framework, also has a newer malware, Nightdoor. This implant uses the Google Drive API for command and control. It has been used in watering hole attacks targeting Tibetan users since at least September 2023.

The company’s new findings state that Daggerfly can build versions of its tools for most major operating system platforms. The group can also create trojans, Android APKs, SMS and DNS request interception tools, and malware families that target Solaris OS.


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
