

We provide an overview of Evasive Panda’s signature backdoor MgBot and its toolkit of plugin modules.

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. Government entities were targeted in China, Macao, and Southeast and East Asian countries, specifically Myanmar, the Philippines, Taiwan, and Vietnam, while other organizations in China and Hong Kong were also targeted. According to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.

The group implements its own custom malware framework with a modular architecture that allows its backdoor, known as MgBot, to receive modules to spy on its victims and enhance its capabilities.

In January 2022, we discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor. During our investigation, we found that the malicious activity went back to 2020.

Chinese users were the focus of this malicious activity, which ESET telemetry shows starting in 2020 and continuing throughout 2021. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces, as shown in Figure 1.

Figure 1. Map of China showing where users were targeted

One additional victim was also discovered to be located in Nigeria. The majority of the Chinese victims are members of an international NGO that operates in two of the previously mentioned provinces.

