Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Cyberspies Target Tibetans via Watering Hole, Supply Chain Attacks

Chinese APT Evasive Panda compromises a software developer’s supply chain to target Tibetans with malicious downloaders.

A Chinese advanced persistent threat (ATP) actor tracked as Evasive Panda has been observed targeting Tibetans in watering hole and supply chain attacks, cybersecurity firm ESET reports.

Also referred to as Bronze Highland and Daggerfly, Evasive Panda has been active since at least 2012, historically targeting government entities in China, India, and various Asian countries to conduct cyberespionage operations.

Over the past half a year, the APT has been targeting Tibetans in multiple countries in a watering hole attack that leverages the compromised website of the Monlam Festival’s organizer to infect visitors with malware based on their IP addresses.

A script on the website belonging to Indian organization Kagyu International Monlam Trust, which promotes Tibetan Buddhism, verifies the visitor’s IP and serves them a malicious downloader.

Analysis of the script has revealed that users in Australia, India, Hong Kong, Taiwan, and the United States were targeted, including individuals using the Georgia Institute of Technology’s network.

In September 2023, Evasive Panda compromised the website of an Indian company that builds Tibetan language translation applications to disseminate trojanized applications delivering Windows and macOS downloaders. On Windows, the infection would lead to Nightdoor or MgBot (a known Elusive Panda backdoor).

The Nightdoor backdoor has been in use since at least 2020, when it was deployed against an organization in Vietnam. It can collect system and disk drive information, collect information on applications and running processes, create a reverse shell, and manipulate and delete files.

The same site, along with the website of the Tibetan news outlet Tibetpost, was also used to host malicious payloads, including backdoors for Windows and numerous payloads targeting macOS users.

Advertisement. Scroll to continue reading.

“With high confidence we attribute this campaign to the Evasive Panda APT group, based on the malware that was used: MgBot and Nightdoor. In the past, we have seen both backdoors deployed together, in an unrelated attack against a religious organization in Taiwan,” ESET notes.

As part of the newly identified campaign, Elusive Panda likely leveraged interest in the Monlam festival that was held in January and February 2024 to infect users visiting the festival’s website.

Related: Chinese Cyberspies Delivered Malware via Legitimate Software Updates

Related: Chinese Cyberspies Use New Malware in Ivanti VPN Attacks

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.