
Chinese Cyberspies Target Tibetans via Watering Hole, Supply Chain Attacks

Chinese APT Evasive Panda compromises a software developer’s supply chain to target Tibetans with malicious downloaders.

A Chinese advanced persistent threat (APT) actor tracked as Evasive Panda has been observed targeting Tibetans in watering hole and supply chain attacks, cybersecurity firm ESET reports.

Also referred to as Bronze Highland and Daggerfly, Evasive Panda has been active since at least 2012, historically targeting government entities in China, India, and various Asian countries to conduct cyberespionage operations.

Over the past six months, the APT has been targeting Tibetans in multiple countries in a watering hole attack that leverages the compromised website of the Monlam Festival’s organizer to infect visitors with malware selected according to their IP addresses.

A script on the website of the Indian organization Kagyu International Monlam Trust, which promotes Tibetan Buddhism, checks the visitor’s IP address and serves them a malicious downloader.

Analysis of the script has revealed that users in Australia, India, Hong Kong, Taiwan, and the United States were targeted, including individuals using the Georgia Institute of Technology’s network.

In September 2023, Evasive Panda compromised the website of an Indian company that builds Tibetan language translation applications to disseminate trojanized applications delivering Windows and macOS downloaders. On Windows, the infection would lead to Nightdoor or MgBot (a known Evasive Panda backdoor).

The Nightdoor backdoor has been in use since at least 2020, when it was deployed against an organization in Vietnam. It can collect system and disk drive information, collect information on applications and running processes, create a reverse shell, and manipulate and delete files.

The same site, along with the website of the Tibetan news outlet Tibetpost, was also used to host malicious payloads, including backdoors for Windows and numerous payloads targeting macOS users.

“With high confidence we attribute this campaign to the Evasive Panda APT group, based on the malware that was used: MgBot and Nightdoor. In the past, we have seen both backdoors deployed together, in an unrelated attack against a religious organization in Taiwan,” ESET notes.

As part of the newly identified campaign, Evasive Panda likely leveraged interest in the Monlam festival, held in January and February 2024, to infect users visiting the festival’s website.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
