China-linked Daggerfly hackers update their toolset, likely after exposure


An alleged Chinese government-backed hacking group has made a major update to its toolset and introduced several new versions of its malware, most likely to avoid detection after its older variants were uncovered, according to recent research.

The hackers from the Daggerfly group, also known as Evasive Panda and Bronze Highland, have added to their arsenal a new malware family based on the group’s most popular MgBot malware and a new version of the Macma macOS backdoor.

“Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption,” researchers from Symantec said in a report on Tuesday.

Daggerfly deployed the new tools in a number of recent attacks, including against organizations in Taiwan and a “high-profile international NGO” operating in two Chinese provinces.

The group delivered malware to victims through the messaging software developed by Chinese tech giant Tencent.

Shortly before the NGO attack last April, the hackers targeted an African telecommunications company using, among other tools, MgBot malware.

One of the tools that underwent several updates is a macOS backdoor known as Macma, first documented by Google in 2021.

Macma hasn’t previously been attributed to a specific group, but Symantec said it found evidence suggesting that it was developed by Daggerfly. For example, two variants of the Macma backdoor connected to a command-and-control (C&C) server that was also used by an MgBot dropper, researchers said.

Another addition to Daggerfly’s toolkit is a Windows backdoor dubbed Suzafk, first documented in March 2024 when it was observed being used alongside MgBot. Suzafk was developed using the same shared library as MgBot, Macma and several other Daggerfly tools, Symantec said.

“New findings provide a clearer picture of the capabilities and resources behind Daggerfly,” researchers said. “The group can create versions of its tools targeting most major operating system platforms.”

Symantec said it has seen evidence of the hackers’ ability to infect Android apps, intercept text messages and internet requests, and even target the Solaris operating system with malware.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
