Chinese Espionage Group Upgrades Malware to Target All Major OS

Prolific Chinese espionage group Daggerfly (aka Evasive Panda, Bronze Highland) has extensively updated its malware toolkit, increasing its abilities to target most major operating systems (OS), according to an analysis by Symantec.

The latest developments suggest the group is using a shared framework to enable it to effectively target Windows, Linux, macOS and Android OS.

The researchers observed the group deploying new malware versions in recent attacks against organizations in Taiwan and a US NGO based in China.

Daggerfly Explained

Daggerfly is a Chinese APT group that has been active for at least a decade, conducting espionage operations both internationally and internally within China.

The group is primarily known for its development and use of the MgBot malware framework, which has a range of information-gathering capabilities.

In April 2023, Symantec reported on a Daggerfly campaign targeting a telecoms organization in Africa, in which the group used new plugins created with the MgBot malware framework.

In March 2024, ESET highlighted ongoing Daggerfly campaigns targeting Tibetans across various countries and territories. The researchers observed the group’s use of a previously undocumented backdoor called Nightdoor.

“Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption,” wrote Symantec in the new analysis, published on July 23, 2024.

Latest Updates to Daggerfly’s Arsenal

Symantec said it has found evidence suggesting the macOS backdoor Macma was developed by Daggerfly. Macma was first documented by Google in 2021 but appears to have been in use since at least 2019.

Google’s initial analysis highlighted that modular backdoor has a range of functionalities designed for data exfiltration, including device fingerprinting, executing commands, screen capture, keylogging, audio capture and uploading and downloading files.

A second version of Macma contains incremental updates to this existing functionality, including additional debug logging and updated modules in its appended data.

Its main module exhibited evidence of more extensive modification, including new logic to collect a file’s system listing and modified code in the AudioRecorderHelper feature.

Symantec has attributed Macma to Daggerfly after observing two variants of the Macma backdoor connected to a command-and-control (C&C) server that was also used by an MgBot dropper.

Additionally, Macma and other known Daggerfly malware including Mgbot all contain code from a single, shared library or framework, elements of which have been used to build Windows, macOS, Linux, and Android threats.

The researchers also highlighted Daggerfly’s use of Windows backdoor Suzafk, which ESET first documented as Nightdoor in March 2024.

Suzafk is a multi-staged backdoor capable of using TCP or OneDrive for C&C. It was developed using the same shared library used in Mgbot, Macma, and a number of other Daggerfly tools.

The researchers observed a configuration indicating that the functionality to connect to OneDrive is in development or present in other variants of the malware.

In addition to the above tools, Symantec said it has seen evidence of Daggerfly’s ability to Trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS.