Chinese state-sponsored hacking group “Daggerfly” has launched sophisticated cyberattacks against organizations in Taiwan and a U.S. non-governmental organization (NGO) operating in China. This campaign employs upgraded malware tools, highlighting the group’s expanding espionage activities.
According to a newly published report by Symantec's Threat Hunter Team, part of Broadcom, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware. The report assesses that the group conducts both external and internal espionage.
Active since 2012, Daggerfly, also known as Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework for intelligence-gathering missions targeting telecom service providers in Africa.
Symantec noted, “Daggerfly demonstrates an ability to quickly adapt its toolset in response to exposure, allowing it to continue espionage activities with minimal disruption.”
Recent attacks feature a new malware family based on MgBot and an enhanced version of the Apple macOS malware called MACMA. First exposed by Google’s Threat Analysis Group (TAG) in November 2021, MACMA was initially distributed via watering hole attacks exploiting security flaws in the Safari browser to target internet users in Hong Kong.
MACMA is capable of harvesting sensitive information and executing arbitrary commands. This is the first time it has been explicitly linked to a specific hacking group. A subsequent SentinelOne analysis found that macOS.MACMA shares code with ELF/Android tooling from the same developers, who may also have targeted Android phones with malware.
Connections between MACMA and Daggerfly are evidenced by source code overlaps between MACMA and MgBot, and their use of a common command-and-control (C2) server (103.243.212[.]98) also utilized by a MgBot dropper.
Daggerfly's arsenal includes another new malware, Nightdoor (also known as NetMM and Suzafk), which uses the Google Drive API as its command-and-control channel. Nightdoor has been used in watering hole attacks targeting Tibetan users since at least September 2023, and was first documented in detail by ESET in March 2024.
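The two indicators above give a defender two different kinds of lead: the shared C2 address is a high-confidence match wherever it appears in network telemetry, while Google Drive API traffic is only a hunting pivot, because legitimate clients use the same endpoints. The following script is an added example, not code from Symantec, ESET or the article; it refangs the published IP, scans a constructed connection log (hostnames in the Drive API set and the process allowlist are assumptions for illustration, not from the report) and reports hits with a rule name so that the two confidence levels stay distinguishable.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Shared C2 indicator quoted in the article, in the defanged form the report uses.
DAGGERFLY_C2_DEFANGED = "103.243.212[.]98"

# Hosts a Google Drive API C2 channel (as described for Nightdoor) has to contact.
# Assumption for this example: hostnames are enough for a hunting rule; the article names no endpoints.
GOOGLE_DRIVE_API_HOSTS = {"www.googleapis.com", "content.googleapis.com"}

# Hypothetical allowlist of processes expected to talk to the Drive API on a workstation.
# Tune to your environment; this is an assumption, not something from the report.
EXPECTED_DRIVE_CLIENTS = {"chrome", "firefox", "msedge", "GoogleDriveFS"}

# Constructed log format for this example (one TLS connection per line):
#   <timestamp> host=<endpoint> proc=<process> dst=<ip>:<port> sni=<server name or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+"
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+)\s+sni=(?P<sni>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    detail: str


def refang(ioc: str) -> str:
    """Convert a defanged indicator back into its matchable form.

    Handles the common conventions: '[.]' / '(.)' for dots and 'hxxp' for http.
    """
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run two hunting rules over connection log lines and return the hits in log order.

    Rule 1 (high confidence): destination IP equals the C2 shared by MACMA and the MgBot dropper.
    Rule 2 (lead only): TLS to a Google Drive API host from a process not expected to use it.
    Rule 2 will produce false positives; it is a pivot point for analysis, not a verdict.
    """
    c2_ip = refang(DAGGERFLY_C2_DEFANGED)
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never silently matched
        ip, proc, sni = m["ip"], m["proc"], m["sni"]
        if ip == c2_ip:
            hits.append(Hit(n, "daggerfly_shared_c2_ip", f"{proc} -> {ip}:{m['port']}"))
        if sni in GOOGLE_DRIVE_API_HOSTS and proc not in EXPECTED_DRIVE_CLIENTS:
            hits.append(Hit(n, "drive_api_unexpected_process", f"{proc} -> {sni}"))
    return hits


# Constructed sample log for the example; not real telemetry.
SAMPLE_LOG = [
    "2024-07-24T09:12:03Z host=ws-17 proc=chrome dst=142.250.74.42:443 sni=www.googleapis.com",
    "2024-07-24T09:12:09Z host=ws-17 proc=powershell dst=142.250.74.42:443 sni=www.googleapis.com",
    "2024-07-24T09:13:44Z host=ws-22 proc=curl dst=103.243.212.98:443 sni=-",
    "2024-07-24T09:14:01Z host=ws-22 proc=outlook dst=52.96.0.1:443 sni=outlook.office365.com",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule}: {hit.detail}")
```

Keep the two rules separate in whatever alerting you wire this into: an IP match on a published C2 is worth an immediate page, while the Drive API rule should feed a triage queue, and its allowlist will need to be re-tuned as sanctioned software changes.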
“The group has shown the capability to create versions of its tools targeting major operating system platforms,” Symantec stated, noting evidence of tools for trojanizing Android APKs, intercepting SMS, manipulating DNS requests, and targeting Solaris OS.
This development follows claims by China’s National Computer Virus Emergency Response Center (CVERC) that Volt Typhoon – attributed by the Five Eyes nations as a China-linked espionage group – is a fabrication by U.S. intelligence agencies. CVERC described it as a misinformation campaign aimed at discrediting China, sowing discord between China and other countries, hindering China’s development, and exploiting Chinese companies.