Evasive Panda’s Malicious Campaign Exploits Software Update Channels

Evasive Panda’s Malicious Campaign Exploits Software Update Channels

Evasive Panda’s malicious campaign uses the update channels of legitimate Chinese applications to deliver their infamous backdoor, MgBot malware, to unsuspecting victims.

Researchers at ESET have recently uncovered a new cyber attack campaign linked to the notorious APT group Evasive Panda.

The team’s trademark is the use of the custom MgBot modular malware framework, which is able to receive addons components on the move to expand its intelligence-gathering capabilities.

Know about Evasive Panda?

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group actively targeting individuals and government entities across multiple countries since at least 2012.Their previous targets include China, Macao, Nigeria, and Southeast and East Asian countries.

The latest Evasive Panda’s malicious campaign mostly concentrated in the Gansu, Guangdong, and Jiangsu provinces of China, focusing on members of an international NGO operating within two of these provinces.

However, it points to one of two scenarios, a supply chain compromise of Tencent QQ’s update servers or an adversary-in-the-middle case , as reported by Kaspersky in June 2022, involving a Chinese hacking crew named LuoYu.

According to the report, the malware used by Daggerfly in the recent campaign is highly sophisticated and difficult to detect.


10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DDwcdbcrk.dllWin32/Agent.VFTMgBot information stealer plugin.
E5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2sebasek.dllWin32/Agent.VFTMgBot file stealer plugin.
D60EE17418CC4202BB57909BEC69A76BD318EEB4kstrcs.dllWin32/Agent.VFTMgBot keylogger plugin.
2AC41FFCDE6C8409153DF22872D46CD259766903gmck.dllWin32/Agent.VFTMgBot cookie stealer plugin.
0781A2B6EB656D110A3A8F60E8BCE9D407E4C4FFqmsdp.dllWin32/Agent.VFTMgBot information stealer plugin.
9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8pRsm.dllWin32/Agent.VFTMgBot audio capture plugin.
22532A8C8594CD8A3294E68CEB56ACCF37A613B3cbmrpa.dllWin32/Agent.ABUJMgBot clipboard text capture plugin.
970BABE49945B98EFADA72B2314B25A008F75843agentpwd.dllWin32/Agent.VFTMgBot credential stealer plugin.
8A98A023164B50DEC5126EDA270D394E06A144FFmaillfpassword.dllWin32/Agent.VFTMgBot credential stealer plugin.
65B03630E186D9B6ADC663C313B44CA122CA2079QQUrlMgr_QQ88_4296.exeWin32/Kryptik.HRRIMgBot installer.

Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!