Chinese Cyberspies Target Tibetans via Watering Hole, Supply Chain Attacks

A Chinese advanced persistent threat (APT) actor tracked as Evasive Panda has been observed targeting Tibetans in watering hole and supply chain attacks, cybersecurity firm ESET reports.


Also referred to as Bronze Highland and Daggerfly, Evasive Panda has been active since at least 2012, historically targeting government entities in China, India, and various Asian countries to conduct cyberespionage operations.


Over the past half a year, the APT has been targeting Tibetans in multiple countries in a watering hole attack that leverages the compromised website of the Monlam Festival’s organizer to infect visitors with malware based on their IP addresses.


A script on the website belonging to Indian organization Kagyu International Monlam Trust, which promotes Tibetan Buddhism, verifies the visitor’s IP and serves them a malicious downloader.


Analysis of the script has revealed that users in Australia, India, Hong Kong, Taiwan, and the United States were targeted, including individuals using the Georgia Institute of Technology’s network.


In September 2023, Evasive Panda compromised the website of an Indian company that builds Tibetan language translation applications to disseminate trojanized applications delivering Windows and macOS downloaders. On Windows, the infection would lead to Nightdoor or MgBot (a known Evasive Panda backdoor).


The Nightdoor backdoor has been in use since at least 2020, when it was deployed against an organization in Vietnam. It can collect system and disk drive information, collect information on applications and running processes, create a reverse shell, and manipulate and delete files.


The same site, along with the website of the Tibetan news outlet Tibetpost, was also used to host malicious payloads, including backdoors for Windows and numerous payloads targeting macOS users.

