A Beijing-linked state-sponsored hacking group known as Daggerfly has reportedly targeted entities in Taiwan and a U.S. NGO operating in China. The group employed an enhanced malware toolkit in this operation.
According to the same report, Daggerfly also conducts domestic espionage. In one of the intrusions, the attackers exploited a vulnerability in an Apache HTTP server to deploy their MgBot malware against one of the targeted organizations.
The group, which also goes by the names Bronze Highland and Evasive Panda, has been active since 2012. Daggerfly appears able to respond to public exposure by quickly updating its toolset, so that its espionage operations continue with minimal disruption.
The recent attacks attributed to Daggerfly feature two key malware components:
- A new malware family derived from MgBot
- An upgraded version of MACMA, a known Apple macOS malware
MACMA was initially uncovered by Google’s Threat Analysis Group (TAG) in November 2021. At that time, it was being spread through watering hole attacks that exploited Safari browser vulnerabilities to target Hong Kong internet users.
This malware, which can collect sensitive data and execute arbitrary commands, had not previously been associated with any specific hacking group. The current findings represent the first instance of MACMA being directly linked to a particular threat actor.
“The actors behind macOS.MACMA at least were reusing code from ELF/Android developers and possibly could have also been targeting Android phones with malware as well,” SentinelOne noted in a subsequent analysis at the time.
MACMA’s link to Daggerfly is evidenced by:
1. Shared source code with MgBot
2. A shared C2 server (103.243.212[.]98) that is also contacted by an MgBot dropper
Daggerfly’s toolkit now also includes Nightdoor (aka NetMM/Suzafk), a backdoor that uses the Google Drive API for command-and-control. As reported by ESET in March 2024, it has been used against Tibetan users in watering hole attacks since at least September 2023.
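The two artifacts above that a defender can act on immediately are the shared C2 address and Nightdoor's use of the Google Drive API. The following Python sweep is an added example written for this page, not code from the report or from any vendor: it refangs the published indicator, walks a constructed proxy log (the five-field format and the sample lines are assumptions made up for the example), raises a high-confidence hit on any connection to the C2 address, and a low-confidence lead on Drive API requests that should be traced back to the originating process. Drive API traffic is legitimate on most networks, so the second check is a triage cue, not a verdict.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator published in the report above, kept defanged exactly as published.
DEFANGED_C2 = "103.243.212[.]98"

# Hosts through which the Google Drive REST API is reached. These are legitimate
# Google endpoints; a hit is only a lead to be checked against the originating
# process (assumption: the environment can attribute proxy requests to processes).
DRIVE_API_HOSTS = {"www.googleapis.com", "content.googleapis.com"}

# Constructed proxy log format (assumption): "<timestamp> <src_host> <dst_ip> <dst_host> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst_ip>\S+)\s+(?P<dst_host>\S+)\s+(?P<uri>\S+)$"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int
    confidence: str  # "high" for the known C2, "low" for the Drive API lead
    reason: str
    line: str


def sweep(lines, c2_ip: str = refang(DEFANGED_C2)):
    """Scan proxy log lines and return the hits in log order."""
    target = ipaddress.ip_address(c2_ip)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line; skip, do not crash
        try:
            dst = ipaddress.ip_address(m["dst_ip"])
        except ValueError:
            continue  # e.g. a placeholder where no IP was logged
        if dst == target:
            hits.append(Hit(n, "high", "connection to known Daggerfly C2 (MgBot dropper / MACMA)", line))
        elif m["dst_host"] in DRIVE_API_HOSTS and m["uri"].startswith("/drive/"):
            hits.append(Hit(n, "low", "Google Drive API request; verify originating process (Nightdoor C2 pattern)", line))
    return hits


# Constructed sample log for the example; these are not real observations.
SAMPLE_LOG = [
    "2024-07-22T09:14:05Z ws-017 142.250.74.46 www.google.com /search?q=weather",
    "2024-07-22T09:15:11Z ws-017 103.243.212.98 - /index.php",
    "2024-07-22T09:16:42Z mac-044 172.217.16.234 www.googleapis.com /drive/v3/files?q=name%3D%27beacon%27",
    "2024-07-22T09:17:00Z ws-021 172.217.16.234 www.googleapis.com /youtube/v3/videos",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"line {hit.line_no} [{hit.confidence}] {hit.reason}: {hit.line}")
```

Run against the constructed sample, the sweep reports the second line as a high-confidence C2 contact and the third as a Drive API lead; the YouTube API request on the fourth line is not flagged because the path prefix check limits the lead to the Drive surface that Nightdoor is reported to use.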