Daggerfly
Also known as: Evasive Panda · BRONZE HIGHLAND
Overview
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.
Targets
Government · Individuals · Universities
Regions
Hong Kong · India · Macao · Malaysia · Nigeria · Taiwan
Capabilities
- Supply-chain compromise — ATT&CK T1195.002
- Custom malware/implant development — ATT&CK: 4 attributed custom malware families
TTPs — 17 techniques across 9 tactics
Resource Development
- T1584.004 Server
- T1587.002 Code Signing Certificates
Initial Access
- T1189 Drive-by Compromise
- T1195.002 Compromise Software Supply Chain
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1204.001 Malicious Link
Persistence
- T1136.001 Local Account
Stealth
- T1036.003 Rename Legitimate Utilities
- T1218.011 Rundll32
- T1574.001 DLL
Defense Impairment
- T1553.002 Code Signing
Credential Access
- T1003.002 Security Account Manager
Discovery
- T1012 Query Registry
- T1082 System Information Discovery
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Tools & malware (6)
PlugX · MgBot · BITSAdmin · MacMa · Nightdoor · Reg
Reporting (3)
- Daggerfly: Espionage Group Makes Major Update to Toolset — Threat Hunter Team
- Evasive Panda leverages Monlam Festival to target Tibetans — Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé
- Evasive Panda APT group delivers malware via updates for popular Chinese software — Facundo Muñoz