A sophisticated cyber-espionage campaign by the China-aligned APT group Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) has been observed targeting Tibetans across various countries and territories.
The operation, which has been ongoing since at least September 2023, exploits both a targeted watering hole tactic and a supply-chain compromise involving trojanized installers of Tibetan language translation software.
According to a technical write-up published by ESET researchers today, the attackers strategically leveraged the Monlam Festival, a significant religious gathering, to target individuals associated with Tibetan Buddhism.
By compromising the festival organizer’s website, they orchestrated a watering hole attack, specifically targeting users connecting from specific networks. This tactic involved injecting malicious code into the website, leading visitors to unwittingly download trojanized software.
“In addition to this, the attackers also abused the same website and a Tibetan news website called Tibetpost – tibetpost[.]net – to host the payloads obtained by the malicious downloads, including two full-featured backdoors for Windows and an unknown number of payloads for macOS,” ESET wrote.
These installers were designed to deploy malicious downloaders, further facilitating the infiltration of victims’ systems.
The security researchers underscored the sophistication of the campaign because Evasive Panda, active since at least 2012, deployed various malicious downloaders and backdoors, including a previously undocumented backdoor for Windows named Nightdoor.
“The attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several networks in East Asia,” reads the advisory.
By exploiting vulnerabilities in both web infrastructure and software supply chains, the attackers aimed to infiltrate networks and compromise targeted individuals. The campaign’s timing, coinciding with the Monlam Festival, suggests a strategic effort to capitalize on increased online activity during this period.
For more detailed information, including Indicators of Compromise (IoCs) and samples, visit the ESET GitHub repository.