China's Evasive Panda APT Spies on Taiwan Targets Across Platforms

Published: 23/11/2024   Category: security




The cohort's variety of individual tools covers just about any operating system it could possibly wish to attack.



A Chinese advanced persistent threat (APT) is upgrading its espionage capabilities by developing and iterating on malware across operating systems (OSes).
Evasive Panda — which Symantec tracks as Daggerfly in a new blog post — has been known to target telecommunications companies, government agencies, nongovernmental organizations (NGOs), universities, and private individuals of interest to the Chinese state. Recently it has carried out a handful of attacks against similar targets, mostly located in Taiwan, plus one American NGO based in China.
Though its victims are predictable, the platforms it targets for its chicanery are varied. Besides Windows and macOS, Symantec found evidence of Evasive Panda Trojanizing Android Package Kits (APKs), developing SMS and DNS request interception tools, and developing malware families around Linux and even Solaris OS.
"Their ability to develop malware for multiple different platforms is noteworthy," says Dick O'Brien, principal intelligence analyst for the Symantec threat hunter team. "It's not uncommon to see APT groups targeting two or three different platforms, but this group has the ambition and the skills to target every major platform, including some pretty niche ones like Solaris. That's not something you see very often."
Evasive Panda is at least a decade old. To keep things fresh after that long a time, it develops and builds on a variety of custom malware tools designed for different operating systems. Underpinning them all is a shared library or framework.
Its best known tool incorporating this shared code is the modular MgBot malware. MgBot has been used recently in attacks against the China-based American NGO, an African telecoms operator in 2023, and watering hole attacks late last year, where it worked alongside a newer tool, Nightdoor, tracked by Symantec as Trojan.Suzafk.
Nightdoor is loaded onto newly infected systems alongside the legitimate DAEMON Tools Lite program for creating and mounting virtual disk drives, and a dynamic link library (DLL) that establishes persistence via scheduled tasks. The final payload — a multistage backdoor — uses TCP or OneDrive for command-and-control (C2), and comes embedded with the open source (OSS) tool al-khaser. Al-khaser markets itself as a proof-of-concept (PoC) application that aims to stress your anti-malware system by incorporating various anti-analysis tricks.
When Evasive Panda wants to attack a Mac, it uses Macma, a backdoor celebrating a half-decade in the wild this year. Like its Windows cousins, Macma has been used in various watering hole attacks. In 2021, for instance, it was deployed against media and protestors fighting for an independent Hong Kong. It can fingerprint devices, upload and download files from them, capture keystrokes, screenshots, and audio, and more.
Recently, on top of developing new backdoors, Evasive Panda has updated Macma in a variety of mostly minor ways. That, O'Brien says, shows evidence of ongoing, iterative development. "While some of these tweaks may help in avoiding detection, by subtly altering the malware's fingerprint, the main thing this tells us is that they have that capacity for continuous development, where they can continually roll out new versions, making small improvements and fixing bugs."
