MgBot Malware

The advanced persistent threat (APT) group referred to as Evasive Panda has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ.

The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021.

Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of cyber espionage attacks targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012.

The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities.

Some of the prominent capabilities of the C++-based malware include stealing files, logging keystrokes, harvesting clipboard data, recording audio streams, and credential theft from web browsers.


ESET, which discovered the campaign in January 2022 after a legitimate Chinese application was used to deploy an installer for the MgBot backdoor, said the targeted users were located in the Gansu, Guangdong, and Jiangsu provinces and are members of an unnamed international NGO.

The trojanized application is the Tencent QQ Windows client software updater ("QQUrlMgr.exe") hosted on the domain "update.browser.qq[.]com." It's not immediately clear how the threat actor managed to deliver the implant through legitimate updates.

MgBot Malware

But it points to either of the two scenarios: a supply chain compromise of Tencent QQ's update servers or a case of an adversary-in-the-middle (AitM) attack, as detailed by Kaspersky in June 2022 involving a Chinese hacking crew dubbed LuoYu.

In recent years, many a software supply chain attack has been orchestrated by nation-state groups from Russia, China, and North Korea. The ability to gain a large malicious footprint quickly has not been lost on these attackers, who are increasingly targeting the IT supply chain to breach enterprise environments.


"AitM styles of interception would be possible if the attackers – either LuoYu or Evasive Panda – were able to compromise vulnerable devices such as routers or gateways," Muñoz elaborated.

"With access to ISP backbone infrastructure – through legal or illegal means – Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets."

This is significant as the findings come less than a week after Broadcom-owned Symantec detailed attacks mounted by the threat actor against telecom service providers in Africa using the MgBot malware framework.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.