China’s ‘Evasive Panda’ APT Debuts High-End Cloud Hijacking

by CybrGPT

The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.

That’s according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).

CloudScout is written in .NET, and it’s designed to work seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which CloudScout then uses to access and exfiltrate data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.

ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on at least 10 different cloud apps.

“These modules are designed to access public cloud services … by hijacking authenticated Web sessions,” according to ESET’s analysis, released on Oct. 28. “This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services,” thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking.


After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it’s compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.
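Because the hijacked session presents a valid cookie and so passes 2FA and IP checks, one place left to catch the technique is the endpoint, where the cookies are read out of the browser database. The following is an added detection sketch, not code from ESET or from the original article; the event schema, the sample events, and the trusted install paths are assumptions constructed for illustration.

```python
import re

# Cookie database locations for Chrome, Edge and Firefox on Windows,
# matched against the lower-cased path of the file that was opened.
COOKIE_STORES = [
    re.compile(r"\\google\\chrome\\user data\\[^\\]+\\(?:network\\)?cookies$"),
    re.compile(r"\\microsoft\\edge\\user data\\[^\\]+\\(?:network\\)?cookies$"),
    re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$"),
]

# Assumption: full install paths of the browsers in this environment.
# Matching the full path, not just the file name, keeps a renamed binary
# dropped elsewhere from passing as the browser.
TRUSTED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}

def is_cookie_store(path):
    """True if the path is a browser cookie database."""
    p = path.lower()
    return any(rx.search(p) for rx in COOKIE_STORES)

def suspicious_cookie_reads(events):
    """Return events where a process outside TRUSTED_IMAGES opened a cookie store."""
    return [ev for ev in events
            if is_cookie_store(ev["target"])
            and ev["image"].lower() not in TRUSTED_IMAGES]

# Constructed sample events (hypothetical schema: process image + file opened).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\ProgramData\updater\svc.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\cookies.sqlite"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_cookie_reads(SAMPLE_EVENTS):
        print("ALERT:", ev["image"], "->", ev["target"])
```

Backup agents and endpoint security products also open these files, so the trusted list needs tuning per environment before the output is used for alerting.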

Chinese APT Hones Cyberespionage Arsenal

Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that’s been operating since at least 2012, focused mainly on cyber espionage against civil society targets.

These include “independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China,” ESET researchers noted. “At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea.” It has also been seen targeting a handful of victims in Nigeria.

The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.


According to ESET, “The professional design behind the CloudScout framework … demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations.”


